It turns out that that was a mistake. Yes, some accounts were compromised – but Xero meant to send the alert only to active users in Australia, rather than around the world.
The company confirmed the boo-boo in a blog post , although it chose to paint the goof as a “useful and timely reminder to change your passwords frequently.”
Nice spin for what was clearly an error that would have given some users the jitters (especially when the version of the Xero website local to their territory shared no further information and their Twitter account was silent), but I’m not sure it’s entirely sensible.
In my opinion, frequently changing your passwords is not a good idea. Indeed, I think that the reasons why you should change your passwords are fairly easy to describe:
1. If you believe your password has been compromised – perhaps because you shared it with someone else.
2. If you believe that your password is weak, or you are using the same password anywhere else.
Because if you have chosen a strong, complex, hard-to-crack, unique password – why bother changing it “frequently” as Xero suggests?
Indeed, when users are told to change their passwords frequently (I’m thinking in particular of some corporate environments where staff are forced to change their passwords every X weeks) that they often will choose poor passwords.
It’s all too easy to imagine users, who find it tricky to remember passwords, choosing dumb passwords like “XeroJanuary”, “XeroFebruary”, “XeroMarch” or some similar sequence which is all too predictable.
Maybe some will consider me nit-picking on this point, and that’s probably a fair assessment.
To balance things out, I’m pleased to see that Xero is increasing account security for users with a couple of new features.
Firstly, the site will now allow you to check both when you last logged in and the apparent location (based upon IP address) of where those logins originated. This clearly could help someone notice that their account might have been accessed by an unauthorised user.
Furthermore, Xero reports that it is hoping to introduce a form of two-step authentication soon:
We are currently testing additional Two-Step Authentication (2SA) and will release that as soon as we can. This will provide a further layer of protection. Under 2SA you will need to enter a Time-based One-time Password (TOTP), which will be generated by an authenticator app you’ve installed on your phone or other smart device, and you would need both your password and the TOTP to gain access to Xero.
This seems like a positive step, because anyone who managed to steal a Xero user’s username and password (whether it be via phishing or keylogging spyware) will not be able to access their online accounts without also having access to the one-time password.
It goes without saying that none of this obviates the need for close attention to the websites you visit (especially when you might be asked to enter your password) and strong, up-to-date anti-virus protection on computers.
Many small companies use Xero to manage their finances, so it’s good to see the service strengthening its security.
Read more on the Xero blog.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.