Lies, Damn Lies, and PHP Benchmarks

I need to get something off my chest. First, I’d like you to examine the following code:

 
<?php

class Test
{
    public function output()
    {
        return 'Hello, world!';
    }
}

function test()
{
    return 'Hello, world!';
}

// Time ten million plain function calls.
$start = microtime(true);
for ($i = 0; $i < 10000000; $i++) {
    test();
}
printf("%0.2f seconds for 10 million function calls.\n", microtime(true) - $start);

// Time ten million instantiations plus method calls.
$start = microtime(true);
for ($i = 0; $i < 10000000; $i++) {
    $c = new Test();
    $c->output();
}
printf("%0.2f seconds for 10 million class calls.\n", microtime(true) - $start);

// Outputs about 4.9 seconds for the first and 7.9 for the second on my system.

How many times have you seen a benchmark like this passed off as proof of some facet of PHP’s behavior, particularly relating to classes versus functions? Next, ask yourself: What does this “benchmark” prove?

The answer: Absolutely nothing. Most developers are already aware (or should be) that instantiation of a class invokes a fair amount of overhead not present with functions in PHP. Yet time and again, whenever I encounter a discussion relating to PHP best practices or performance, I find comments that allude to any of the following:

  • PHP is not Java!
  • ${framework} uses classes, therefore ${framework} is slow!
  • PHP is a templating language. Replicating OOP concepts in PHP is overkill/stupid/slow.

Usually, but not always, one (or more) of the above opinions is presented with an allusion to benchmarks not all that dissimilar from the horrible, horrible sample of code at the beginning of this post. Why?

I don’t have a good answer, but I suspect it’s because PHP is one of the most oft-benchmarked scripting languages of our time, probably because the barrier to entry is so low. The worst part? No one knows how to benchmark. Granted, I’m guilty of the same charge, and I’ve published awful benchmarks in the past somehow “proving” (for some value of proof) that a specific feature is slower than another. So, as penance for my own wrongdoings, I want to make a point, and I want to make it as clear as I possibly can.

Your PHP benchmarks are wrong.

Don’t feel bad, though. Nearly all of them are wrong, including most hardware benchmarks. The reason for this is that benchmarks, by their nature, are synthetic, and the nature of a synthetic benchmark is such that it fails to capture real world behavior. If you want to create a realistic benchmark, you’re going to have to put an awful lot of work into emulating a full stack, and the only way to do this correctly is to effectively write a small application. You can’t simply toss a few function calls into a for loop and call it a day. But the problem with this approach is that once you’ve implemented a demonstration application, you’re no longer benchmarking the language–you’re benchmarking your library or application. The only way you can really benchmark a language is to do so in a manner that can be replicated across multiple platforms, such that each implementation is roughly equivalent and the benchmark captures the relative performance of each.

If you don’t buy that argument, I’d suggest you look at the TechEmpower framework benchmarks. They’ve put a lot of work into creating a fair, realistic collection of benchmarks for dozens and dozens of frameworks for each of the popular languages. If you’re not willing to invest a similar magnitude of effort into your own benchmarks, you’re not going to prove anything. You won’t prove that a specific language feature is too slow to use, you won’t prove that functions are better than classes, and all you’re going to accomplish is wasting your time–and worse–your readers’ time.

I’ll explain further, but before I delve into greater detail about why looping over a function ten million times proves absolutely nothing, I want to demonstrate by example. Nothing beats a good illustration to broaden one’s horizons, so I’ve fabricated a slightly less terrible benchmark than the code snippet that began this post.

A Slightly Less Terrible Benchmark

This benchmark is intended to illustrate two objectives: 1) That PHP language features don’t differ by much in terms of performance relative to each other and 2) that simple benchmarks are effectively pointless and only prove what the author intends for them to prove. The benchmarks are broken down into six files:

  • out-class-inheritance.php – Uses class inheritance to output a short string.
  • out-class-interface-inheritance.php – Uses an interface to define class methods and inheritance to output a short string.
  • out-class-interface.php – Uses an interface to define class methods to output a short string.
  • out-class.php – Uses a simple class to output a short string.
  • out-class-static.php – Uses a static method of a class to output a short string.
  • out-function.php – Uses a single function to output a short string.

Each benchmark was run three times using Apache Bench (ab) on Arch Linux with a concurrency of 10 across 10000 runs. In keeping with the tradition of poorly designed benchmarks, ab was run on the same system as the web server. It’s a terrible idea, I know, but we’re only measuring approximate performance of individual language features with the intent to prove that there isn’t a substantial difference.

Note that I won’t include the sources to this benchmark here. If you want to examine them, please review this Gist. They’re about as simple as the code fragment at the top of this post and only slightly less stupid.
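The six variants listed above, timed in one script with repeated trials so that the run-to-run spread is visible alongside the gap between variants. This is an added example, not the post’s Gist: the class and function names are my own, and it assumes PHP 7.4 or later (arrow functions, hrtime()).

```php
<?php
// Added example (not the post's Gist): the six variants from the list above,
// timed in-process with repeated trials so run-to-run spread is visible.
// All names below are constructed for illustration.

interface Greeter
{
    public function output(): string;
}

class Plain                               // out-class
{
    public function output(): string { return 'Hello, world!'; }
}

class Base
{
    public function output(): string { return 'Hello, world!'; }
}

class Child extends Base {}               // out-class-inheritance

class Impl implements Greeter             // out-class-interface
{
    public function output(): string { return 'Hello, world!'; }
}

class ImplChild extends Impl {}           // out-class-interface-inheritance

class StaticOut                           // out-class-static
{
    public static function output(): string { return 'Hello, world!'; }
}

function out(): string { return 'Hello, world!'; }   // out-function

// Map each variant name to a closure that produces the string once.
$variants = [
    'out-class-inheritance'           => fn() => (new Child())->output(),
    'out-class-interface-inheritance' => fn() => (new ImplChild())->output(),
    'out-class-interface'             => fn() => (new Impl())->output(),
    'out-class'                       => fn() => (new Plain())->output(),
    'out-class-static'                => fn() => StaticOut::output(),
    'out-function'                    => fn() => out(),
];

/**
 * Time $iterations calls of $fn, repeated $trials times, and return the
 * per-trial durations in seconds. Separate trials (rather than one long loop)
 * are what expose the system variability the post describes.
 */
function timeVariant(callable $fn, int $iterations, int $trials): array
{
    $durations = [];
    for ($t = 0; $t < $trials; $t++) {
        $start = hrtime(true);            // monotonic nanoseconds (PHP >= 7.3)
        for ($i = 0; $i < $iterations; $i++) {
            $fn();
        }
        $durations[] = (hrtime(true) - $start) / 1e9;
    }
    return $durations;
}

/** Summarise a set of durations as min / median / max. */
function summarise(array $durations): array
{
    sort($durations);
    $n = count($durations);
    $median = $n % 2 ? $durations[intdiv($n, 2)]
                     : ($durations[$n / 2 - 1] + $durations[$n / 2]) / 2;
    return ['min' => $durations[0], 'median' => $median, 'max' => $durations[$n - 1]];
}

$iterations = 1_000_000;
$trials     = 5;

// Warm up once so opcache and allocator state are comparable across variants.
foreach ($variants as $fn) { timeVariant($fn, 10_000, 1); }

printf("%-34s %8s %8s %8s %8s\n", 'variant', 'min', 'median', 'max', 'spread');
foreach ($variants as $name => $fn) {
    $s = summarise(timeVariant($fn, $iterations, $trials));
    // spread = (max - min) / median. When this is as large as the difference
    // between variants, the ranking is noise, not a property of the language.
    printf("%-34s %8.3f %8.3f %8.3f %7.0f%%\n",
        $name, $s['min'], $s['median'], $s['max'],
        100 * ($s['max'] - $s['min']) / $s['median']);
}
```

Run it a few times on an otherwise idle machine and compare the spread column with the gaps between rows; that comparison is the point of the post, not the absolute numbers.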

Performance

Unsurprisingly, for all intents and purposes, each test performed approximately the same. I noticed that tabbing between the shell and my browser introduced sharp drops in performance, so a handful of these had to be re-run from the start. So, I suspect that the reductions in performance as seen for the inheritance and interface tests were likely introduced by system variability. Yes, inheritance should be slightly slower (more overhead) but it’s not substantially slower:

  • out-class-inheritance.php – 15407 req/s, 0.65s total
  • out-class-interface-inheritance.php – 14854 req/s, 0.674s total
  • out-class-interface.php – 14568 req/s, 0.688s total
  • out-class.php – 15367 req/s, 0.651s total
  • out-class-static.php – 15633 req/s, 0.64s total
  • out-function.php – 15146 req/s, 0.66s total

Are these results surprising? They shouldn’t be. This is a benchmark and benchmarks lie. My benchmark lies because it isn’t illustrative of real world use, and as such, these numbers mean absolutely nothing. Well, okay, my results are suggestive that if all things are equal, OOP versus functional design is a meaningless argument. But these results don’t matter because no one in their right mind is going to have an application that consists of a small single class or function. Likewise, no one’s going to run the same function or instantiate a class a few million times in their app and call it good. At least, I’d hope not.

What this does illustrate is that a benchmark can be manipulated to produce desired results, and they can be interpreted with greater variability than most religious texts. While I’d like to believe this benchmark demonstrates that there’s little difference between PHP language features, it isn’t exhaustive enough to measure the impact of specific design decisions. Nor should it, because PHP doesn’t exist in a vacuum and naive designs fail to account for realistic implementations.

The problem, then, is that benchmarks running a small sample of code a million times fail to account for the broader design of a full application, which might be comprised of a few dozen functions, classes, hundreds of queries and so forth. No one class is going to be run a million times for every hit (or it shouldn’t be), and neither will any one function. More importantly, as my benchmarks demonstrate, the real bottleneck is going to be network I/O, followed by disk, and with rare exceptions (and a distant third), the CPU. For dissenters, I would wager that you’re going to encounter network limitations well before any hypothetical “classes are slower than functions” condition is met. Moreover, because the PHP VM is rather slow, it won’t matter a great deal how your application is structured anyway. An application written in Go or C++ is going to perform several orders of magnitude faster than your PHP app. For that matter, an application written using Python, Gevent, and Gunicorn would also render your pet PHP constructs a rather embarrassingly distant last place. Save for frameworks written in C (Phalcon) or new clean-room PHP implementations (like HHVM), the entire debate over classes versus functions is a rather silly one, isn’t it?

Benchmarks are Relative

I can’t emphasize enough how fascinating and well designed the TechEmpower benchmarks are for illustrating relative performance among different languages and frameworks. That said, I must emphasize again that nothing exists in a vacuum. PHP classes or functions aren’t solitary constructs. They’re running in unison with a web server, a database engine of some sort, and possibly dozens of other platforms, each with a certain amount of overhead or latency, and even network topography can impact service behaviors in suboptimal ways.

What burns me the most is that there is this small population of noisy magpie-like developers pushing against efforts to improve PHP development (like the improvements in the PSR series) toward sensible standards. While this population is diminishing, I still see comments from time to time on sites like Hacker News that effectively blame OOP design for PHP’s comparatively poor performance on the web framework benchmark, particularly for frameworks like Symfony. Yet Facebook’s HHVM and, to a lesser extent, the Phalcon PHP framework have demonstrated that this need not be the case. Why is PHP plagued with this sort of nonsense? I have no idea.

Consider for a moment the benefits gleaned from the PSR standards like PSR-0 autoloading and the fairly recent explosion in the number of libraries that, thanks to Composer and Packagist, can be included in any project with little effort. Furthermore, clean design and implementation induces new momentum in the PHP community that will hopefully render spaghetti code like that in projects using archaic practices (vBulletin and IP.Board, I’m looking at you…) a forgotten memory. OOP isn’t a panacea, but when used correctly, it encourages code reuse and generally reduces the time spent on implementation. It’s disappointing that there are musings in the community about whether or not OOP practices have a place in PHP. If you don’t think OOP belongs in PHP, then I suspect you’ve missed that debate by about a decade and a half. Better late than never, right?

Fortunately, as Composer and Packagist have illustrated, such opposition to modern PHP design is constrained to a tiny and ever-dwindling population of the PHP community (I’d actually wager it’s mostly people who have merely dabbled in PHP and don’t currently write much code in it, if any). PHP has its warts, but modern PHP largely abolishes or mitigates some of the worst parts of the language. That isn’t to say PHP is a beautiful language (it’s not), but it doesn’t have to be beautiful to be useful. Perl taught us that lesson years ago.

I think I see an older gentleman in the back with a long gray beard laughing. See? He gets it.

***

Extraterrestrials, Rectal Probes, and Infographics

A couple of months ago, an infographic was making its rounds on the Internet titled “Let’s Say (for whatever reason) You’re the First Human Ever to Make Alien Contact”, and I wrote this response almost immediately but neglected to publish it mostly because I wanted to revisit my thoughts at a later date. To wit, it’s certainly a thought-provoking piece and its author raises a number of clever points (peppered with observations). I just can’t shake the feeling that its primary purpose is to provide entertainment and, possibly, elicit conversation. There’s nothing wrong with either circumstance, so I won’t fault the creator, but I certainly advise against taking it seriously. I’m sure it wasn’t exactly intended to be taken seriously, but not everyone is likely to catch on. Indeed, it seems from many of the comments I’ve seen crop up whenever this image makes the rounds that no one has caught on. In other words, it’s full of hot air.

I admit that I really enjoy this sort of thing, and thought games are a fantastic waste of an evening, but I’ll warn you that I have no experience that qualifies me as an authoritative critic. I just like code, Linux, technology, and building things. I’m neither an astronomer nor a biologist. I’m not a physicist nor am I a mathematician. I enjoy articles written by people much smarter than I, and being a skeptic at heart whenever the masses get riled up about the latest fad, I can’t help myself from examining the subject more closely.

I’ll warn that this article is primarily an opinion piece. There’s no solid information contained within, and it’s even less likely to contain intelligent musings that are my own. Many of the ideas expressed here are just parroted from other sources that have a better handle on the subject (scientific journals, other sites and web personalities, my dad). I can’t credit myself for much more than assembling a handful of disconnected thoughts tangentially related to “first contact.”

So, let’s begin.

First, I want to discuss a little bit about the basic premise of first contact illustrated in the infographic and often repeated in pop culture. It’s wrong. Aliens are not going to make first contact with some random Joe Schmoe on the streets (see below). Instead, they’re much more likely to observe our civilization indirectly, gathering information pertaining to their curiosities, and then–without us ever knowing–they might just leave. That’s right: First contact may have already happened and we’ll never know. Of course, assuming we don’t nuke ourselves back into the stone age or somehow make landfall on a distant star system before our Sun decides to cannibalize its progeny, we might bump into them again. (Hey, remember that planet you came from? We visited you about 200,000 years ago and you didn’t blow yourselves up. I’m proud. Maybe you can make it another 200,000 years?) In this scenario, there’s no point to further discussion. They came, they saw, they left. For most sufficiently advanced civilizations interested in us solely as a celestial curiosity, that’s probably as far as they’ll go (assuming they don’t have proxies). There’s nothing we can provide them apart from satisfying their own scientific curiosity in terms of observing other marginally intelligent life. Well, mostly.

There is one other reason we might make first contact and know it: They need us. I don’t mean they’ll land outside the White House and start playing sappy love songs, either. If they need us–and I mean really need us–it’s because they’re looking for something. It won’t be oil; hydrocarbons of various grades are moderately common in our own solar system. It won’t be water, because that’s all over the place. It won’t be rock, steel, diamonds, or Russian brides. But it might just be proteins, chlorophyll and other organically-created compounds that aren’t readily available elsewhere. That’s right, they might just be hungry and we’re their next meal. But, I wouldn’t worry myself about this too much. If the aliens are able to reach us here and they want to eat us, there’s nothing we’ll be able to do to stop them outside of giving them a righteous case of heartburn. I know you’ve seen Independence Day. I know you’ve seen other flicks where humans arise victorious in the face of insurmountable odds. I also know you’ve never seen a coup de slaughterhouse, led by the cattle mutineer, bravely fighting the human tyranny of his people.

Oh, but we’re smarter than cattle, you say. Sure, and I’d bet you’d turn down a trip across the galaxy if the aliens offered it to you with no strings attached (except for the fine print). Think of it this way: The operator of some celestial alien amusement park offers free rides to the first 100 people except that they never return. Maybe that’s the schtick, “Come to Planet Paradise! It’s everything you’ve ever wanted! Stay a while, stay forever!” I’d imagine there’d be droves of people lining up. Limiting travel to the able-bodied would filter out the unfit, disease-ridden subjects rendering (heh…) post-processing just a little bit easier. Bon appétit!

Most likely, though, they won’t be here in person (unless they like really fresh produce). Instead, it’d be more likely and more efficient to send the interstellar equivalent of a factory ship that harvests, collects, processes, and cans organic materials in a single sweep. Heck, I doubt it’d be a matter of packaging “dolphin-free tuna” or soylent green (remember, it’s people! Well, except in the book…). Instead, we might just encounter giant factory ships that suck up all the organic compounds on a given world, process them into a mostly homogeneous slurry, and dispose of anything they don’t want as waste. I’ll bet you’ve never seen a pooping spaceship before, have you?

If you’ve never seen a meat emulsion, I’d highly recommend it so you have a better picture of what I’m talking about. The exception in this case being that it’d be an emulsion of everything evolution has (had?) to offer sloshing about billions of storage tanks at a comfortable -100°C.

Even if they don’t want to eat us, chances are they won’t send a biological emissary (leastwise, one that hasn’t been engineered), and I would find it highly unlikely they’d send a member of their own species–with the notable exception of the “Star Trek Paradox”.

They Sent a Robot Army

One only needs to look outside the periphery of our own planet to catch a glimpse of the most likely sort of first contact: Robotic probes. We’ve sent probes in orbit, to the Moon, to each of the planets (and beyond), and we’re even doing some really amazing science on Mars. If we can do it, there’s no reason more advanced civilizations can’t do it on an interstellar (if not intergalactic) scale. The crux of this argument essentially boils down to first contact being made by cold, heartless probes (again, ignoring bioengineering for a moment) that snap a few pictures and shuttle them back to some central data store for further processing. Then again, such probes might possess a great deal of artificial intelligence and decide we’re not worth it after a few nanoseconds of deliberation.

I can’t say I blame them.

The ironic thing in this case is that, pending a fully robotic canning ship that’s come here for some distant civilization’s next meal, an alien intelligence-gathering probe might be somewhat less hazardous to encounter and a million times more friendly. Well, assuming we could even recognize it as an alien device. For all we know, such probes might be microscopic, or they might even be disguised as a small space rock that happens to be on a really weird trajectory. Bat ‘er up!

They Don’t Want You for Tea

If we can assume for a moment that our poor lost soul who happened to be abducted is aboard an alien vessel, it won’t be for tea. And chances are, our subject won’t make it out alive. If the aliens have taken sufficient interest in poor Mr. Schmoe, it’s probably to examine his biological features further than their highly advanced scanners are able to ascertain. Such questions as “At what atmospheric pressure does Mr. Schmoe fail to live?” or “Can Mr. Schmoe breathe water, sulfur dioxide, cyanide, or any number of substances, and at what quantity?” In all likelihood, Mr. Schmoe will just be one poor Schmoe in a sea of Schmoes, all collected randomly to limit statistical outliers, each cataloged from point of discovery to time of death.

This may seem appalling to some, but I want you to take a moment to think about biologists studying a new species for the first time. Biologists first observe, then collect, then dissect. Collected specimens may or may not be returned to the ecosystem from which they were recovered, and even if they were released, they probably wouldn’t have the means of returning home. Likewise, specimens are not always left in one piece. It’s not that biologists want to brutally murder previously unseen organisms as much as it is simply an artifact of science. Sometimes creatures just die because they’re stressed or because they’ve been removed from an environment they’re adapted to and placed inside one they’re not. Besides, sometimes (okay, most times) creatures can’t tolerate being dissected for very long before expiring, and for the most part, complex organisms don’t function particularly well as a disassembled puzzle.

What I’m hinting at here is that no amount of Crazy Glue is going to put Aunt Suzie back together after the Rectoids are done with her. It’s kind of like a human Humpty Dumpty.

While an advanced civilization undoubtedly has techniques to non-invasively examine living organisms, such scanners may not be able to tell the whole story. Neither is observation fully unlimited in its pursuits. Collectively, a variety of tools could be used to determine our chemical composition, what we eat, how we interact, and (very generally) the environmental conditions we tolerate. An astute civilization could deduce a great deal from direct and indirect observations alone, including metrics like population distribution (the relative lack of settlements in Antarctica would indicate we don’t do well below certain temperatures), farming techniques and subsequent food consumption, and technological achievements. But there are very few substitutes for outright killing an organism to determine its absolute boundaries. And, well, few alternatives beat violating its external boundaries to see how it ticks.

Think of it this way: If we encountered a potentially dangerous but otherwise technologically inferior species that was not like us, what would we do? We may try to avoid provocation through direct assault, but if a few of our scientists got killed, it’s unlikely anyone would feel all that upset if we snagged a handful for experimental purposes. And, of course, by “experimental” I mostly mean “figure out the quickest way to kill these things in case they get out of hand.”

Now, imagine going up against a primitive organism that was dangerous and bred like rabbits. You scoff, but with almost 7 billion people on the planet, “dangerous bipedal apes with rabbit-like reproductive skills and access to weapons of mass destruction” sort of fits the bill. Who knows? Maybe the aliens coming here are a sort of cosmic Orkin man hired to get rid of a human infestation.

The Star Trek Paradox

I have no idea if this is a “thing.” In fact, it probably isn’t, because I doubt anyone outside sociology would be dumb creative enough to think this one up. On the other hand, because rule #34 of the Internet applies surprisingly well outside the realm of smut insofar as “if you can think of it, it exists,” this probably is a thing. If it’s not, it is now.

The paradox essentially goes like this: Civilization A has had X decades/centuries/millennia to think up crazy ways to greet less advanced civilizations. They stumble upon evidence of Civilization B. They observe Civilization B. Then, for whatever reason–maybe it’s because B makes some killer pork ribs or because B just discovered the Warp Drive–A decides to make contact. Maybe they remember that one time some four thousand years ago when they collectively thought “It’d be rad if aliens totally landed on our capitol building and started doing a jig.” Maybe it’s a spur of the moment thing. Either way, in spite of their ridiculously advanced technology and capability to annihilate B a million times over without so much as breaking a sweat, they decide to plop down in a vacant parking lot outside a truck stop just to say “Hi.” It doesn’t make much sense, because the backwards Bs are of absolutely no use to the Awesome As.

Now, this isn’t so much a paradox as much as it is a plot device to explain where Vulcans came from and to provide TNG: First Contact with a semi-believable story arc–if you can believe all aliens look exactly like us and have all of the same features. That said, having the technology to silently observe any given civilization from the safety of your own roost hundreds–if not thousands–of light years away only to pop out of the shadows like gleaming targets for a bunch of bucktoothed hillbillies (who undoubtedly hold a bit of a grudge against aliens anyway since they swear their Uncle Bob was abducted a few years prior and probed in the anus with a phallic metal object) sort of doesn’t make any sense. Paradox or not, it seems a bit like suicide, or perhaps their culture views such vulnerability as a sign of peace.

I can only imagine the end of human civilization beginning with the phrase: “Hey, ya’ll, they isn’t one of us!”

The Star Trek Paradox neatly outlines the implausibility that a civilization would just happen to show up the moment we make a groundbreaking discovery–or for any reason, really–just because they happen to think “it’s time.”

First, while we haven’t yet invented a warp drive, the destructive specter of atomic weaponry has existed for more than half a century. One might think that it would be more pertinent to visit a promising civilization before it annihilates itself, thus ushering in an era of peace and prosperity (or speed up the process by provoking our benefactors into doing the dirty work for us). Second, just because a civilization might suddenly be capable of transiting among star systems doesn’t mean it’s any more “ready” than it was previously. It just means that civilization is capable of bringing its bad habits with it even further than before. Going from Earth-bound to the-galaxy-is-our-playground overnight isn’t going to suddenly change our behavior, and if you disagree with that sentiment, I’d like you to ask American natives how that whole European thing worked out for them.

I could be completely wrong since I’m not an alien, but the Star Trek Paradox is something that makes little rational sense and probably has even less bearing on reality.

What if it Happens Anyway?

So, let’s just assume first contact happens anyway either because of the Star Trek Paradox or because these aliens are feeling exceptionally cheeky and get their jollies out of scaring the organic refuse out of lesser species. The question is: Do you need to know math?

The answer: No.

Before I explain why, I’d like to point out that the infographic (linked earlier in this post) has a single, very significant contradiction. First, it suggests the aliens contacting us would possess technology so far beyond anything we can comprehend that we’d be better off doing nothing. Then, it suggests that we would need to resort to demonstrating some capability of math and scientific understanding as if they’re completely oblivious to everything we’ve done. I’m sorry, but I don’t buy it; if an alien civilization were to make contact (with good intentions), you can bet they’d observe us to gain a better understanding of our capabilities.

Instead, they’d watch the construction of buildings and roadways, which demonstrates a knowledge of architecture (and by extension trigonometry) and engineering. They’d observe aircraft and satellites, both of which demonstrate aeronautical progress beyond a simple “sticks and stones” society. They’d detect radio emitters peppered across the planet and probably try to decipher their transmissions. But perhaps most importantly: Their advanced technology wouldn’t preclude a basic understanding of sociology and behavioral patterns. Indeed, they might try to determine who the leaders were and make contact with them directly. After all, if their civilization were anything like ours, it would behoove them to avoid abducting a random stranger wandering the woods late at night. While such a person would be representative of the general population (and what they know), such a find is mostly useless outside of playing biologist (see above).

Leaders have a certain amount of influence over their tribe. Think about human history and instances where first contact was made between various civilizations. Invariably, the leadership of those making landfall sought out the leadership of whatever natives they encountered. Of course, they mercilessly slaughtered them in most cases–or in the case of the Chinese, abducted the king of Sri Lanka to personally apologize to the emperor for insulting his troops–but generally speaking, enterprising explorers often sought out leadership. There are exceptions, mind you, but fortunately most of those involved sport–like hunting.

To this extent, the old first encounter joke “take me to your leader” and its derivatives might not be so far off. Assuming some backwater hillbilly happens to be the target of our future encounter with aliens, it’s doubtful that he or she will need to be well versed in binary arithmetic or anything else. Considering the absolute shock of encountering a highly advanced race for the first time, it probably wouldn’t matter if the subject of our discussion was a mathematician or not. For something as historic and important as a first encounter that could potentially change the fate of our species, most people would probably have the first reaction of running to the hills.

“Z’katek. You did it again. You scared them off.”

“I know, B’thuk. So much for asking directions to the nearest fueling station.”

Joking aside, if a civilization isn’t bent on destroying us and is genuinely curious about the human species as a whole, I can almost completely guarantee that we will likely never encounter them. Indeed, I suspect that they would be more likely to observe us at a distance, gather whatever it is that suits their curiosity, and then leave. They might take a memento or two, and not the biological sort, so such a circumstance would be punctuated by the mystery of a missing satellite. You can tell quite a bit about a culture’s technology, capabilities, influence, and more by simply snagging a piece of their work. For an advanced society that came here to observe, snagging a satellite might be a perfect sample as it illustrates (roughly) our computing capabilities, communications capabilities, and how we’ve discovered to best align or control objects in microgravity–all of which are important in ascertaining where on the technology curve human civilization lies.

So no, I don’t think it’s necessary that everyone be well versed in what to do when encountering aliens. Such a discussion is only useful as a thought experiment, nothing more. On the other hand, if the signal to your television suddenly goes blank and no one knows what happened to the satellite (but no doubt there would be some finger pointing at the international level), an alien ship might have just come–and gone–inadvertently ruining your football Sunday dinner party. Unless, of course, they’re here to harvest us, in which case we’re the dinner.

***

A Lesson from Twitter

Today, I got a curious e-mail from Twitter:

Hi, zancarius

Twitter believes that your account may have been compromised by a website or service not associated with Twitter. We’ve reset your password to prevent others from accessing your account.

You’ll need to create a new password for your Twitter account. You can select a new password at this link: [redacted]

As always, you can also request a new password from our password-resend page: https://twitter.com/account/resend_password

Please don’t reuse your old password and be sure to choose a strong password (such as one with a combination of letters, numbers, and symbols).

In general, be sure to:

  • Always check that your browser’s address bar is on a https://twitter.com website before entering your password. Phishing sites often look just like Twitter, so check the URL before entering your login information!
  • Avoid using websites or services that promise to get you lots of followers. These sites have been known to send spam updates and damage user accounts.
  • Review your approved connections on your Applications page at https://twitter.com/settings/applications. If you see any applications that you don’t recognize, click the Revoke Access button.

For more information, visit our help page for hacked or compromised accounts.

(Before you ask: yes, this did come from Twitter.)

It turns out that my Twitter account had been compromised. I hadn’t posted anything since 2011, and I seriously doubt I logged into Twitter any time recently on my browser (though I probably have it active on a mobile device–I just never check it). This was puzzling to me, as I thought I had used a random password on the account as per my usual habit.

Except that I hadn’t. Instead, I had used a simple throwaway that could have been relatively easy to brute force given sufficient time. This was entirely my fault, and while there’s no excuse for it, I admit that I hadn’t ever thought enough of using Twitter to protect the account. Furthermore, the account was created circa 2009, when I used to use fairly simple passwords for throwaways and strong passwords for accounts I wanted to protect (my personal e-mail accounts use > 40-70 character pass-phrases, for example). So, this was entirely my mistake, and while it’s plausible that I may have given a third party access to tweet on my behalf, I suspect this isn’t the case; there were no apps listed in the authorized application list, and the Twitter e-mail strongly hints that they will remain there until manually removed.

So, lesson learned I suppose.

However, this did present a unique opportunity to learn from one of the top social networking sites in the world. Rather than closing accounts or granting spammers free rein, Twitter resets the account password and sends a polite notice to the e-mail address registered for the account indicating what the problem is and how to rectify it. It’s a brilliant idea, I think, and I’d love it if more sites followed suit. After all, spammers are using similar tactics elsewhere (including YouTube) to exploit accounts that might otherwise hold good standing with the community in order to continue their nefarious activities. Plus, is it really fair to terminate someone’s account that’s been compromised, just because it was used to spam? I don’t think so–not anymore.

The other lesson in all of this is to use strong passwords even for accounts you don’t think you’ll use again. It can affect your reputation, it can cause embarrassment, and it feels unnaturally violating to see spammy comments from an account with your picture on it. While my account was only used for two spam tweets before Twitter shut it down, the sensation of such violation wrought deep into my core.

For a couple of years, I’ve been using the excellent KeePass password storage application (more specifically, the KeePassX v2 port) to generate and store random passwords. The tactic of generating random passwords is increasingly viable, as forum software (like vBulletin) exhibits such serious weaknesses that MD5-hashed passwords are no longer strong enough to protect against attackers with even modest resources. By using randomly generated passwords, even if one is compromised, you don’t have to worry about an attacker gaining access to other accounts–or to the mental algorithm you use to generate passwords you can remember.

That said, for my most important accounts, I do use fairly lengthy pass-phrases. By mixing KeePass with pass-phrases, I can save my mental energies for remembering those passwords that are the most important, and offload the remainder of the work to the computer. So far, it’s worked fairly well. Twitter is the only account I’ve had compromised, and that was because I forgot to change the password to something random and had used an older throwaway password, trying to be somewhat “cutesy” (or so I thought) in the process; that serves as a good testament to this approach. It doesn’t mean I won’t have another account compromised, but it does dramatically reduce the probability. The fact that an account I seldom used was compromised helped push me into action to reset some of my more important passwords and to verify that the ones I have collected meet my criteria of strong and random.

So, even if you have an account you never think you’ll use again, be absolutely certain you use a strong (preferably random) password or pass-phrase. After all of this nonsense, I think I might have to go back to using my Twitter account. At least I didn’t lose it; all I lost was some face (but I have hardly any followers whom I don’t personally know in real life… so does it really matter?).

The other moral in all of this is that such compromises can hit anyone. Even you.

***