Enterprises set their own pace of innovation, and that carries over into security. Information chiefs generally stick with the username-and-password scheme, keeping passwords as the primary means of authenticating both consumers and employees. Passwords are not perfect, but they have been an effective way to authenticate users for decades. In theory, they should be more than enough: password systems are familiar to enterprises and users alike. It is no surprise that there is an appetite for their continued use until their drawbacks on mobile and IoT devices become too obvious.
When there is a major security incident, however, passwords are conveniently on hand to take the blame, with the thin alibi of having been used against their will. This is misleading: the true culprit in mass data breaches is the centralization of the credentials used for authentication. Passwords are implicated almost incidentally.
It’s not the credential type, it’s where credentials are stored
The flurry of mass data breaches traced to passwords has become a blizzard, with memorable nor’easters such as Equifax and now MyFitnessPal. Verizon’s Data Breach Investigations Report finds that more than 80% of hacking-related breaches involve stolen or weak credentials. That makes passwords easy to blame and creates a sense of urgency to secure them better. Yet, as we have seen, hardening existing password implementations has not slowed the pace of these incidents.
The common theme tying together the biggest security incidents involving passwords and other credentials is where those credentials are stored.
This includes the breaches at Anthem, Equifax, Home Depot, LinkedIn, the US Office of Personnel Management, Yahoo!, and others. Enterprises hold every user’s credentials in a single central repository, so when attackers breach that system they get everything at once. Even where the passwords are hashed, the attacker walks away with the whole table and can run offline guessing against every account at leisure; good storage hygiene limits the damage, but the central store remains a single point of total loss.
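To make the "total loss" concrete, here is an added example (not code from the original article or from any of the companies named) that builds the same small, constructed user base three ways, then simulates an attacker who has obtained a dump of the whole table and runs an offline dictionary attack against it. The usernames, passwords and wordlist are invented for illustration; the storage schemes are the real ones found in breached systems: plaintext, unsalted fast hash, and per-user salt with a slow, iterated KDF (PBKDF2-HMAC-SHA256 from the standard library).

```python
import hashlib
import hmac
import os

# Constructed sample user base (not real accounts): usernames and the
# passwords they chose. Three of the four chose guessable passwords.
SAMPLE_USERS = {
    "alice": "password123",
    "bob": "letmein",
    "carol": "Tr0ub4dor&3",
    "dave": "correct horse battery staple",
}

# Constructed attacker wordlist; a real one has hundreds of millions of entries.
WORDLIST = ["123456", "password", "password123", "letmein", "qwerty", "Tr0ub4dor&3"]

PBKDF2_ITERATIONS = 100_000  # work factor; raise it as hardware gets faster


def store_plaintext(users):
    """Worst case: the repository holds the passwords themselves."""
    return {u: {"scheme": "plain", "secret": p} for u, p in users.items()}


def store_unsalted_sha256(users):
    """Common legacy mistake: fast hash, no salt. Equal passwords give equal
    hashes, and one precomputed table cracks every user at once."""
    return {u: {"scheme": "sha256", "secret": hashlib.sha256(p.encode()).hexdigest()}
            for u, p in users.items()}


def store_salted_pbkdf2(users):
    """Hardened form: per-user random salt plus a slow, iterated KDF."""
    out = {}
    for u, p in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, PBKDF2_ITERATIONS)
        out[u] = {"scheme": "pbkdf2", "salt": salt, "secret": digest}
    return out


def verify(record, candidate):
    """Server-side login check for any of the three record formats.
    compare_digest avoids leaking the match position through timing."""
    if record["scheme"] == "plain":
        return hmac.compare_digest(record["secret"].encode(), candidate.encode())
    if record["scheme"] == "sha256":
        return hmac.compare_digest(record["secret"].encode(),
                                   hashlib.sha256(candidate.encode()).hexdigest().encode())
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(record["secret"], digest)


def crack_dump(records, wordlist):
    """Offline attack on a leaked repository. Returns the accounts recovered
    and how many hash/KDF evaluations the attacker had to perform."""
    recovered = {}
    evaluations = 0
    scheme = next(iter(records.values()))["scheme"]
    if scheme == "plain":
        # Nothing to crack: the dump *is* the credential set.
        recovered = {u: r["secret"] for u, r in records.items()}
    elif scheme == "sha256":
        # Hash the wordlist once, then look every user up in that table.
        # Cost is independent of how many accounts were leaked.
        table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
        evaluations = len(wordlist)
        for u, r in records.items():
            if r["secret"] in table:
                recovered[u] = table[r["secret"]]
    else:
        # The salt forces a fresh slow KDF run per (user, guess) pair, so the
        # work scales with users * guesses; weak passwords still fall.
        for u, r in records.items():
            for w in wordlist:
                evaluations += 1
                digest = hashlib.pbkdf2_hmac("sha256", w.encode(), r["salt"], PBKDF2_ITERATIONS)
                if hmac.compare_digest(digest, r["secret"]):
                    recovered[u] = w
                    break
    return recovered, evaluations


if __name__ == "__main__":
    for build in (store_plaintext, store_unsalted_sha256, store_salted_pbkdf2):
        got, work = crack_dump(build(SAMPLE_USERS), WORDLIST)
        print(f"{build.__name__:24s} recovered={sorted(got)} evaluations={work}")
```

Running it shows the progression: the plaintext dump needs no cracking at all, the unsalted SHA-256 table gives up the three weak passwords for the price of hashing the wordlist once, and the salted PBKDF2 store multiplies the attacker's cost per user but still surrenders the same three accounts. The central repository hands over every account's material in one step; the storage scheme only changes how quickly the weak ones fall.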
The allure of a data library available for sale and reuse creates a target that appeals to hackers’ wholesale