The 2016 Verizon Data Breach Investigations Report (DBIR) is out and available for download. Among its findings is the prevalence of data breaches attributable to stolen authentication credentials.
According to the report, “63% of confirmed data breaches involved weak, default or stolen passwords” (page 20). That is up from the 2015 report, which put the figure at 51% of web application breaches attributable to stolen credentials (a narrower measure, so the two numbers are not strictly comparable, but the trend is the same). If anything is clear, it is that lowly credential theft is a clear and present danger in information security: it accounts for more incidents than all the exotic, technically interesting attacks combined.
Many of these credentials are stolen through phishing; through breaches of other sites where the user reused the same email address and password, after which the stolen pairs are replayed against every other system the attacker can reach; and through outright guessing of passwords (brute-force and dictionary attacks).
If you are implementing a user authentication system, please:
- use a slow hash designed specifically for passwords, such as bcrypt (see my February blog post Use Bcrypt Instead of SHA* for Your Passwords, Please),
- have your system detect repeated incorrect password attempts and lock out the affected accounts (a temporary lockout or rate limit is usually preferable to a permanent one, since a permanent lockout lets an attacker lock legitimate users out simply by guessing wrong),
- and implement two-factor authentication for every system used by staff who have access to other people’s sensitive data.
Ultimately, the tech community needs better authentication mechanisms that remove the need for users to remember usernames and passwords, especially for business systems. In the meantime, you need to make sure your system is doing what it can not to be negligent.
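As an added example (not code from the original post), the following minimal Python authentication module implements the three items in the list above: a slow, salted password hash, a temporary lockout after repeated failures, and a TOTP second factor per RFC 6238. PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt so the example runs without third-party packages; the policy constants, the in-memory account store and the function names are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# Policy knobs: assumed values for this example, not figures from the DBIR.
PBKDF2_ITERATIONS = 200_000     # raise until one verification costs ~100 ms on your hardware
MAX_FAILED_ATTEMPTS = 5         # failures (password or second factor) before lockout
LOCKOUT_SECONDS = 15 * 60       # temporary lockout, so an attacker cannot lock users out for good


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256 (stdlib stand-in for bcrypt); returns algo$iters$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app shows for `secret` at time `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Authenticator:
    """In-memory user store (assumed for the example); `now` is injectable so lockout expiry is testable."""

    def __init__(self, now=time.time, iterations: int = PBKDF2_ITERATIONS):
        self.now = now
        self.iterations = iterations
        self.accounts = {}  # username -> dict(hash, totp_secret, failures, locked_until)
        # Verified for unknown usernames so response time does not reveal whether an account exists.
        self._dummy_hash = hash_password(os.urandom(16).hex(), iterations)

    def register(self, username: str, password: str, totp_secret: bytes = None) -> None:
        self.accounts[username] = {
            "hash": hash_password(password, self.iterations),
            "totp_secret": totp_secret,
            "failures": 0,
            "locked_until": 0,
        }

    def _record_failure(self, acct: dict) -> None:
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILED_ATTEMPTS:
            acct["locked_until"] = self.now() + LOCKOUT_SECONDS
            acct["failures"] = 0

    def login(self, username: str, password: str, code: str = None) -> str:
        """Returns 'ok', 'locked', 'bad_credentials' or 'bad_second_factor'."""
        acct = self.accounts.get(username)
        if acct is None:
            verify_password(password, self._dummy_hash)   # burn the same time as a real check
            return "bad_credentials"
        if self.now() < acct["locked_until"]:
            return "locked"   # refuse before checking, so guessing cannot continue during lockout
        if not verify_password(password, acct["hash"]):
            self._record_failure(acct)
            return "bad_credentials"
        if acct["totp_secret"] is not None:
            expected = totp(acct["totp_secret"], int(self.now()))
            if code is None or not hmac.compare_digest(code.encode(), expected.encode()):
                self._record_failure(acct)   # wrong codes count too, or 6 digits can be brute-forced
                return "bad_second_factor"
        acct["failures"] = 0
        return "ok"


if __name__ == "__main__":
    auth = Authenticator()
    secret = os.urandom(20)
    auth.register("alice", "correct horse battery staple", totp_secret=secret)
    print(auth.login("alice", "wrong password"))                                   # bad_credentials
    print(auth.login("alice", "correct horse battery staple", totp(secret, time.time())))  # ok
```

Two design points are worth noting. A wrong second-factor code is counted as a failure just like a wrong password; otherwise an attacker who already holds the password can walk through all one million six-digit codes. And the lockout check runs before the password check, so that an attacker cannot keep testing guesses against a locked account and learn when the right one was tried. In production, swap the PBKDF2 stand-in for bcrypt or Argon2, keep the account state in persistent storage, and accept TOTP codes from the adjacent time step as well to tolerate clock drift.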
Invitation to the Web Application Topics Newsletter
This is an archived issue of the Web Application Topics Newsletter. If you are interested in having future issues sent directly to your e-mail, please sign up for free, today. For back issues, see the Web Application Topics category on this blog.