Rietta.com Security logo
You are reading The Rietta Blog, a publication about the web since 2005.

Bad Password Practices Are Responsible for Most Data Breaches. You Can Do Better.

The 2016 Verizon DBIR report is out and is available for download. Among the findings is the prevalence of data breaches that are attributable to stolen authorization credentials.

According to the report “63% of confirmed data breaches involved weak, default or stolen passwords” (page 20). This is an increase from 2015, when the stat was that 51% of web application breaches were attributable to stolen credentials. If anything is clear, it’s that the lowly credential theft is a clear and present danger in information security. It is responsible for more incidents than all the other exotic, technically interesting attacks combined.

Many of these credentials are stolen through phishing attacks, breaches of other databases where a user made use of the same email address and password that he or she uses for the breached system, and through other means of guessing/trying passwords.

If you are implementing a user authentication system, please:

  1. use slow hashes designed specifically for passwords – see my February blog post Use Bcrypt Instead of SHA* for Your Passwords, Please,
  2. have your system detect multiple incorrect password attempts and lock out such accounts,
  3. and implement two factor authentication for every system that is going to be used by staff who have access to other people’s sensitive data.

Ultimately, the tech community needs to have better authentication mechanisms to remove the need for users to remember usernames and passwords, especially for business systems. But in the mean time, you need to make sure that your system is doing what it can to not be negligent.

Invitation to the Web Application Topics Newsletter

This is an archived issue of the Web Application Topics Newsletter. If you are interested in having future issues sent directly to your e-mail, please sign up for free, today. For back issues, see the Web Application Topics category on this blog.

About Frank Rietta

Frank Rietta's photo

Frank Rietta is a web application security architect, author, and speaker. He is a computer scientist with a Masters in Information Security from the College of Computing at the Georgia Institute of Technology. He speaks about security topics and was a contributor to the security chapter of the 7th edition of the "Fundamentals of Database Systems" textbook published by Addison-Wesley.

If there is a topic you would like us to cover,