By: Michael Sutton

Prediction 8: Password Reuse Attacks Decline

And now for some good news. Password reuse attacks will begin to decline. Attackers are quite happy to compromise virtually any site, even if it’s not the endgame, because they can generally recover information and resources that will aid other attacks. Uncovering a database of unencrypted usernames and passwords is always a great benefit for an attacker, because human nature suggests that those same credentials are used at many, many other sites. Most people use a handful of passwords at best, so attackers write scripts that attempt automated logins at popular social networking, banking and similar sites to see whether the credentials can be reused.

This presents a real challenge for end users: they have no control over how their credentials are stored or secured once they’re turned over, and in the event of a compromise, changing the password at every site where those same credentials were used is generally an impossibility. Think of your favorite password that you’ve used over the years. How many sites have you used it on? You lost count, didn’t you? Fortunately, this is starting to change, thanks in large part to the smartphone. Smartphones can be many things, but they make for a handy, secure, always-with-you data repository. As such, people are starting to adopt password managers such as 1Password and LastPass, which have user-friendly smartphone apps that keep sensitive data such as passwords within easy reach. Advancements in biometrics are also helping the cause, with consumer-grade fingerprint scanners now becoming a standard feature on modern smartphones. This not only makes accessing that password repository quicker and more user friendly, but also finally makes it an option to do away with passwords altogether. While not as user friendly, most major Internet players are also adding two-factor authentication as a standard option. Finally, the average user has realistic authentication options that don’t involve sticky notes.

Contributed by:

Michael Sutton

CISO, Zscaler
