Last month's news of the devastating breach at Yahoo (NASDAQ: YHOO) stunned even the most seasoned security experts, given its impact on more than 500 million individuals.
Somewhat lost in the news of this attack and others including the U.S. Office of Personnel Management, Anthem, and the Democratic National Committee is that the impact of each of these breaches cannot be viewed in isolation. Rather, each is one node in a much bigger effort.
A closer examination of major breaches reveals a common theme: In each of these headline breaches, the attack vector was the ordinary password, whether stolen, guessed or reused. The reason is simple: The password is by far the weakest link in cybersecurity today.
Indeed, passwords themselves are often the most valuable treasure for attackers, given how many people reuse passwords between accounts. An article last month in Ars Technica drove this point home, detailing how the recent breach of a White House contractor's Gmail account was facilitated by his reuse of a password that had already been exposed in the Adobe breach of 2013.
Against this backdrop, it's become increasingly apparent that the guidance we give people to change their password after every breach does little to thwart attackers: by the time a breach is disclosed, the exposed credentials have often already been tried against the victim's other accounts.
Instead, we need to acknowledge the failure of passwords and make it a national priority to come up with something better – leveraging the next generation of authentication technologies to authenticate identities in a way that is both stronger than passwords and also easier for people to use.
It's important that any alternative simplifies authentication. Companies and agencies don't expect their employees to configure firewalls or actively manage encryption on their laptops; security controls have become increasingly automated over the last few years. But amidst these improvements, there's one item that continues to get pushed down to customers and end-users: The burden of creating and managing dozens of different passwords to access all of their accounts.
Study after study has shown that most Americans neither enjoy this activity nor are particularly good at it. Passwords such as "123456" and "Password1" are commonly used across sites; one study showed that most Americans would rather perform unpleasant household chores than deal with the burden of creating and then remembering a complex password. And even when so-called "strong" passwords are required, they remain vulnerable to phishing attacks, key-loggers and other compromises.