In a perfect world, we’d all have strong and different passwords for every site we visit. We know it’s the right thing to do. But then again, we also know that getting regular exercise is the right thing to do. And maybe, just maybe, we don’t always get around to doing the “right” things.
Today, there are just so many sites out there and coming up with umpteen different passwords isn’t always easy for people. Password reuse is rampant, even among people who should know better, and it creates a vulnerability that can be exploited.
The single point of failure it creates means a data breach at one company can cause a major ripple of compromises across many other sites. Attackers take the usernames and passwords stolen from one source and replay them in bulk against other services (so-called credential stuffing) to gain access to, say, bank accounts, Facebook pages, Gmail, you name it. Most recently, the major loss of usernames and passwords from Adobe caused Facebook and Evernote to prompt users to reset passwords to avoid these attacks.
So what should companies downstream from a compromise do to protect users against this fallout? The one approach making headlines is to force all potentially impacted users to reset passwords, which, while effective, is burdensome for users. There are several other steps companies can take on the server side to identify and disrupt these attacks.
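One way to picture the server-side identification the paragraph above refers to, as an added example that is not part of the original post or the SecurityWeek article: the replayed-credential pattern shows up in authentication logs as a single source trying many distinct accounts with mostly failures, and as individual accounts being tried from several sources. The log format, thresholds and sample lines below are constructed assumptions for illustration.

```python
"""Spot credential-replay patterns in authentication logs.

Added example (not from the original post). Assumes a constructed
log format:  <ISO timestamp> <source_ip> <username> <success|fail>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real traffic). 198.51.100.7 walks a
# list of leaked accounts; alice's leaked password is tried from two IPs.
SAMPLE_LOG = """\
2013-11-14T10:00:01 198.51.100.7 alice fail
2013-11-14T10:00:02 198.51.100.7 bob fail
2013-11-14T10:00:03 198.51.100.7 carol fail
2013-11-14T10:00:04 198.51.100.7 dave success
2013-11-14T10:00:05 198.51.100.7 erin fail
2013-11-14T10:00:06 198.51.100.7 frank fail
2013-11-14T10:00:07 203.0.113.9 alice fail
2013-11-14T10:00:40 203.0.113.9 alice success
2013-11-14T10:01:00 192.0.2.20 grace success
"""


def parse_line(line):
    """Split one log line into (timestamp, source_ip, username, succeeded)."""
    ts, ip, user, outcome = line.split()
    return datetime.fromisoformat(ts), ip, user, outcome == "success"


def flag_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_distinct_users=5, max_success_ratio=0.5):
    """Return sorted source IPs whose attempts inside a sliding `window`
    touch at least `min_distinct_users` distinct accounts while succeeding
    no more than `max_success_ratio` of the time. A legitimate user rarely
    cycles through many different usernames; a replayed leak does."""
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    per_ip = defaultdict(deque)   # source IP -> recent (ts, user, ok) events
    flagged = set()
    for ts, ip, user, ok in events:
        recent = per_ip[ip]
        recent.append((ts, user, ok))
        while recent and ts - recent[0][0] > window:   # drop events outside window
            recent.popleft()
        distinct_users = {u for _, u, _ in recent}
        successes = sum(1 for _, _, s in recent if s)
        if (len(distinct_users) >= min_distinct_users
                and successes / len(recent) <= max_success_ratio):
            flagged.add(ip)
    return sorted(flagged)


def accounts_with_many_sources(log_text, min_sources=2):
    """Return usernames that received login attempts from at least
    `min_sources` distinct IPs: a hint that a leaked credential is being
    replayed rather than used by its owner, and a candidate for a
    targeted reset or step-up check instead of a site-wide reset."""
    sources = defaultdict(set)
    for line in log_text.splitlines():
        if line.strip():
            _, ip, user, _ = parse_line(line)
            sources[user].add(ip)
    return sorted(u for u, ips in sources.items() if len(ips) >= min_sources)


if __name__ == "__main__":
    print("suspect sources:", flag_stuffing_sources(SAMPLE_LOG))
    print("accounts tried from several sources:", accounts_with_many_sources(SAMPLE_LOG))
```

The two signals complement each other: the per-source check catches the bulk replay as it happens and lets a site throttle or challenge that source, while the per-account check narrows the set of users who actually need a reset or a second factor, which is the lighter-touch alternative to forcing everyone to change their password.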
Read the full article at SecurityWeek.