Lately, I’ve been spending a lot of time performing static code security assessments of web applications. That leads to working with developers and those who work around them. One thing many of them share with me is their faith in authentication infrastructure — infrastructure that generally sits “in front” of their applications and protects them from unauthorized users. Sometimes I still hear architects talk about “security” as if it were really just authentication… In that context, the latest Verizon Data Breach Investigations Report (DBIR) reviews Verizon’s 2016 dataset of over 100,000 incidents, including 2,260 confirmed data breaches across 82 countries.
The full paper is worth a read, but in the context of my comments above I wanted to highlight Verizon’s recommendations concerning passwords:
“…passwords are great, kind of like salt. Wonderful as an addition to something else, but you wouldn’t consume it on its own.”
“63% of confirmed data breaches involved weak, default or stolen passwords.”
The top 6 breaches followed the same chain of steps: “phish customer > C2 > Drop Keylogger > Export captured data > Use stolen credentials”
“If you are securing a web application, don’t base the integrity of authentication on the assumption that your customers won’t get owned with keylogging malware. They do and will.”
Verizon Data Breach Investigations Report (DBIR)