When nearly 1.5 million user login credentials were stolen from Gawker Media group and published online, the breach harmed security not only for Gawker but also for a number of other, unrelated websites. Knowing that most people use the same username and password on multiple websites, spammers immediately began replaying the Gawker credentials against other websites. The result was a domino effect across the Web: hundreds of thousands of Twitter accounts were hijacked and used to spread spam, and many large sites, including Amazon.com and LinkedIn, prompted users whose e-mail addresses appeared in the dump to change their login credentials before they could be defrauded.
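The response the large sites took is a simple matching exercise: compare the published dump against your own user table and act on the overlap. The following is an added example, not code from the original article or from any of the sites it names. It assumes the dump has already been reduced to plaintext pairs of e-mail address and password (an assumption; a real leak may need cracking first) and uses a small constructed user table with salted PBKDF2 hashes. It separates users who reused the leaked password (force a reset now, since an attacker's automated replay will succeed) from users who merely share an e-mail address with the dump (warn them and watch the account).

```python
import hashlib
import hmac
import secrets

# Constructed sample data: a published credential dump (e-mail, plaintext password).
LEAKED_DUMP = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "letmein"),
    ("carol@example.com", "correct horse"),
    ("dave@example.com", "qwerty123"),
]

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the way our own user table stores passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_user(email: str, password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"email": email, "salt": salt, "hash": hash_password(password, salt)}


# Constructed user table for "our" site. alice reused her leaked password, bob shares an
# e-mail address with the dump but chose a different password, erin is not in the dump.
OUR_USERS = [
    make_user("alice@example.com", "hunter2"),
    make_user("bob@example.com", "Different!9"),
    make_user("erin@example.com", "hunter2"),
]


def verify(user: dict, password: str) -> bool:
    """Constant-time comparison of a candidate password against the stored hash."""
    return hmac.compare_digest(user["hash"], hash_password(password, user["salt"]))


def triage(users: list, dump: list) -> tuple:
    """Split our users into two tiers based on the leaked dump.

    reset_now: the leaked password opens the account here too, i.e. exactly the accounts
               an attacker's automated credential replay would hijack.
    notify:    same e-mail address in the dump, but the leaked password does not work here;
               warn the user and keep an eye on the account.
    Returns (reset_now, notify) as lists of e-mail addresses.
    """
    leaked = {email.lower(): pw for email, pw in dump}
    reset_now, notify = [], []
    for user in users:
        leaked_pw = leaked.get(user["email"].lower())
        if leaked_pw is None:
            continue  # not in the dump at all
        if verify(user, leaked_pw):
            reset_now.append(user["email"])
        else:
            notify.append(user["email"])
    return reset_now, notify


if __name__ == "__main__":
    reset_now, notify = triage(OUR_USERS, LEAKED_DUMP)
    print("force password reset:", reset_now)
    print("notify and monitor:  ", notify)
```

The check in `triage` is the same computation the spammers performed against Twitter, only run by the defender first: a user whose leaked password verifies here would already be compromised by a replay, so the reset cannot wait for the user to act. Note that this only works because the site can test the leaked password against its own salted hash; it never needs to store or log the plaintext.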
The domino effect is caused not only by poor password practices on the part of users but also by the weak authentication requirements of websites, which can actually encourage that behavior. The only way to stop the domino effect is for businesses to stop relying solely on passwords for online authentication.
Finding a balance between competing forces.
To achieve strong authentication on the Web, IT professionals must find a balance among three separate forces whose goals are often at odds: the cost and security needs of the company, the impact on user behavior, and the motivations of the would-be attacker.
The goal of the business is to make website security as rigorous as possible while minimizing the cost and effort spent implementing security controls. To do this, it must take into account the behavior and motivations of both its users and the attackers.
In most cases, the attacker also conducts a cost-benefit analysis when it comes to stealing login credentials. The attacker's goal is to maximize profit while minimizing the cost and effort spent achieving the payoff, so the more of the attack that can be automated, the better the tradeoff becomes. That is why keylogging malware and botnets remain the most pervasive threats, while more sophisticated man-in-the-middle attacks remain rare.
The user also instinctively weighs costs against benefits and behaves rationally as a result. Although it is easy to blame users for choosing weak passwords or using the same password on multiple websites, creating a unique, strong password for every website is not a rational choice for them. The cognitive burden of remembering so many complex passwords is too high a cost, especially if the user believes the odds of their credentials being stolen are small or that the business that owns the website will absorb any losses resulting from fraud (i). The standard advice to choose strong passwords and never reuse them is therefore rejected as a poor cost-benefit tradeoff, and it is no wonder that users continue to have bad password practices.
The motives of the business, the user and the attacker often compete, but they are intertwined, and IT security professionals should not treat them as separate islands of behavior. All three must be considered when developing an effective security strategy. The goal is the optimal balance: a cost-benefit tradeoff that works for the business, security requirements easy enough that users will actually adhere to them, and an attack made just difficult enough that it is not worth the would-be attacker's effort.