Commentary / Cybersecurity

What Mark Zuckerberg’s Password Hack Says About Cybersecurity

By Brett McDowell and Bethany Cianciolo
June 30, 2016, 5:44 PM ET

[Image: faceless computer hacker. Photograph by Bill Hinton via Getty Images]

Brett McDowell is the executive director of the FIDO Alliance, the nonprofit industry association creating standards for stronger, simpler authentication.

Did you just get a notification from another Fortune 500 company asking you to change all of your passwords? If not, you will soon enough.

It’s almost fashionable to become the victim of a data breach these days, or at least you’d think so, given the who’s-who list of companies announcing them. Earlier this month, 32 million Twitter (TWTR) passwords went on the market. And just days before that, password stores harvested from previous security breaches at LinkedIn (LNKD), Myspace, Tumblr, and Fling were posted for sale online, leaving 642 million accounts compromised. Add these to the 1 billion-plus passwords already out there on the black market and the fact that people tend to use the same, simple passwords across the web, and it’s official: We don’t just have a password problem—we have a password crisis.

With this latest leak of passwords stolen from LinkedIn, even Mark Zuckerberg was found to be using a very simple password—“dadada”—across at least two different web applications, and chose not to enable strong authentication when it was available at these sites.

The conventional wisdom for how to stay safe online is widely cited and relatively sound: 1) use a different, complex password at each of your online accounts; 2) enable strong authentication (often called “two-factor authentication” or “two-step verification”) where it’s available, and 3) don’t be afraid of using a modern password manager if it helps you achieve No. 1.

So why is it, when we have all been told over and over again exactly how to make ourselves safer online, that even Internet industry leaders choose not to do so? The answer is simple: They don’t like the user experience.

Realistically, most of the general population is just like Zuckerberg. It is difficult and frustrating to remember a different, complex password for every single online account—early studies suggest the average web user has at least 25 accounts. So they revert to the easy-to-remember passwords: “123456” is a popular one; “password” is another.

Most users aren’t opting in to use strong authentication either, which is typically a one-time passcode (OTP) sent to a mobile device. This is because the outdated definition of strong authentication is predicated on the idea of adding an extra step to the process. This just slows users down and creates what e-commerce refers to as “friction” in the user experience.

In short, users don’t love the experience of following today’s recommendations for strong authentication, and that is why we have not—and will not—see widespread adoption of strong authentication unless companies address the user experience in a fundamentally better way.

The security needs to be improved, too. Both the password and OTP systems of authentication are inherently vulnerable to many forms of inexpensive, scalable attack because their very nature requires both the user and the web service to know the password or passcode (also called a “shared secret”).

In the case of passwords, this shared information is put into long-term storage on servers where it remains vulnerable to a data breach even years after the user forgot he or she even had an account there. In the case of OTP systems, where the passcode expires quickly, users are still vulnerable to social engineering attacks where the user is tricked into giving away his or her OTP before it expires, hence the troubling statistic that 63% of all data breaches involve the use of stolen, weak, or default passwords.

To really solve the password crisis, online service providers need to do two things now: improve the user experience of strong authentication by making it easier to use, and design the technology so the authentication “secrets” are never shared or stored on servers.


To solve the usability problem, many organizations are looking at options like biometrics, wearables, and security tokens as solutions that are even easier than typing “dadada.” Biometrics, in particular, are becoming a trend to improve the authentication user experience, especially with many banks rolling out biometric authentication. The trend is due, at least in part, to the fact that a large and growing majority of mobile devices ship with biometric capabilities like fingerprint scanners and facial recognition built right in. Applications that take advantage of these new capabilities are able to offer users something truly novel: a strong authentication experience they actually want to use.

To address the security problem, manufacturers are increasingly shipping devices with new authentication technology that enables secure, on-device storage of sensitive user data such as biometric templates and application credentials. With user credentials stored on the user’s device and not on servers, the threat of re-used credentials harvested from someone else’s data breach goes away. In order to attack and gain access, the cybercriminal must attack the user’s personal device. In most cases, an attacker would have to gain physical possession of a user’s device to even attempt an exploit. These types of attacks are not scalable or profitable for cybercriminals.

If the whole web ecosystem stops storing user credentials and biometric data on servers and moves to an on-device model for strong authentication, it will dramatically change the game for cybercriminals by eliminating their ability to perform scalable attacks on account credentials as a means of perpetrating fraud.
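The contrast the authors draw between a shared secret stored on the server and a credential that never leaves the device comes down to what each side holds during a login. The Go program below is an added example, not the authors' or the FIDO Alliance's code: it assumes Ed25519 keys, a constructed pair of origins (bank.example and a look-alike), and a plain struct field standing in for the secure hardware a real device would use. The server keeps only a public key, every login is a signature over a fresh challenge bound to the origin the device is actually talking to, and nothing a breach or a phishing page captures can be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

type (
	// Credential is all the server keeps: a public key. A leaked table of these is not reusable.
	Credential struct{ PublicKey ed25519.PublicKey }
	// Device keeps the private key; a struct field stands in for a secure element (demo assumption).
	Device struct{ priv ed25519.PrivateKey }
)

// Register creates the key pair on the device and hands the server only the public half.
func Register() (*Device, Credential) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv}, Credential{PublicKey: pub}
}

// NewChallenge is fresh per login, so a captured signature cannot be replayed.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// signedData binds the challenge to the origin the device sees, as a browser reports it to an authenticator.
func signedData(origin string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(origin+"\x00"), challenge...))
	return h[:]
}

// Assert is the device's reply to a challenge: a signature, never a secret.
func (d *Device) Assert(origin string, challenge []byte) []byte {
	return ed25519.Sign(d.priv, signedData(origin, challenge))
}

// Verify passes only for the server's own origin and the challenge it issued.
func (c Credential) Verify(origin string, challenge, sig []byte) bool {
	return ed25519.Verify(c.PublicKey, signedData(origin, challenge), sig)
}

func main() { // prints true (genuine login), then false (challenge relayed through a look-alike origin)
	dev, cred := Register()
	ch := NewChallenge()
	fmt.Println(cred.Verify("https://bank.example", ch, dev.Assert("https://bank.example", ch)))
	fmt.Println(cred.Verify("https://bank.example", ch, dev.Assert("https://bank-login.example", ch)))
}
```

The second line is the social-engineering case from the text: a user tricked onto a look-alike site has nothing to hand over, because the device signs for the origin it actually sees and the real site rejects that signature.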
