• Home
  • Latest
  • Fortune 500
  • Finance
  • Tech
  • Leadership
  • Lifestyle
  • Rankings
  • Multimedia

Trendingnow

1

Ex-PepsiCo CEO Indra Nooyi worked from midnight until 5 a.m. as a receptionist to pay for her Yale degree—and she says ‘respect went up’ because of it

2

Shark Tank's Kevin O'Leary says if he were 25 today, he'd chase these two booming opportunities in the world of AI

3

China’s birth rate just hit its lowest point since 1949—and Trip.com cofounder James Liang thinks that’s a threat to innovation

1

Ex-PepsiCo CEO Indra Nooyi worked from midnight until 5 a.m. as a receptionist to pay for her Yale degree—and she says ‘respect went up’ because of it

2

Shark Tank's Kevin O'Leary says if he were 25 today, he'd chase these two booming opportunities in the world of AI

3

China’s birth rate just hit its lowest point since 1949—and Trip.com cofounder James Liang thinks that’s a threat to innovation
CommentaryCybersecurity

What Mark Zuckerberg’s Password Hack Says About Cybersecurity

By
Brett McDowell
Brett McDowell
and
Bethany Cianciolo
Bethany Cianciolo
Down Arrow Button Icon
By
Brett McDowell
Brett McDowell
and
Bethany Cianciolo
Bethany Cianciolo
Down Arrow Button Icon
June 30, 2016, 5:44 PM ET
Blue Computer Hacker
Faceless Computer HackerPhotograph by Bill Hinton via Getty Images
Add Fortune on Google for similar content.

Brett McDowell is the executive director of the FIDO Alliance, the nonprofit industry association creating standards for stronger, simpler authentication.

Did you just get a notification from another Fortune 500 company asking you to change all of your passwords? If not, you will soon enough.

It’s almost fashionable to become the victim of a data breach these days, or at least you’d think so, given the who’s-who list of companies announcing them. Earlier this month, 32 million Twitter (TWTR) passwords went on the market. And just days before that, password stores harvested from previous security breaches at LinkedIn (LNKD), Myspace, Tumblr, and Fling were posted for sale online, leaving 642 million accounts compromised. Add these to the 1 billion-plus passwords already out there on the black market and the fact that people tend to use the same, simple passwords across the web, and it’s official: We don’t just have a password problem—we have a password crisis.

With this latest leak of passwords stolen from LinkedIn, even Mark Zuckerberg was found to be using a very simple password—“dadada”—across at least two different web applications, and chose not to enable strong authentication when it was available at these sites.

The conventional wisdom for how to stay safe online is widely cited and relatively sound: 1) use a different, complex password at each of your online accounts; 2) enable strong authentication (often called “two-factor authentication” or “two-step verification”) where it’s available, and 3) don’t be afraid of using a modern password manager if it helps you achieve No. 1.

So why is it, when we have all been told over and over again exactly how to make ourselves safer online, that even Internet industry leaders choose not to do so? The answer is simple: They don’t like the user experience.

Realistically, most of the general population is just like Zuckerberg. It is difficult and frustrating to remember a different, complex password for every single online account—early studies suggest the average web user has at least 25 accounts. So they revert to the easy-to-remember passwords: “123456” is a popular one; “password” is another.

Most users aren’t opting in to use strong authentication either, which is typically a one-time passcode (OTP) sent to a mobile device. This is because the outdated definition of strong authentication is predicated on the idea of adding an extra step to the process. This just slows users down and creates what e-commerce refers to as “friction” in the user experience.

In short, users don’t love the experience of following today’s recommendations for strong authentication, and that is why we have not—and will not—see widespread adoption of strong authentication unless companies address the user experience in a fundamentally better way.

The security needs to be improved, too. Both the password and OTP systems of authentication are inherently vulnerable to many forms of inexpensive, scalable attack because their very nature requires both the user and the web service to know the password or passcode (also called a “shared secret”).

In the case of passwords, this shared information is put into long-term storage on servers where it remains vulnerable to a data breach even years after the user forgot he or she even had an account there. In the case of OTP systems, where the passcode expires quickly, users are still vulnerable to social engineering attacks where the user is tricked into giving away his or her OTP before it expires, hence the troubling statistic that 63% of all data breaches involve the use of stolen, weak, or default passwords.

To really solve the password crisis, online service providers need to do two things now: improve the user experience of strong authentication by making it easier to use, and design the technology so the authentication “secrets” are never shared or stored on servers.

 

To solve the usability problem, many organizations are looking at options like biometrics, wearables, and security tokens as solutions that are even easier than typing “dadada.” Biometrics, in particular, are becoming a trend to improve the authentication user experience, especially with many banks rolling out biometric authentication. The trend is due, at least in part, to the fact that an increasingly large majority of mobile devices are shipped with biometric capabilities like fingerprint scanners and facial recognition built right in. Applications that take advantage of these new capabilities are able to offer users something truly novel: a strong authentication experience they actually want to use.

To address the security problem, manufacturers are increasingly shipping devices with new authentication technology that enables secure, on-device storage of sensitive user data such as biometric templates and application credentials. With user credentials stored on the user’s device and not on servers, the threat of re-used credentials harvested from someone else’s data breach goes away. In order to attack and gain access, the cybercriminal must attack the user’s personal device. In most cases, an attacker would have to gain physical possession of a user’s device to even attempt an exploit. These types of attacks are not scalable or profitable for cybercriminals.

If the whole web ecosystem stops storing user credentials and biometric data on servers and moves to an on-device model for strong authentication, it will dramatically change the game for cybercriminals by eliminating their ability to perform scalable attacks on account credentials as a means of perpetrating fraud.

About the Authors
By Brett McDowell
See full bioRight Arrow Button Icon
By Bethany Cianciolo
See full bioRight Arrow Button Icon
Add Fortune on Google for similar content.

Latest in Commentary

Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025

Most Popular

Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Finance
Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam
By Fortune Editors
October 20, 2025
Fortune Secondary Logo
Rankings
  • 100 Best Companies
  • Fortune 500
  • Global 500
  • Fortune 500 Europe
  • Most Powerful Women
  • World's Most Admired Companies
  • See All Rankings
  • Lists Calendar
Sections
  • Finance
  • Fortune Crypto
  • Features
  • Leadership
  • Health
  • Commentary
  • Success
  • Retail
  • Mpw
  • Tech
  • Lifestyle
  • CEO Initiative
  • Asia
  • Politics
  • Conferences
  • Europe
  • Newsletters
  • Personal Finance
  • Environment
  • Magazine
  • Education
Customer Support
  • Frequently Asked Questions
  • Customer Service Portal
  • Privacy Policy
  • Terms Of Use
  • Single Issues For Purchase
  • International Print
Commercial Services
  • Advertising
  • Fortune Brand Studio
  • Fortune Analytics
  • Fortune Conferences
  • Business Development
  • Group Subscriptions
About Us
  • About Us
  • Press Center
  • Work At Fortune
  • Terms And Conditions
  • Site Map
  • About Us
  • Press Center
  • Work At Fortune
  • Terms And Conditions
  • Site Map
  • Facebook icon
  • Twitter icon
  • LinkedIn icon
  • Instagram icon
  • Pinterest icon

Latest in Commentary

heat
Commentaryclimate change
McKinsey Global Institute: Climate planning has prioritized floods. Heat demands equal attention
By Sylvain Johansson, Mekala Krishnan, Kanmani Chockalingam and Annabel FarrJuly 7, 2026
16 hours ago
j
CommentaryEducation
AI didn’t break higher education—It exposed the credential trap
By Jason BenedictJuly 7, 2026
17 hours ago
e
CommentaryEntrepreneurship
I skipped college and founded a company at 18. Several exits later, this is what I learned
By Eric FranciaJuly 7, 2026
18 hours ago
mw
Commentaryregulation
Virtual Assets Regulatory Authority CEO: Finance’s AI future moves at the speed of its slowest regulator
By Matthew WhiteJuly 7, 2026
19 hours ago
t
CommentaryParenting
Babylist CEO: The Trump Accounts gold rush is overlooking moms
By Natalie GordonJuly 6, 2026
1 day ago
e
CommentaryCorporate Governance
SpaceX’s supervoting shares put a decades-old governance debate back in play
By Jeffrey Sonnenfeld and Steven TianJuly 6, 2026
1 day ago

Most Popular

Ex-PepsiCo CEO Indra Nooyi worked from midnight until 5 a.m. as a receptionist to pay for her Yale degree—and she says ‘respect went up’ because of it
Success
Ex-PepsiCo CEO Indra Nooyi worked from midnight until 5 a.m. as a receptionist to pay for her Yale degree—and she says ‘respect went up’ because of it
By Preston ForeJuly 6, 2026
1 day ago
Shark Tank's Kevin O'Leary says if he were 25 today, he'd chase these two booming opportunities in the world of AI
AI
Shark Tank's Kevin O'Leary says if he were 25 today, he'd chase these two booming opportunities in the world of AI
By Marco Quiroz-GutierrezJuly 5, 2026
3 days ago
China’s birth rate just hit its lowest point since 1949—and Trip.com cofounder James Liang thinks that’s a threat to innovation
Asia
China’s birth rate just hit its lowest point since 1949—and Trip.com cofounder James Liang thinks that’s a threat to innovation
By Nicholas GordonJuly 7, 2026
19 hours ago
Current price of oil as of July 6, 2026
Personal Finance
Current price of oil as of July 6, 2026
By Joseph HostetlerJuly 6, 2026
2 days ago
Even as Elon Musk calls philanthropy ‘very hard,’ everyday Americans gave a record $617 billion—despite feeling the squeeze over the cost of living
Success
Even as Elon Musk calls philanthropy ‘very hard,’ everyday Americans gave a record $617 billion—despite feeling the squeeze over the cost of living
By Preston ForeJuly 4, 2026
4 days ago
The man who ran Bernie's campaign says Democrats are still making the same mistakes with Democratic Socialists, and they should laud Mamdani's win
Politics
The man who ran Bernie's campaign says Democrats are still making the same mistakes with Democratic Socialists, and they should laud Mamdani's win
By Catherina GioinoJuly 6, 2026
1 day ago

© 2026 Fortune Media IP Limited. All Rights Reserved. Use of this site constitutes acceptance of our Terms of Use and Privacy Policy | CA Notice at Collection and Privacy Notice | Do Not Sell/Share My Personal Information
FORTUNE is a trademark of Fortune Media IP Limited, registered in the U.S. and other countries. FORTUNE may receive compensation for some links to products and services on this website. Offers may be subject to change without notice.