Surveys and research continue to reveal that people reuse the same credentials across multiple services, from social media to banking to e-commerce.
Often, users do this to sidestep password hassles, friction compounded by now-recanted guidance (mandatory complexity rules and periodic forced rotation, for example) that made password use even more onerous, all in the name of security.
Credential-reuse attacks, commonly called "credential stuffing," succeed roughly 2% of the time, a rate that may seem trivial.
However, with some 3 billion credentials stolen since 2016 and now circulating in the wild for use in such attacks, a 2% hit rate against that pool yields tens of millions of working logins (2% of 3 billion is about 60 million). Given how widely people reuse passwords, that is a credible threat to every online service and its users.
Simply put, all service providers — even those with a strong security posture — are only as secure as the Home Depots, LinkedIns and Equifaxes of the world. Collateral damage is as genuine a concern as direct damage, and will remain so until solutions arrive that address, and retire for good, the credential-reuse attack model.
The key first step in staying ahead of cybercriminals is to acknowledge that the problems of the breached enterprises are those of the lucky ones not yet breached.
Next, take a close look at the common theme tying these large incidents together: a centralized credential store. It serves as the target, the way in and the springboard for further attacks. Surely we can do better, as proponents of password elimination, decentralization and on-device authentication contend.