Risk & Repeat: Who's to blame for bad passwords?
This week's Risk & Repeat podcast discusses whether users are responsible for creating and reusing weak passwords or if the technology systems themselves are to blame.
When bad passwords lead to a breach, how much of the responsibility falls on the user versus the underlying technology?
That was the question at the heart of a recent discussion between two members of the infosec community. Troy Hunt, security expert and owner of the Have I Been Pwned service, asked via Twitter whether a user is responsible for a credential stuffing attack when they create a weak password and reuse it across multiple services. Wendy Nather, director of advisory CISOs at Duo Security and a longtime infosec veteran, responded by saying the infosec community should stop blaming users for bad passwords and instead focus on bad technical design.
In a follow-up blog post, Hunt argued that victims should take some of the blame when hacks are a result of poor password practices. Nather, however, disagreed.
"As technology designers, we gave users a crappy design and are now shaming them for the results instead of fixing it," she wrote on Twitter.
While everyone seems to agree that bad passwords are a major security problem, the debate over who's largely responsible for the problem, as well as how to fix it, continues. In this episode of the Risk & Repeat podcast, SearchSecurity editor Rob Wright and senior reporter Michael Heller take a closer look at Hunt and Nather's opposing positions and offer their own thoughts on the debate.