It’s hard to find a major cyberattack over the last five years where identity — generally a compromised password — did not provide the vector of attack.

Target, Sony Pictures, the Democratic National Committee (DNC) and the U.S. Office of Personnel Management (OPM) each were breached because they relied on passwords alone for authentication. We are in an era where there is no such thing as a “secure” password; even the most complex password is still a “shared secret” that the application and the user both need to know, and store on servers, for authentication. This makes passwords inherently vulnerable to a myriad of attack methods, including phishing, brute force attacks and malware.

The increasing use of phishing by cybercriminals to trick users into divulging their password credentials is the most alarming — a recent report from the Anti-Phishing Working Group (APWG) found that 2016 was the worst year in history for phishing scams, with the number of attacks increasing 65% over 2015. Phishing was behind the DNC hack, as well as a breach of government email accounts in Norway, and was the method that state-sponsored hackers recently used in an attempt to steal the passwords of prominent U.S. journalists. Phishing is on the rise for a simple reason: it is a relatively cheap and effective form of attack, and one that puts the security onus on the end-user. And, given that many users tend to reuse passwords, once these passwords are compromised, they can be used to break into other systems and bypass traditional network security measures.

Click here to read the full article on Harvard Business Review.