Spotify Wasn’t Hacked, But Is Password Reset Really The Solution?

Last week, Spotify announced that it was forcing users to reset their passwords. This wasn't because Spotify itself suffered a data breach or hack like the ones other companies have been facing. Rather, it was a proactive response to those breaches elsewhere, where leaked credentials could be reused against Spotify accounts.

While security professionals push to evolve the password and test the validity of biometrics in authentication, attackers continue to exploit the weaknesses that already exist. An emerging trend in recent breaches is that the data was stolen years before the breach was discovered, which highlights how hard businesses find it to monitor their own information security.

Sadly, it has become evident that warnings to avoid password reuse aren't changing individual end-user behavior. Years of increasing password overload have reduced password security awareness campaigns to white noise, and breaches have become so frequent that they no longer inspire the uptick in responsible security habits they once did. Despite studies showing that online users are concerned by breaches in the news, those same survey respondents admit to risky practices such as reusing passwords and failing to enable security on mobile devices.

In this heightened threat landscape, and without any way to bring the least security-minded person on your team into a conversation about responsible account practices, IT departments have to turn to other methods and layer their security controls.

Organizations need to use the access control solutions available to them and follow industry-accepted good practices to protect themselves and their customers. Multi-factor authentication (MFA) and federated single sign-on based on signed assertions (e.g., SAML) are essential tools that should be part of your overall strategy. Mandating MFA means that a stolen credential set alone is not enough to expose an online account to an attacker. Adopted together as part of a broader, layered security program, the two go a long way toward preventing security incidents caused by compromised credentials.

A holistic approach is the only way to sensibly manage risk with the lowest common denominator in mind, whether that is the password itself or an inattentive user.

So, while Spotify is proactively trying to protect itself and its customers from the fate of some of its peers, a password reset is not the solution to secure online account management. Resetting passwords is, in fact, reactive: it deals with credentials that have already leaked and, frankly, usually comes once an account has already been compromised. We need to do more.