Passwords must die.

At least, that was a theme of the Gartner Identity and Access Management Conference I recently attended. And you don’t have to be a security expert to see that our traditional system of “think of something you can easily remember” passwords is broken. Between guessing them, brute force attacks, keyloggers, socially engineered cons, and just breaking in and outright stealing them from a database as in a recent attack on Yahoo, users are in a difficult situation

For one thing, too many of us aren’t using strong passwords to begin with. This year’s breach of millions of Yahoo! Voice user passwords demonstrated our unwillingness to remember long, challenging combinations of numbers, letters and symbols –“password” was the most common password among those stolen. Another problem is that our passwords are only as effective as the security of the organization storing them. It does us no good to have the longest, most cryptic password possible if someone simply breaks in and steals it from our email provider. 2012 was littered with data breaches disclosures of stolen passwords and password hashes from major sites, including LinkedIn, Zappos, eHarmony and Last.fm to name a few.

There have been many blog postings lately on the value of salting passwords to prevent attackers from discovering the actual password values.  Salting is very effective tool when implemented properly to protect passwords, but the problems are bigger than salting the passwords.  Attackers are able to access the systems where the passwords are stored and once they own the system then they can pretty much do whatever they want to.  Most will take the entire credential database and try to break the encryption/hashing schemes.  In addition to that, a lot of credential stores also include various bits of information about the users that own the passwords.  Encrypting/hashing/salting passwords is not enough and corporations need to go the next step of not only treating these as highly sensitive crown jewels of the company, but putting the controls on these systems to prevent/thwart the attackers/attacks in the first place.

With the end of 2011 upon us, one thing is sure: the mobile revolution is in full swing. Smartphones and tablets are everywhere.

In fact, according to the analyst firm Gartner, sales of smartphones will exceed 461 million this year – surpassing PC shipments in the process – and rise to 645 million in 2012. Combined sales of smartphones and tablets will be 44 percent greater than the PC market by the end of the year. Beyond 2011, Gartner says the rise in tablet use will jump to 900 million by 2016.

These devices are not just becoming mainstream, they are penetrating nearly every aspect of our lives. More importantly, for many the line between personal and business devices has been blurred, or erased altogether. More often than not, a single device is used for both personal and business activities, with Gartner also predicting that 80 percent of professionals will use at least two personal devices to access corporate systems and data by 2014.

Imagine for a moment that someone stole the key for your bicycle lock. But since it’s locked safely in your garage anyway, it’s no big deal, right?

Now imagine that, for convenience, you had previously rekeyed every other lock you have so you could use that bike lock key in all of them. Your front door, your car, your mailbox and your safe deposit box at the bank are only secure if you keep that one key safe. Now how would you feel if you lost it?

Of course, nobody would be so careless as to make one key fit every lock, right? Well, take a moment to consider how many dozens of online accounts you have. How many of them use the same password? Think about what would happen if just one of those sites was hacked, and someone got a hold of your login information.

The Internet has grown to be one of the most important information and business conduits the world has ever seen.  While it’s brought us amazing, new capabilities over the past 15 years or so, the Internet comes with its downside.  Much like the days when America was stretching itself from the east to the west, the “wild west” was a ripe playground for “bad” people. The same goes for the Internet.

It is a double-edged sword. We have amazing capabilities, but also a perfect landscape for lawlessness.  Hackers and cybercriminals have taken note. Today, they leverage the Internet to target specific individuals or groups of individuals at specific companies, get them to react to an email message thereby directing them to an attacker’s site and silently download malware to begin the process of gaining access and stealing data or IP.  What’s more, they’re automating their attacks. Sophisticated attackers are leveraging the power of scripting tools and computing power to call together vast amounts of computers to aide in perpetrating automated attacks.

It seems that no matter where you are, you’re paying more for data breach these days. The Ponemon Institute, together with Symantec, released results of the second annual 2010 Global Cost of a Data Breach report today. The average cost of a data breach has now reached $4 million, up 18 percent from 2009, and the average cost per compromised record jumped 10 percent to $156. Costs still vary between regions. The United States had the highest cost per compromised record at $214, followed by Germany at $191, France at $136, Australia at $123 and the United Kingdom at $114 (a whopping $100 less than the United States).

But enough with the numbers, the interesting stuff is what’s behind the rising global cost of a data breach. It’s certainly true that companies face intense pressure to improve data security. In 2010, there was no shortage of high-profile data breach incidents making headlines in the global media. High-profile data breaches really aren’t anything new—though their probably getting more attention than in years past. What has continued to evolve is regulation.