Why things have got this bad is not hard to fathom; in Kolochenko's view, it's a mix of insecure web applications and conventional Trojan scraping from end users. The way fragmented databases are connected to these insecure front ends also doesn't help, he said.
More complex weaknesses, such as the one believed to have undermined Target, usually result in the most spectacular and public losses.
The one spot of good news is that the suicidal passwords (i.e. '123456') are less common than some recent stories might suggest. The commonest failure was simply adding a number to a common noun, opening users to trivial dictionary hacks. Most serious of all, users also have a habit of re-using the same passwords over and over, a behaviour that multiplies the effects of a single breach across many other sites.
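The two habits singled out above (a common noun with a number tacked on, and reusing one password across sites) are both easy to catch on the defending side at the point where a password is chosen. The following is an added illustration, not code from High-Tech Bridge or Computerworld; the five-word dictionary, the 12-character minimum, and the site names are constructed stand-ins for a real wordlist and policy.

```python
import hashlib
import re

# Constructed stand-in for a real common-word dictionary (assumption: a
# production checker would load a list of thousands of words, not five).
COMMON_NOUNS = {"password", "dragon", "monkey", "football", "sunshine"}

# Lower-case word immediately followed by one to four digits, e.g. "dragon1".
NOUN_PLUS_DIGITS = re.compile(r"^([a-z]+)(\d{1,4})$")


def weakness_reasons(password: str, wordlist=COMMON_NOUNS) -> list:
    """Return the policy failures for a candidate password (empty list = accepted)."""
    reasons = []
    lowered = password.lower()
    if lowered.isdigit():
        # The '123456' class the article mentions.
        reasons.append("all-digit sequence")
    if lowered in wordlist:
        reasons.append("dictionary word")
    match = NOUN_PLUS_DIGITS.match(lowered)
    if match and match.group(1) in wordlist:
        # The commonest failure in the report: common noun plus a number.
        reasons.append("dictionary word with numeric suffix")
    if len(password) < 12:  # constructed minimum length for this example
        reasons.append("shorter than 12 characters")
    return reasons


class ReuseTracker:
    """Flags the same password being registered for more than one site.

    Constructed for this example: it keys on an unsalted SHA-256 of the
    password so equal passwords collide. That is acceptable for a local,
    in-memory check such as a password manager's audit, but a server-side
    credential store must use a salted, slow password hash instead.
    """

    def __init__(self):
        self._sites_by_fingerprint = {}

    def register(self, site: str, password: str) -> list:
        """Record `password` for `site`; return the other sites already using it."""
        fingerprint = hashlib.sha256(password.encode("utf-8")).hexdigest()
        sites = self._sites_by_fingerprint.setdefault(fingerprint, [])
        reused_on = [s for s in sites if s != site]
        if site not in sites:
            sites.append(site)
        return reused_on


if __name__ == "__main__":
    for candidate in ("123456", "dragon1", "correct-horse-battery-staple"):
        print(candidate, "->", weakness_reasons(candidate) or "ok")
    tracker = ReuseTracker()
    tracker.register("shop.example", "dragon1")
    print("reused on:", tracker.register("bank.example", "dragon1"))
```

The reuse check is the more valuable of the two in practice: a weak password on one site is a local problem, while a reused one turns a single breach elsewhere into a credential for every other account that shares it.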
Earlier this month High-Tech Bridge revealed that while patching times have improved in the last year, progress is still behind improvements on the side of the attackers.