I think password leaks are the cause of 99% of hacking. Thus the solution needs to be better password schemes.
Here are three possibilities:
1. Require two or more different passwords to be entered by two or more different designated people.
2. Have a delay of some amount of time before the password is accepted, and notify designated individuals during the delay period that entry has been requested and by whom.
3. Allow password entry only at certain times. I think bank vaults aren’t openable except at a certain time each day.
I work in IT and I have to manage at least 40 passwords, each on a different change schedule. So many passwords that I have to manage them in a password-protected spreadsheet.
I would say that at least 20% of my day is putting in a damned system password. I would get no work done if I had to wait for a second person to sign in for everything I did.
hacked their way into the social app website’s servers and got their hands on more than 32 million user passwords stored in plain text
Correct best practice is not to store the password at all, but to store a "salted hash" of the password. That's why a correctly designed site will let you update your password, but can't tell you what your current password is -- they don't have it.
If you have to store a password -- you shouldn't, but if you did -- then it needs to be stored encrypted. Ditto for high-security data like SSNs, etc.
If there's a 99% cause of hacking, it's people running stuff they get as email attachments. For a while, M$ Outlook even ran such stuff automatically! Talk about a security hole!
2-factor authentication... you login... they text your cell phone a temporary key that’s good for like 10 minutes... you complete the login. Practically mandatory for online banking these days.
The key is to get away from the password model and get into the token model. BUT, the token model is a giant pain in the butt.
