Posts

Showing posts from July, 2025

Strengthening Login Security (3 of 4)

This post is the third in a series of four about the current role of passwords in cybersecurity. Specifically we will explore and explain how the changing threat environment moves the password from primary identity confirmation to a more supporting role. While our focus here at Pythia Cyber is helping companies make the best choices in their cybersecurity, this series touches on the user experience as we are all users and that shared experience is helpful in describing how cybersecurity should be deployed inside your organization. The first post in this series is here. The second post is here. The fourth post is here. If passwords aren’t strong enough to identify a user as really that user, what are we to do? One idea is to check who the user is, in more than one way. This is called Multi-Factor Authentication, and it’s becoming pretty widespread. “Authentication” is what security professionals call the process of verifying that a user is who they say they are,...

Passwords Alone Cannot Save You (2 of 4)

This post is the second in a series of four about the current role of passwords in cybersecurity. Specifically we will explore and explain how the changing threat environment moves the password from primary identity confirmation to a more supporting role. While our focus here at Pythia Cyber is helping companies make the best choices in their cybersecurity, this series touches on the user experience as we are all users and that shared experience is helpful in describing how cybersecurity should be deployed inside your organization. The first post in this series is here. The third post is here. The fourth post is here. When the idea of computer passwords started, it seemed pretty simple: a secret word that you know, but no-one else does, could identify you as who you are. But people also use computers for spell-checking, which involves creating dictionaries of all the known words. It doesn’t take long to realize that plugging each word of the dictionary into th...

16 Billion Passwords Leaked! Is This The End? (1 of 4)

This post is the first in a series of four about the current role of passwords in cybersecurity. Specifically we will explore and explain how the changing threat environment moves the password from primary identity confirmation to a more supporting role. While our focus here at Pythia Cyber is helping companies make the best choices in their cybersecurity, this series touches on the user experience as we are all users and that shared experience is helpful in describing how cybersecurity should be deployed inside your organization. The second post in this series is here. The third post is here. The fourth post is here. Recent news articles, like this one, have described a database of 16 billion (with a “B”!) passwords stolen from major online companies like Apple, Google, and Meta (Facebook). This sounds like a major hack, and the end of passwords for security. On closer analysis, the news is both better and worse than that. Let’s look at why, and what we shou...

Litany Of The Hacked: June 2025 Wrap-Up

In May we covered the litany of the hacked, a group of entities that had been successfully hacked (such as my dentist). The point was to note that this sort of thing happens and it has consequences. Pretending that you can whistle past the graveyard in cyberspace is foolish and delusional. Then came the early June extension of the litany. Newly enrolled members in the US and UK included brand-forward retailers. Retailing has features that make it more susceptible to hacking, true enough. And now: the litany of the hacked, June 2025 wrap-up edition. The litany now includes: Columbia University...United Natural Foods...Aflac...Erie Indemnity...Philadelphia Insurance...International Criminal Court...The Washington Post...Hawaiian Air...WestJet...various financial institutions inside the Islamic Republic of Iran... OK the last one is an anomalous situation but the other organizations were brought to heel to various extents just inside one month. Question: do you think they had annua...

Bad Cyber-Actors Are Getting Better At Their Game. What About You?

This recent report on how criminals used people's stolen identities to defraud the US healthcare system of $10.6 billion deserves your attention. Here is a key part related to cybersecurity (emphasis added): "Those involved in the fraud bought dozens of companies that were accredited to submit claims to Medicare and the program’s supplemental insurers, prosecutors say. Then, using personal information stolen from more than a million Americans, the defendants filed billions of dollars in claims for equipment that had not been ordered by people enrolled in Medicare and was not delivered to them, according to the indictment." For context, the story mentions that a previous gang in 2019 defrauded the US healthcare system of $1 billion, which was considered a lot at the time. And if you need more context, a completely unverified and unaudited "cost savings" identified in the US by the DOGE process in 2025 was $180 billion. (Full disclosure: my AI engine claims th...