While user education is important, and includes measures such as choosing robust passwords and not reusing them on multiple sites, the onus can't be entirely on the customer to protect his or her own data when it's been entrusted to a service.
"Basically, I think anyone that relies on passwords for security has to be kidding themselves," said Gartner security analyst Avivah Litan. She suggests biometric security measures instead. For example, behavioral biometrics applications can track how users of a website typically act, and if that activity changes dramatically, the company can be alerted and take action.
"The idea is you can maintain customer convenience and strengthen consumer security without imposing things on them," Litan said. "That's even better for security because many intelligent security folks believe we need to forget about prevention and focus on detection and containment."