And the website Malicious Link, in a recent post, argued that enterprises need to understand the psychology of employees and to provide incentives for them not to be tempted to sell their credentials.
If security professionals become "familiar with the emerging studies under the banner of cognitive psychology/behavioral economics," they will be able to understand "irrationalities" in human judgment and "design better incentive systems and security control schemes," the post said.
The good news, according to Sudhakar, is that even if people willingly sell or compromise their credentials, technology has gotten better at spotting the inevitable breach that follows.
"Innovations in data science and machine learning are improving early breach detection from compromised credentials or insiders gone bad," he said.
That, combined with better training and an awareness of disgruntled employees, may be the best defense. As Frenz notes, passwords do have one major advantage over other, more secure forms of authentication such as biometrics.
"They are very easy to change once compromised," he said.