Just to chime in, we see that local hardware-based protections based on encryption are important to help support that password protection. Work that together with multifactor authentication, perhaps using something you have, something you own.
I think an interesting counterpoint to this and an interesting add-on is the ability to make very robust decisions about individuals, about their use of a particular system. We use anonymized, pseudonymized data to help organizations recognize that “Hey, John's logging in from here in Ottawa, and there seems to be a log-in coming from Vancouver. He can't travel that fast.” Let's alert somebody to do that on an organizational perspective to intervene and say, “Look, we should perhaps ask John to refresh his password.”
There's another thing that we're able to do, based upon the global scope of our view into the cyber-threat environment. Often malicious users share dictionaries of user names and passwords. We come across those dictionaries, and we are able to inform our toolsets so that if organizations—say, food.com—find out that one of their names is on there, they are able to go back there as well.
For data associated with the use of a particular toolset, anonymization and pseudonymization help to provide greater assurance for privacy and security as well. Let's make sure we recognize that there's a balance we can strike to make sure that we maintain privacy while at the same time helping safeguard those users.