Account management assigned to non-human elements such as devices and applications is indispensable. Recently, attackers use account information, not malicious code. Malicious code can be blocked by multiple security policies, so attackers are looking for other attack tools than malware and use the most successful user accounts. 

According to an analysis by various market research institutes, 81% of data leakage incidents were caused by weak passwords and stolen accounts, 91% of phishing attacks were aimed at user accounts, and 80% of security incidents were from accounts with administrative authority.

Account information can be purchased cheaply in the underground market, and account information previously stolen can be used as is, or a similar combination of letters and numbers can be created and used. CRITICAL STUFFING, which creates a normal user account while inserting into a web service using an automated bot, is also easy to use. Account information can also be found through unmanaged clouds, neglected servers, public emails, and information left on bulletin boards or SNS due to the carelessness of users.

Systems that can log in with only ID/PW are limited, and important information is still not safe even if you think it is safe because it requires additional authentication. There are more important systems that can be accessed without additional authentication than required normally. For convenient remote management of core systems, it is often set up to access with shared ID/PW, and account information of easy combinations of letters and numbers such as admin/1234 is still used.