Nearly every user-generated password, including those considered strong by IT departments, will be vulnerable to hacking this year, a new report has warned.
The Deloitte Technology, Media and Telecommunications Predictions 2013 report says better security policies are needed, with more than 90 percent of user-generated passwords at risk of being compromised in 2013.
Inadequately protected passwords could cause billions of dollars in company and personal losses, declining confidence in internet transactions and significant damage to the reputations of the attacked businesses.
“Current rules regarding password expiration, minimum length, use of the full symbol set, and password resets are vulnerable and need to be strengthened,” the report says.
Passwords with at least eight characters and including mixed-case letters, at least one number and one non-alphanumeric symbol have long been considered relatively strong and safe enough to be used for high-value transactions such as banking, but Deloitte, an international consulting firm, says human behaviour and advances in technology have rendered the ‘strong’ password vulnerable.
Although such passwords allow 6.1 quadrillion possible combinations, users generally draw on only a fraction of them, creating a global pool of common passwords.
“For example, users often create passwords that reference words and names in our language and experience,” the report says.
“Users typically put the upper case symbol at the beginning of the password and place the numbers at the end of the password, repeating the numbers or putting them in ascending order.
“Although a keyboard has 32 different symbols, humans generally only use half-a-dozen of these in passwords because they have trouble distinguishing between many of them.
“These tricks and tendencies combine to make passwords less random, and therefore weaker.”
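The arithmetic behind the figures above is worth making explicit. The following Python script is an added illustration, not code from the article or the Deloitte report: it takes the 94-character alphabet implied by the text (26 lowercase, 26 uppercase, 10 digits, 32 keyboard symbols), the 6.1 quadrillion figure, and the 5.5-hour GPU cracking time, and then models the habits the report describes (uppercase first, digits last, roughly six symbols in use). The exact eight-character layout used for the patterned case is a constructed assumption for the sake of the example; the report does not quantify it.

```python
"""Keyspace and guess-rate arithmetic behind the password-strength figures.

Added example, not from the report or the article. The 94-symbol alphabet,
the 5.5-hour cracking time and the 'uppercase first, digits last, ~6 symbols'
habits come from the text; the specific patterned layout modelled in
patterned_keyspace() is a constructed assumption.
"""
import math

LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32
FULL_ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 94 printable keyboard characters
COMMONLY_USED_SYMBOLS = 6                         # report: humans use about half a dozen
SECONDS_PER_HOUR = 3600


def keyspace(per_position):
    """Candidate strings when position i may hold any of per_position[i] characters."""
    total = 1
    for choices in per_position:
        total *= choices
    return total


def full_keyspace(length=8):
    """Every position drawn independently from the full 94-character alphabet."""
    return keyspace([FULL_ALPHABET] * length)


def patterned_keyspace():
    """Constructed model of the habits described: one uppercase letter first,
    four lowercase letters, one of the ~6 commonly used symbols, two digits last."""
    layout = [UPPER] + [LOWER] * 4 + [COMMONLY_USED_SYMBOLS] + [DIGITS] * 2
    return keyspace(layout)


def bits(space):
    """Entropy-equivalent size of a keyspace in bits (log2 of the count)."""
    return math.log2(space)


def implied_guess_rate(space, hours):
    """Guesses per second needed to exhaust `space` in `hours` (attacker's worst case)."""
    return space / (hours * SECONDS_PER_HOUR)


def seconds_to_exhaust(space, rate):
    """Worst-case time to try every candidate in `space` at `rate` guesses/second."""
    return space / rate


def summary():
    """Compare the nominal keyspace with the patterned one at the implied GPU rate."""
    full = full_keyspace()
    patterned = patterned_keyspace()
    rate = implied_guess_rate(full, 5.5)  # rate at which 94^8 takes 5.5 hours
    return {
        "full_keyspace": full,
        "full_bits": bits(full),
        "implied_guesses_per_second": rate,
        "patterned_keyspace": patterned,
        "patterned_bits": bits(patterned),
        "patterned_seconds_to_exhaust": seconds_to_exhaust(patterned, rate),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key:>30}: {value:,.2f}" if isinstance(value, float) else f"{key:>30}: {value:,}")
```

The point the numbers make: the nominal 94^8 space is about 52 bits, but the patterned layout collapses to roughly 33 bits, which at the guess rate implied by the 5.5-hour figure is exhausted in a fraction of a second. A policy that counts character classes is measuring the first number while attackers exploit the second.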
But re-use of passwords is an even bigger concern. According to a 2012 survey, the average user has 26 password-protected accounts but only five different passwords.
Advances in technology also have made it easier and faster for hackers to obtain passwords, with a dedicated graphics processing unit able to crack any eight-character password in 5.5 hours.
Crowd-hackers also distribute the task over thousands of slower machines, with each focusing on a different part of the puzzle, to reveal the password even faster.
“As the value of the information protected by passwords continues to grow, attracting more hack attempts, high-value sites will likely require additional forms of authentication,” the report says.
Mobile passwords are less secure than those used on a PC because users generally do not use the full spectrum of characters available.
The average user takes 4-5 seconds to type a strong ten-character password on a PC keyboard, while it takes 7-10 seconds on a smartphone with a keyboard and 7-30 seconds on touchscreen devices, the report says.
A quarter of people surveyed in 2012 admitted to using less-secure passwords on mobile devices to save time.
“On a smartphone with a small physical keyboard, accessing all possible characters takes a bit longer; on a touchscreen-only device, a user may have to page through multiple screens just to find the ‘#’ symbol.”