More than 90% of passwords are vulnerable to hacks, warns Deloitte – even “strong” ones

Even passwords considered “strong” by IT departments are often now vulnerable to hacking, according to professional services firm Deloitte. In its Technology, Media and Telecommunications Predictions 2013 report, the firm predicts that 90% of user-generated passwords will be vulnerable to hacking this year.

Deloitte says that the weakness inherent in current password systems could result in billions of dollars of losses, and damage to the reputation of companies compromised in attacks.

“This is due to factors such as password re-use, advances in hardware and software used to crack passwords, and non-random distribution of characters,” says Deloitte in its report. “As the value of the information protected by passwords continues to grow, attracting more hack attempts, high-value sites will likely require additional forms of authentication.”

Deloitte’s report says that advances in computer technology have made eight-character passwords easier to crack by “brute force” methods – and points to the use of “crowd hacking” as another threat.

But the main problem is users themselves, according to the report. Habits such as choosing simpler passwords for entry on mobile devices have meant that many passwords remain insecure.

“With so many threats, we might expect users to be adopting longer and stronger passwords. That has not occurred, in part because of the difficulty of entering passwords on mobile devices. On a touchscreen‑only device, a user may have to page through multiple screens just to find the “#” symbol. A quarter of the people surveyed admitted to using less‑secure passwords on mobile devices to save time.”

“Users often create passwords that reference words and names in our language and experience,” the report says. “Users typically put the upper case symbol at the beginning of the password and place the numbers at the end of the password, repeating the numbers or putting them in ascending order. Although a keyboard has 32 different symbols, humans generally only use half-a-dozen of these in passwords because they have trouble distinguishing between many of them. These tricks and tendencies combine to make passwords less random, and therefore weaker.”
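The habits the report lists (capital first, digits last, repeated or ascending digits, a handful of symbols, dictionary words with a few substitutions) are exactly what a cracker encodes as masks and rules, so a password that satisfies an eight-character complexity policy can cost far less to guess than the policy's keyspace suggests. The following is an added example, not code from the Deloitte report or the article: it computes the naive keyspace a complexity policy implies and, beside it, the much smaller space a cracker who knows those habits has to search. The six-symbol set, the stand-in wordlist and its assumed size of 100,000 entries, the leet substitution table and the guess rate of 10^10 per second are all assumptions chosen for illustration.

```python
import math
import re
import string

# The report says a keyboard has 32 symbols but people use "half-a-dozen";
# this particular set of six is an assumption, not the report's list.
COMMON_SYMBOLS = "!@#$%*"
FULL_SYMBOLS = 32
# Constructed stand-in for a cracking dictionary; WORDLIST_SIZE is the assumed
# size of the real list a cracker would use, since the stand-in has six words.
WORDLIST = {"password", "summer", "welcome", "monkey", "dragon", "football"}
WORDLIST_SIZE = 100_000
# Common "leet" substitutions that a cracker undoes with a single rule.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "3": "e",
                      "$": "s", "5": "s", "7": "t"})
# Assumed guess rate: one GPU against a fast unsalted hash; real figures vary widely.
GUESSES_PER_SECOND = 1e10


def mask(password: str) -> str:
    """Character-class mask (u=upper, l=lower, d=digit, s=symbol) as crackers use it."""
    classes = []
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.append("u")
        elif ch in string.ascii_lowercase:
            classes.append("l")
        elif ch in string.digits:
            classes.append("d")
        else:
            classes.append("s")
    return "".join(classes)


def _class_choices(ch: str) -> int:
    """Candidates a cracker tries for one position once the class is known."""
    if ch.isascii() and ch.isalpha():
        return 26
    if ch in string.digits:
        return 10
    return len(COMMON_SYMBOLS) if ch in COMMON_SYMBOLS else FULL_SYMBOLS


def _digit_run_choices(run: str) -> int:
    """Repeated ("7777") or ascending ("1234") digits cost one digit, not len(run) digits."""
    repeated = len(set(run)) == 1
    ascending = all(int(b) - int(a) == 1 for a, b in zip(run, run[1:]))
    if len(run) >= 2 and (repeated or ascending):
        return 10            # only the repeated digit or the starting digit is unknown
    return 10 ** len(run)


def tail_choices(tail: str) -> int:
    """Cost of the trailing non-letter run (the "numbers at the end" habit)."""
    total = 1
    for digits, symbol in re.findall(r"(\d+)|(\D)", tail):
        total *= _digit_run_choices(digits) if digits else _class_choices(symbol)
    return total


def core_choices(core: str) -> int:
    """Cost of the leading part: a dictionary word plus two cheap rules, or a mask."""
    if core.translate(LEET).lower() in WORDLIST:
        # rule 1: capitalise the first letter or not; rule 2: leet on or off
        return WORDLIST_SIZE * 4
    total = 1
    for ch in core:
        total *= _class_choices(ch)
    return total


def analyse(password: str) -> dict:
    """Compare the policy's naive keyspace with the space a habit-aware cracker searches.

    effective_bits is the cost once the cracker targets this mask and wordlist;
    a genuinely random password with an unusual mask costs more in practice
    because every more popular mask is exhausted first.
    """
    core, tail = re.match(r"^(.*?)([^A-Za-z]*)$", password).groups()
    effective = core_choices(core) * tail_choices(tail)
    naive = 94 ** len(password)        # all printable ASCII at every position
    return {
        "mask": mask(password),
        "naive_bits": round(math.log2(naive), 1),
        "effective_bits": round(math.log2(effective), 1),
        "seconds_to_exhaust": effective / GUESSES_PER_SECOND,
    }


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "Summer123!", "Xk7#qzL2", "12345678"):
        print(pw, analyse(pw))
```

Running it shows the gap the report describes: "P@ssw0rd1" passes a typical upper/lower/digit/symbol rule and has a naive keyspace of about 59 bits, but under the habit model it is a dictionary word with two rules and one trailing digit, roughly 22 bits, which the assumed guess rate exhausts in well under a second. "Xk7#qzL2", the same length and the same policy, costs about 2,000 times more even with its mask already known.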

Deloitte predicts that two-factor authentication will be employed by more companies in 2013, and that password vaults will become more popular.

“A number of technology and telecom companies will likely implement some form of multifactor authentication with their services, software and/or devices in 2013. There is likely to be a direct relationship between the value of the information being protected and the complexity of the authentication process: bank accounts would be more demanding than social media networks, which in turn would be more rigorous than a computer game.”

“Organisations must establish better password security policies. Current rules regarding password expiry, minimum length, use of the full symbol set, and password resets are vulnerable and need to be strengthened.”

ESET Security Evangelist Stephen Cobb offers an in-depth view of the security challenges around passwords here.

We Live Security

  • Andrew Yeomans

    Sadly few people in information security are challenging this type of advice on password handling.

    What we should be doing instead is insisting on far better implementation of password management systems.

    Password complexity is needed to solve two different problems:

    1) Repeated attempts to log on using guessed passwords. A good defence, known for decades, is to implement rate limiting or lockout. Credit cards have been using 4-digit PINs for decades without major failures due to repeated guessing attempts. Exponential backoff algorithms are a good way to seriously slow down guessing without total lockout. It also helps to test against a dictionary of the most common passwords to block the easy guesses.

    2) Off-line attacks on a compromised password (hash) database. Which should not have been stolen in the first place! Hardware Storage Modules have been around for decades, and they make it extremely difficult to extract crypto secrets. (While most HSMs are intended for PKI use, there’s no inherent reason why they can’t be used for password storage and secure comparison. A new market opportunity?)

    So the combination of these two techniques – as part of a proper security architecture design – would solve the major technology problems of password systems.
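The two online-guessing defences the comment above argues for, per-account exponential backoff and a block on the most common passwords, as an added example that is not code from ESET, Deloitte or the commenter. For the comment's second point, the offline attack on a stolen hash table, this example substitutes a salted slow hash (PBKDF2) for the HSM the commenter proposes; that is a swap made here, not the commenter's design. The user names, the stand-in common-password list, the delay constants and the PBKDF2 iteration count are all constructed or assumed, and the clock is injectable so the backoff can be exercised without sleeping.

```python
import hashlib
import hmac
import os
import string
import time

# Constructed stand-in for a "most common passwords" list; a real deployment
# would load the top few thousand entries from a breach-derived list.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome", "iloveyou"}

FREE_ATTEMPTS = 3             # failures allowed before the delay starts
BASE_DELAY = 1.0              # seconds after the FREE_ATTEMPTS-th failure, doubling thereafter
MAX_DELAY = 3600.0            # cap: an attacker must not be able to lock the real user out for good
PBKDF2_ITERATIONS = 100_000   # assumed work factor; tune so one hash costs ~100 ms on the login hosts


class ManualClock:
    """Deterministic clock for the demo and tests; production passes time.monotonic."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def make_store(users: dict) -> dict:
    """Salted, slow hashes so a stolen table is expensive to attack offline."""
    store = {}
    for name, password in users.items():
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        store[name] = (salt, digest)
    return store


def verifier_for(store: dict):
    """Return a verify(name, password) callable bound to the hash table."""
    dummy = (b"\x00" * 16, b"\x00" * 32)

    def verify(name: str, password: str) -> bool:
        # Unknown users still pay the full hash cost so response time does not
        # reveal whether the account exists.
        salt, digest = store.get(name, dummy)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
        return name in store and hmac.compare_digest(candidate, digest)

    return verify


class LoginGuard:
    """Per-account exponential backoff: failures past FREE_ATTEMPTS double the wait."""

    def __init__(self, verify, clock=time.monotonic):
        self._verify = verify
        self._clock = clock
        self._state = {}   # username -> (consecutive_failures, not_before)

    def retry_after(self, username: str) -> float:
        _, not_before = self._state.get(username, (0, 0.0))
        return max(0.0, not_before - self._clock())

    def attempt(self, username: str, password: str):
        """Return (ok, seconds_until_the_next_attempt_is_accepted)."""
        wait = self.retry_after(username)
        if wait > 0:
            return False, wait                  # refused without checking the password
        if self._verify(username, password):
            self._state.pop(username, None)     # success resets the counter
            return True, 0.0
        failures = self._state.get(username, (0, 0.0))[0] + 1
        delay = 0.0
        if failures >= FREE_ATTEMPTS:
            delay = min(MAX_DELAY, BASE_DELAY * 2 ** (failures - FREE_ATTEMPTS))
        self._state[username] = (failures, self._clock() + delay)
        return False, delay


def acceptable_new_password(password: str) -> bool:
    """Enrolment-time check that blocks the easy guesses, trailing digits ignored."""
    lowered = password.lower()
    stem = lowered.rstrip(string.digits)        # "password1" is still "password"
    return len(password) >= 8 and lowered not in COMMON_PASSWORDS and stem not in COMMON_PASSWORDS


if __name__ == "__main__":
    clock = ManualClock(1000.0)
    guard = LoginGuard(verifier_for(make_store({"alice": "correct horse battery"})), clock)
    for pw in ("wrong", "wrong", "wrong", "wrong", "correct horse battery"):
        ok, wait = guard.attempt("alice", pw)
        print(f"{pw!r}: ok={ok} wait={wait}s")
        clock.advance(wait)                     # simulate a client honouring the delay
```

Two design points matter here. The backoff is keyed on the account, not the client address, so spreading guesses across many IP addresses does not help the attacker; the price is that an attacker can impose delays on the real user, which is why the delay is capped and reset on success rather than turning into a permanent lockout. In a real service the per-account state lives in a shared store rather than a process-local dict, and the blocklist check runs at enrolment and password change, where it costs nothing, rather than at login.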


Copyright © 2017 ESET, All Rights Reserved.