Even passwords considered “strong” by IT departments are often now vulnerable to hacking, according to professional services firm Deloitte. In Deloitte’s Technology, Media and Telecommunications Predictions 2013, the firm predicts that 90% of user generated passwords will be vulnerable to hacking this year.
Deloitte says that the weakness inherent in current password systems could result in billions of dollars of losses, and damage to the reputation of companies compromised in attacks.
“This is due to factors such as password re-use, advances in hardware and software used to crack passwords, and non-random distribution of characters,” says Deloitte in its report. “As the value of the information protected by passwords continues to grow, attracting more hack attempts, high-value sites will likely require additional forms of authentication.”
Deloitte’s report says that advances in computer technology have made eight-character passwords easier to crack by “brute force” methods - and points to the use of “crowd hacking” as another threat.
But the main problem is users themselves, according to the report. Habits such as choosing simpler passwords for entry on mobile devices has meant that many passwords remain insecure.
“With so many threats, we might expect users to be adopting longer and stronger passwords. That has not occurred, in part because of the difficulty of entering passwords on mobile devices. On a touchscreen‑only device, a user may have to page through multiple screens just to find the “#” symbol. A quarter of the people surveyed admitted to using less‑secure passwords on mobile devices to save time.”
“Users often create passwords that reference words and names in our language and experience,” the report says. “Users typically put the upper case symbol at the beginning of the password and place the numbers at the end of the password, repeating the numbers or putting them in ascending order.Although a keyboard has 32 different symbols, humans generally only use half-a-dozen of these in passwords because they have trouble distinguishing between many of them. These tricks and tendencies combine to make passwords less random, and therefore weaker.”
Deloitte predicts that two-factor authentication will be employed by more companies in 2013, and that password vaults will become more popular.
“A number of technology and telecom companies will likely implement some form of multifactor authentication with their services, software and/or devices in 2013. There is likely to be a direct relationship between the value of the information being protected and the complexity of the authentication process: bank accounts would be more demanding than social media networks, which in turn would be more rigorous than a computer game."
“Organisations must establish better password security policies. Current rules regarding password expiry, minimum length, use of the full symbol set, and password resets are vulnerable and need to be strengthened.”
ESET Security Evangelist Stephen Cobb offers an in-depth view of the security challenges around passwords here.