Think you’ve got a clever, un-hackable password?
You might want to tack on a few numbers to it. Global consulting firm Deloitte released a report Tuesday with an alarming prediction. More than 90% of user-generated passwords will be vulnerable to hacking, the report, prepared by Deloitte’s Canadian Technology, Media & Telecommunications arm, said. Even those passwords traditionally considered strong — with eight characters and a combination of numbers, letters and symbols — are at risk.
It seems like every other week a major company reports its site was hacked in some way. A year ago online shoe store Zappos.com was hacked, exposing the names, email addresses, phone numbers and partial credit card numbers of 24 million customers, the company said. In June, professional networking site LinkedIn confirmed that a major security breach had compromised users’ passwords. About 400,000 Yahoo email addresses and passwords were hacked last July. (Yahoo! Finance is owned by Yahoo!.) And in 2011, 77 million passwords were stolen from Sony’s PlayStation Network. And that's just to name a few of the biggies.
Eight isn’t enough
Most of us have been told that a strong eight-character password — with a number or two and a random symbol — is sufficiently secure for even relatively high-value financial transactions. Such a password chosen from all 94 characters available on a standard keyboard is one of 6.1 quadrillion possible combinations. It would take about a year for a relatively fast 2011 desktop computer to try every variation, Deloitte says.
And the longer our passwords are, and the more @, * and % symbols they contain, the harder they are to remember. So we end up using a very small subset of those possible combinations — which makes user-generated passwords susceptible to getting cracked.
“Most people put a capital letter at the beginning, and if you use a symbol, you probably use an exclamation mark,” says Richard Lee, national managing partner in Deloitte’s Technology, Media & Telecom group.
For anyone who has struggled to memorize the digits of Pi in geometry class, remembering a long and non-intuitive string of characters taxes the human brain’s capabilities. (Deloitte cites a study finding that, in the short term, humans struggle to remember more than seven numbers, and over a longer time frame, the average person can remember only five numbers. Adding symbols and letters makes committing these kinds of combinations to memory tougher.)
The bigger problem, however, is password re-use, says Lee. A study by credit-checking firm Experian last year found that the average user has 26 password-protected online accounts but uses only five different passwords.
So if you use the same password for your bank account online as you do for your PlayStation account, a security breach at the gaming site could expose the password that protects your bank account. Deloitte also notes advances in the hardware used to crack passwords, which have made sensitive information increasingly vulnerable. One of these is the so-called brute-force attack, which tries each of the 6.1 quadrillion combinations for an eight-character password until one works.
“A dedicated password-cracking machine employing readily available virtualization software and high-powered graphics processing units can crack any eight-character password in 5.5 hours,” the Deloitte report said. Such a machine cost about $30,000 in 2012, but these days "crowd-hacking" lets hackers share the task over thousands of slower machines.
Added layers of protection
Consumers are probably noticing that they must go through an extra layer or two of protection to access some of their valuable accounts. Many of these have been implemented in response to the increasing threat of hacks.
"Multi-layer authentication" is one popular solution. Instead of requiring only a name and password to gain access to an account, multiple identification factors are needed. For instance, you log onto your credit-card issuer’s site, type in your username and password, and another code or password is sent to your smartphone, which you then input online. It’s another layer of security “that will work, but it’s not terribly convenient,” Lee says.
Password vaults, or password safes, are another option for managing our multiple-account lifestyle. The tools (which usually carry monthly fees) provide you with a central place to store all your passwords, encrypted and protected by – you guessed it – a password or token (at least you’d only have to remember one password). While not totally hack-proof, password managers let you create secure passwords so they’re not easily cracked.
It’s hard to say if all these data breaches push consumers away from using the online gaming, banking, social networking and shopping sites they’ve grown accustomed to.
For instance, despite a rise in online fraud, particularly in the wake of malware that enabled criminals to steal more than $1 million in 2010 from British consumers and businesses, a survey found consumer confidence in online banking sites remained high.
“The utilization of online banking and e-commerce continues to increase, even though these incidents [of fraud and hacking] are publicized,” says Peter Beardmore, senior director of product marketing at Kaspersky, an IT security firm.