4 reasons why the password must die in 2013 (or shortly after)

In Deloitte’s TMT Predictions 2013, there’s an interesting chapter on passwords. The company predicts that in 2013, more than 90 percent of user-generated passwords, “even those considered strong by IT departments”, will be vulnerable to hacking. There are many reasons why this is, but the common theme is this: humans and passwords are incompatible.

1. Our random passwords aren’t random

Humans can’t hold more than 7 numbers in short-term memory. Over a longer period, the average person can remember only 5 numbers. So what do we do? We cheat, and we use only a limited number of the 32 keys on the keyboard (interestingly, because we have trouble telling them apart).

So random passwords aren’t random at all: according to recent research, out of 6 million user-generated passwords, the 10,000 most common ones (that’s 0.16 percent) would have given access to 98.1 percent of all accounts.
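As an added illustration of that clustering (not code from the Deloitte report or the original post), the Python below measures how many accounts the k most common passwords in a sample would unlock, and shows the defender’s side: rejecting a new password when it matches a common-password blocklist after the usual disguises (capitalisation, a trailing digit, leet-speak substitutions) are normalised away. The sample passwords and the substitution table are constructed for the example.

```python
from collections import Counter

# Constructed sample of user-chosen passwords (not real breach data); the
# heavy skew toward a handful of favourites mirrors what the article describes.
SAMPLE_PASSWORDS = (
    ["123456"] * 40 + ["password"] * 25 + ["qwerty"] * 15 + ["letmein"] * 8
    + ["Password1"] * 6 + ["iloveyou"] * 3
    + ["Tr0ub4dor&3", "correct horse battery", "xK9#mQ2!pL"]
)

# Constructed leet-speak mapping used by the normaliser (assumption, not a standard).
LEET = str.maketrans("0134@$", "oleaas")


def top_k_coverage(passwords, k):
    """Fraction of accounts the k most common passwords would unlock."""
    counts = Counter(passwords)
    covered = sum(n for _, n in counts.most_common(k))
    return covered / len(passwords)


def normalize(password):
    """Canonical form so trivial variants of a common password still match."""
    p = password.lower()
    if p.isdigit():                      # all-digit PINs like 123456 compare as-is
        return p
    p = p.rstrip("0123456789!.") or p    # drop the trailing "1" or "!" users append
    return p.translate(LEET)             # P@ssw0rd -> password


def build_blocklist(passwords, k):
    """Normalised set of the k most common passwords in a corpus."""
    return {normalize(p) for p, _ in Counter(passwords).most_common(k)}


def is_blocked(candidate, blocklist):
    """True when the candidate is a disguised variant of a blocklisted password."""
    return normalize(candidate) in blocklist


if __name__ == "__main__":
    for k in (1, 3, 6):
        print(f"top {k} passwords cover {top_k_coverage(SAMPLE_PASSWORDS, k):.0%} of accounts")
    blocklist = build_blocklist(SAMPLE_PASSWORDS, 3)
    for cand in ("P@ssw0rd1", "Qwerty!", "correct horse battery"):
        print(f"{cand!r}: {'rejected' if is_blocked(cand, blocklist) else 'accepted'}")
```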

2. Although everybody knows you shouldn’t reuse passwords, we all do

The average user has 26 password-protected accounts – and anybody who routinely uses cloud services probably has easily double that number. For those 26 accounts, users on average have 5 passwords:

Because of password re-use, a security breach on a less-secure gaming or social networking site can expose the password that protects a bank account. This is exactly what happened in a series of breaches in 2011 and 2012, and there are now websites where tens of millions of actual passwords can be accessed (Deloitte)

3. Passwords have become easier to crack thanks to crowdhacking

The best password cracking machines can crack any eight-character password in 5.5 hours. And while those machines are too expensive for the average hacker, software to crowdhack passwords means that hackers can simply team up in huge numbers, combining hundreds of slower machines to crack passwords much faster.

4. The shift to mobile will make passwords even weaker

Because the “special” keys on smartphones are so hard to reach, it’s easier to just use the characters you can reach easily. On a PC, typing in a strong 10-character password takes about 4 to 5 seconds. On a smartphone with a keyboard, it can take up to 10 seconds. On a smartphone with just a touchscreen, that shoots up to 30 seconds.

About 25 percent of users admit that they choose weaker passwords because of this. And because we’re all moving to mobile, that means that on average, our passwords will become weaker.

What’s the solution?

The authors of the report think that we’ll move to multi-factor authentication soon. Meaning: instead of just a password, you will also have to type in information that you received via an SMS, or provide some biometric information. The idea is that hackers might get hold of your password, but it’s a lot more difficult to obtain your password AND your phone AND your fingerprint.

What’s the solution for passwords? Have you seen anything interesting in that field? Let us know!

Via Deloitte, Photo: sh4rp_i, Flickr

About the author

Raf Weverbergh

Editor of whiteboard. Raf Weverbergh was a magazine journalist whose work appeared in magazines like Rolling Stone, Playboy, Mail on Sunday, Publico and South China Morning Post. He is the co-founder of FINN, a corporate communications agency where he advises startups and multinationals on their PR, and of Mustr, the easiest media database for PR professionals. You can contact him on Twitter, LinkedIn or Skype (rafweverbergh).