4 reasons why the password must die in 2013 (or shortly after)
In Deloitte’s TMT Predictions 2013 there’s an interesting chapter on passwords. The company predicts that in 2013 more than 90 percent of user-generated passwords, “even those considered strong by IT departments”, will be vulnerable to hacking. There are many reasons for this, but the common theme is this: humans and passwords are incompatible.
1. Our random passwords aren’t random
Humans can hold only about 7 digits in short-term memory, and over a longer period the average person reliably remembers only 5. So what do we do? We cheat: we draw our passwords from a small subset of the keyboard and use only a few of its 32 special keys (interestingly, partly because we have trouble telling those characters apart).
So our “random” passwords aren’t random at all: according to recent research on 6 million user-generated passwords, the 10,000 most common of them (that’s 0.16 percent) would have given access to 98.1 percent of all accounts.
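The skew described above is easy to measure yourself on any password list, and the same frequency table doubles as a blocklist for a sign-up form: if the top 10,000 passwords open 98 percent of accounts, simply refusing those 10,000 removes most of the cheap guesses. The script below is an added example (not code from Deloitte or from this post): the password corpus and its frequencies are constructed, and the leet-substitution table in `normalize` is an assumed, deliberately small one.

```python
import re
from collections import Counter

# Constructed sample "leak" standing in for a real password dump. The
# frequencies are invented; only the skew mirrors what the report describes.
SAMPLE_PASSWORDS = (
    ["123456"] * 40
    + ["password"] * 25
    + ["qwerty"] * 15
    + ["letmein"] * 8
    + ["iloveyou"] * 6
    + ["Tr0ub4dor&3", "correcthorse", "Xq!9vLm2", "zebra-42-kite", "p@ssw0rd!", "hunter2"]
)

# Assumed subset of common "leet" substitutions, undone before the blocklist lookup
# so that "P@ssw0rd!" is recognised as "password".
_LEET = str.maketrans("0@$134", "oasiea")


def top_n_coverage(passwords, n):
    """Return (share of distinct passwords in the top n, share of accounts they open)."""
    counts = Counter(passwords)
    top = counts.most_common(n)
    accounts_opened = sum(c for _, c in top)
    return len(top) / len(counts), accounts_opened / len(passwords)


def build_blocklist(passwords, n):
    """The n most frequent passwords, lowercased, for use as a sign-up blocklist."""
    return frozenset(pw.lower() for pw, _ in Counter(passwords).most_common(n))


def normalize(password):
    """Lowercase, undo the leet substitutions and drop trailing digits/symbols."""
    folded = password.lower().translate(_LEET)
    return re.sub(r"[^a-z]+$", "", folded)


def is_common(password, blocklist):
    """True if the password, either raw or normalized, is on the blocklist."""
    return password.lower() in blocklist or normalize(password) in blocklist


if __name__ == "__main__":
    distinct_share, account_share = top_n_coverage(SAMPLE_PASSWORDS, 5)
    print(f"top 5 = {distinct_share:.1%} of distinct passwords, opens {account_share:.1%} of accounts")
    blocklist = build_blocklist(SAMPLE_PASSWORDS, 5)
    for candidate in ("P@ssw0rd!", "123456", "Xq!9vLm2"):
        verdict = "rejected" if is_common(candidate, blocklist) else "accepted"
        print(f"{candidate:12} {verdict}")
```

On the constructed corpus the top 5 passwords are 45 percent of the distinct values but open 94 percent of the accounts; on a real 6-million-entry dump the numbers are the ones quoted above. Note that the raw lowercase lookup is kept alongside the normalized one: `normalize` turns digit-only strings such as "123456" into letters, so on its own it would miss the single most common password.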
2. Although everybody knows you shouldn’t reuse passwords, we all do
The average user has 26 password-protected accounts, and anybody who routinely uses cloud services can easily have double that. For those 26 accounts, users have on average only 5 distinct passwords.
Because of password reuse, a breach of a less secure gaming or social networking site can expose the password that also protects a bank account. This is exactly what happened in a series of breaches in 2011 and 2012, and there are now websites where tens of millions of actual passwords can be accessed (Deloitte).
3. Passwords have become easier to crack thanks to crowdhacking
The best password-cracking machines can exhaust every eight-character password in 5.5 hours. And while such machines are too expensive for the average hacker, crowdhacking software means hackers can simply team up in huge numbers and combine hundreds of slower machines to crack passwords far faster.
4. The shift to mobile will make passwords even weaker
Because the “special” keys on smartphones are so hard to reach, it’s easier to use only the characters that are immediately accessible. On a PC, typing a strong 10-character password takes about 4 to 5 seconds. On a smartphone with a physical keyboard, it can take up to 10 seconds. On a touchscreen-only smartphone, that shoots up to 30 seconds.
About 25 percent of users admit that they choose weaker passwords because of this. And since we’re all moving to mobile, on average our passwords will become weaker.
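Points 3 and 4 are two sides of the same arithmetic: the time to try every password is the keyspace divided by the guess rate, so adding machines (crowdhacking) and dropping the hard-to-reach special characters (mobile) both eat into the same budget. The calculator below is an added example, not from the report or this post. It takes the 5.5-hour figure quoted above and the 95 printable ASCII characters as given, derives the guess rate that figure implies, and then reuses that rate for other alphabets, lengths and crowd sizes. The 62-character “letters and digits only” alphabet for touchscreen users is an assumption, and the whole thing models an exhaustive brute force; real cracking uses dictionaries and rules, so human-chosen passwords fall far sooner than these worst-case numbers.

```python
import math

PRINTABLE_ASCII = 95      # letters, digits, space and the 32 special characters
LETTERS_AND_DIGITS = 62   # assumed "easy to reach" set on a touchscreen: a-z, A-Z, 0-9


def keyspace(alphabet_size, length):
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Bits of entropy if every character were chosen uniformly (the best case)."""
    return length * math.log2(alphabet_size)


def implied_guess_rate(alphabet_size, length, hours):
    """Guesses per second needed to exhaust the keyspace in `hours`."""
    return keyspace(alphabet_size, length) / (hours * 3600)


def hours_to_exhaust(alphabet_size, length, guesses_per_second, machines=1):
    """Worst-case hours to try every password with `machines` machines in parallel."""
    return keyspace(alphabet_size, length) / (guesses_per_second * machines) / 3600


if __name__ == "__main__":
    # Rate implied by "any eight-character password in 5.5 hours" (from the page).
    rate = implied_guess_rate(PRINTABLE_ASCII, 8, 5.5)
    print(f"implied rate: {rate:.2e} guesses/s, {entropy_bits(PRINTABLE_ASCII, 8):.1f} bits\n")

    scenarios = [
        ("8 chars, full keyboard, 1 fast machine", PRINTABLE_ASCII, 8, rate, 1),
        ("8 chars, full keyboard, 100 machines at 1% speed", PRINTABLE_ASCII, 8, rate / 100, 100),
        ("8 chars, letters+digits only (mobile)", LETTERS_AND_DIGITS, 8, rate, 1),
        ("10 chars, letters+digits only (mobile)", LETTERS_AND_DIGITS, 10, rate, 1),
        ("10 chars, full keyboard", PRINTABLE_ASCII, 10, rate, 1),
    ]
    for label, alphabet, length, r, machines in scenarios:
        hours = hours_to_exhaust(alphabet, length, r, machines)
        print(f"{label:50} {hours:12.2f} h  ({entropy_bits(alphabet, length):.1f} bits)")
```

Two things fall out of running it. A hundred machines each running at one percent of the fast rig’s speed match it exactly, which is the crowdhacking point. And dropping the 32 special characters from an 8-character password cuts the worst case from 5.5 hours to about 11 minutes, while adding two characters to the reduced alphabet still costs the attacker more than the full keyboard ever did at 8 characters; length buys more than symbols do.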
What’s the solution?
The authors of the report think we’ll move to multi-factor authentication soon. Meaning: in addition to a password (something you know), you will also have to enter a code received via SMS (something you have) or present a biometric such as a fingerprint (something you are). The idea is that hackers might get hold of your password, but it’s a lot harder to obtain your password AND your phone AND your fingerprint.
What’s the solution for passwords? Have you seen anything interesting in that field? Let us know!
Via Deloitte, Photo: sh4rp_i, Flickr