More than 90 percent of user-generated passwords are vulnerable to hacking, a new study says.
Think you’ve got a clever, un-hackable password? You might want to tack on a few numbers to it. Global consulting firm Deloitte released a report Tuesday with an alarming prediction. More than 90% of user-generated passwords will be vulnerable to hacking, the report, prepared by Deloitte’s Canadian Technology, Media & Telecommunications arm, said. Even those passwords traditionally considered strong — with eight characters and a combination of numbers, letters and symbols — are at risk.
It seems like every other week a major company reports its site was hacked in some way. A year ago online shoe store was hacked, exposing the names, email addresses, phone numbers and partial credit card numbers of 24 million customers, the company said. In June networking site LinkedIn confirmed that a major security breach corresponding to LinkedIn accounts compromised users’ passwords. About 400,000 Yahoo email addresses and passwords were hacked last July. And in 2011, 77 million passwords were stolen from Sony’s PlayStation Network. And that’s just to name a few of the biggies.
Eight isn’t enough
Most of us have been told that a strong eight-character password — with a number or two and a random symbol — is sufficiently secure for even relatively high-value financial transactions. Such a password chosen from all 94 characters available on a standard keyboard is one of 6.1 quadrillion possible combinations. It would take about a year for a relatively fast 2011 desktop computer to try every variation, Deloitte says.
And because the longer and more @, * and % symbols are in our passwords, the harder they are to remember. So we end up using a very small subset of those possible combinations — which makes user-generated passwords susceptible to getting cracked.
“Most people put a capital letter at the beginning, and if you use a symbol, you probably use an exclamation mark,” says Richard Lee, national managing partner in Deloitte’s Technology, Media & Telecom group.
Deloitte cites a recent study of 6 million user-generated passwords; the 10,000 most common passwords would have accessed 98% of all accounts. [Related: Cracking Your PIN Code: Easy as 1-2-3-4]
For anyone who has struggled to memorize the digits of Pi in geometry class, remembering a long and non-intuitive string of characters taxes the human brain’s capabilities. (Deloitte cites a study finding that, in the short term, humans struggle to remember more than seven numbers, and over a longer time frame, the average person can remember only five numbers. Adding symbols and letters makes committing these kinds of combinations to memory tougher.)
The bigger problem, however, is password re-use, says Lee. A study by credit-checking firm Experian last year found that the average user has 26 password-protected online accounts but uses only five different passwords.
So if you use the same password for your bank account online as you do your PlayStation account, a security breach at the gaming site could expose the password that protects your bank account. Deloitte notes advances in the hardware used to crack passwords that have made sensitive information increasingly vulnerable. One of these includes so-called brute-force attacks, which applies each of the 6.1 quadrillion combinations for an eight-character password until one works.
“A dedicated password-cracking machine employing readily available virtualization software and high-powered graphics processing units can crack any eight-character password in 5.5 hours,” the Deloitte report said. Such a machine costs about $30,000 in 2012, but these days “crowd-hacking” lets hackers share the task over thousands of slower machines.