Password life expectancy down to seconds

Summary: End-user generated passwords continue to have little defense against hackers, according to Deloitte Canada.

The time an end-user spends devising a password this year will be longer than the life expectancy of that password, according to Deloitte Canada.

The research organization said Monday that 90% of user-generated passwords would be relevant for mere seconds under pressure from hackers. Those passwords include so-called strong passwords, which are typically eight characters or more.

Deloitte attributed the vulnerabilities to many of the same issues that have plagued passwords over the years, including re-use of passwords across multiple accounts and obvious password patterns. For years, "password" and "123456" have been two of the top passwords favored by end-users.

In addition, hacking tools are getting more powerful, using both hardware and software techniques to crack credentials. "Crowd-hacking" techniques that marry thousands of machines are also being used to brute-force passwords.

Deloitte touched on some of the same issues that Forrester analyst Eve Maler called out last week in her report on passwords, in particular that end-users unfairly bear the burden of onerous password creation rules.

Maler argued that passwords are not going away and that companies need to come up with better strategies for managing passwords and password policies.

Deloitte offered its own solutions, including multi-factor authentication that incorporates tokens, biometrics, and out-of-band authentication such as messages sent to a mobile phone. Deloitte also recommended best practices such as security policies and monitoring as ways to protect passwords.

The Deloitte predictions follow a trend that has hackers aiming for authentication credentials. Last year, from hacks on companies from Apple to Zappos, hackers stole millions of end-user credentials, using them to hack not only accounts on the compromised site but reusing those passwords on other sites.

Last year, Best Buy reported that hackers had compromised user accounts on its network using credentials that had been stolen more than a year earlier from various other sites.



John Fontana is a journalist focusing on access control, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he writes and edits a blog, as well as directs several social media channels and represents Yubico at the FIDO Alliance. Prior to Yubico, John spent five y...
