The time an end-user spends devising a password this year will be longer than the life expectancy of that password, according to Deloitte Canada.
The research organization said Monday that 90% of user-generated passwords would be relevant for mere seconds under pressure from hackers. Those passwords include so-called strong passwords, which are typically eight characters or more.
Deloitte attributed the vulnerabilities to many of the same issues that have plagued passwords over the years - including re-use of passwords on multiple accounts and obvious passwords patterns. For years, "password" and "123456" have been two of the top passwords favored by end-users.
In addition, hacking tools are getting more powerful using both hardware and software techniques to crack credentials. Also, "crowd-hacking" techniques that marry thousands of machines and being used to brute-force passwords.
Deloitte touched on some of the same issues that Forrester analyst Eve Maler called out last week in her report on passwords, the fact that end-users, unfairly, bear the burden of onerous password creation rules.
Maler argued that passwords are not going away and that companies need to come up with better strategies for managing passwords and password policies.
Deloitte offered its own solutions, including multi-factor authentication that incorporates tokens, biometrics, and out-of-band authentication such as messages sent to a mobile phone. Deloitte also recommended best practices such as security policies and monitoring as ways to protect passwords.
The Deloitte predictions follow a trend that has hackers aiming for authentication credentials. Last year, from hacks on companies from Apple to Zappos, hackers stole millions of end-user credentials, using them to hack not only accounts on the compromised site but reusing those passwords on other sites.
Last year, Best Buy reported that hackers had comprised user accounts on its network using credentials that had been stolen more than a year ago from various other sites.