Password life expectancy down to seconds

Summary: End-user generated passwords continue to have little defense against hackers, according to Deloitte Canada.

TOPICS: Security, Networking

The time an end-user spends devising a password this year will be longer than the life expectancy of that password, according to Deloitte Canada.

The research organization said Monday that 90% of user-generated passwords would be relevant for mere seconds under pressure from hackers. Those passwords include so-called strong passwords, which are typically eight characters or more.

Deloitte attributed the vulnerabilities to many of the same issues that have plagued passwords over the years, including re-use of passwords across multiple accounts and obvious password patterns. For years, "password" and "123456" have been two of the top passwords favored by end-users.

In addition, hacking tools are getting more powerful, using both hardware and software techniques to crack credentials. "Crowd-hacking" techniques that marry thousands of machines are also being used to brute-force passwords.

Deloitte touched on some of the same issues that Forrester analyst Eve Maler called out last week in her report on passwords, namely that end-users unfairly bear the burden of onerous password creation rules.

Maler argued that passwords are not going away and that companies need to come up with better strategies for managing passwords and password policies.

Deloitte offered its own solutions, including multi-factor authentication that incorporates tokens, biometrics, and out-of-band authentication such as messages sent to a mobile phone. Deloitte also recommended best practices such as security policies and monitoring as ways to protect passwords.

The Deloitte predictions follow a trend that has hackers aiming for authentication credentials. Last year, from hacks on companies from Apple to Zappos, hackers stole millions of end-user credentials, using them to hack not only accounts on the compromised site but reusing those passwords on other sites.

Last year, Best Buy reported that hackers had compromised user accounts on its network using credentials that had been stolen more than a year earlier from various other sites.

John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

  • Here's a radical thought

    encourage the use of passphrases instead. Apocalypse Smashing Red River Rocks of Doom is a very easy passphrase to remember (no, I don't use this for anything), but it is incredibly secure.
    • Ditto, On your comment

      Many choose the easy password that is required by their bank, email, social site, or...
      If it works for all, they use it for all.

      Unless there is a money/ID loss, the weak password moves on...
      • If only I could

        My bank won't allow passwords greater than 8 characters, and only supports alpha-numeric characters. Stupid!
        • Wow!

          Time for a new bank...

          So is the message 'bad guys who can use social sites to glean information about you MIGHT be able to break your pwd'? Or are you really telling me that they can brute force 'tiger83Niner' in seconds? And are systems allowing more than 3 attempts before locking out a user?

          The cynic in me thinks the IT Security industry is trying to drum up business. Don't get me wrong: I'm for security - but let's not use 'the sky is falling' to line someone's pockets. Strong passwords, strong password, REALLY strong passwords...
          beau parisi
    • passphrase worse than y2k

      You know it just occurred to me that this limitation built into most systems where they can't use pass phrases is a much bigger problem and has caused a lot more trouble than the old Year 2000 (Y2K) hullabaloo.

      I wonder if aging Cobol programmers will have to save the day for this as well.
  • 1password

    buy it
    use it
  • Shoddy reporting at its finest.

    "Those passwords include so-called strong passwords, which are typically eight characters or more."

    Umm, no. Eight characters haven't been considered secure for a long time.

    Only a fool currently thinks that the current definition of a strong password is "eight characters or more."

    In addition, Deloitte Canada didn't actually say "eight characters or more" - you invented that.

    And oh, yeah, why no links to Deloitte Canada? They're the focus of the article, but nothing links to their site?

    Maybe it's because all you'll find is a short snippet of a presentation. No facts, no evidence, just a PowerPoint slide with a vague claim that could be construed as true even if the current state of passwords remains with the current status quo.

    Shoddy reporting at its finest.

    A good description of a large portion of their "predictions" is "so vague, they could always be spun as true."

    Although they did predict the rise of NFC in 2012 - something that has yet to gain traction, thanks to Apple not putting it in the iPhone 5.

    They also predicted for 2012 some fantastical short-range communications method that would "bypass the internet" somehow, and everything would be essentially short range peer-to-peer. Other than the new M2M ramblings on ZDNet, I haven't heard the faintest of such technologies (and it looks like they weren't predicting M2M anyways, they were still talking things with UIs meant for human use).

    They also predicted bandwidth caps for landlines in 2012. I'm very thankful that prediction has yet to come true.

    That's probably because ISPs constantly throttle and shape data, which makes capping data completely unnecessary. Wireless carriers have yet to learn this trick.

    Anyhoo, I've really got no reason to take the prediction seriously, other than to point out that it's probably already the case, and that's due to people being lazy and making poor passwords, not due to some inherent security flaw or failing of current technology.
    • Added link...

      ...Deloitte Canada.
      • Password management issue is real

        Despite the less than favorable reviews by CobraA1 and others, I believe your article is basically correct about this issue, but the question is: Will anything ever change? Not until the IT industry comes up with a suitable alternative to PW management (with user-friendly interface), and that doesn't appear to be coming anytime soon. Other than the issue of forgetting passwords and resets, most users are blissfully unaware of the perils they face in this arena.
        Michael Foxworth
        • or better password policies

          "Not until the IT industry comes up with a suitable alternative to PW management "

          Or better password policies that don't allow the overly obvious things like "123456," which is why this is an issue to begin with. Heck, "123456" shouldn't make it past anything considering how incredibly short it is. What it really shows is how we're still dealing with lax password policies.

          If we can't even get businesses to use sensible password policies - I seriously doubt we can convince them to change to any sort of "suitable alternative to PW management."
  • I don't believe a password can be hacked in seconds

    Come on, when I accidentally mistype my complex password, it takes a couple of seconds for the bank (or whatever) to come back and say "no." To run thousands and wait seconds for each one, my math says that starting with 1 or a and trying all combinations would take a supercomputer centuries to find.
    (Could even be done just as fast on an iPad)
    (example: ralph0x2oo843Wj)
    What am I missing? The note about some sites only allowing 3 tries makes cracking anything even more remote.
  • Good password + good site management = security.

    First, sites need to allow passwords that are complex but that the user can remember. When a site requires me to include at least two lower-case letters, at least two upper-case letters, at least two digits and at least two punctuation marks, I cannot create a password that I can remember, and so I have to write it down, which is not secure.

    Then users have to create passwords that are not obvious. Your dog's name is obvious. A simple phrase might not be.

    Finally, sites need to impose a delay between tries and a small maximum number of tries. No brute-force hacking algorithm will succeed if the site locks the account after five unsuccessful tries.

    OTOH, when sites themselves are insecure so that hackers can steal passwords, then no password policy will make users safe.

    As for using smartphones for authentication, not everyone has a smartphone. I have no need for a smartphone. I have a stupidphone. All it does is make phone calls, and it does this wonderfully well. I do not have texting, since the only texts I ever got were spam advertising, so I have texting blocked.

    Passwords, properly managed, are fine. Only stupid people have inadequate passwords, and stupid people will be unable to properly use any system for security.
  • Your analysis is just wrong.

    Most websites will lock you out after a few failed attempts so that removes the possibility of brute force attacks. Most people have their passwords hacked through phishing and viruses.

    The best thing to do is use different passwords for different sites. You might have to keep 5 different passwords using this method, but this has a modular defense. For example, if your forum account on zdnet gets hacked, your e-mail and your bank accounts don't also get hacked.
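The disagreement in the comments above (cracked "in seconds" versus "centuries", and whether a lockout settles it) comes down to two very different attacker positions: guessing against a live login, which is throttled and lockout-limited, versus cracking a leaked hash list offline. The model below is an added example and is not from the article, Deloitte or any commenter; its guess rates, dictionary size and common-password list are constructed assumptions, and its exhaustive-search bound is a ceiling rather than a measured cracking time.

```python
"""Online vs. offline guessing budget for a password (added example, constructed numbers)."""
import string

# Constructed assumptions, not measurements:
ONLINE_RATE = 0.5         # guesses/s against a live login that takes ~2 s to answer
OFFLINE_RATE = 1e10       # guesses/s against a leaked list protected by a fast, unsalted hash
WORDLIST_SIZE = 50_000    # dictionary an attacker would draw passphrase words from
SECONDS_PER_YEAR = 365 * 24 * 3600
# Tiny stand-in for a "most common passwords" list; the rank is the guesses needed.
COMMON = ["123456", "password", "12345678", "qwerty", "abc123"]


def alphabet_size(password: str) -> int:
    """Size of the union of standard character classes present in the password."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    return sum(len(c) for c in classes if any(ch in c for ch in password))


def guesses_needed(password: str) -> float:
    """Guesses to reach the password: its rank if it is on the common list,
    otherwise the size of an exhaustive search over its length and classes."""
    if password in COMMON:
        return float(COMMON.index(password) + 1)
    return float(alphabet_size(password) ** len(password))


def passphrase_guesses(word_count: int, dictionary: int = WORDLIST_SIZE) -> float:
    """Exhaustive search over word_count dictionary words, attacker knowing the scheme."""
    return float(dictionary ** word_count)


def online_years(guesses: float, rate: float = ONLINE_RATE) -> float:
    """Years to exhaust the space against a throttled login (no lockout)."""
    return guesses / rate / SECONDS_PER_YEAR


def offline_seconds(guesses: float, rate: float = OFFLINE_RATE) -> float:
    """Seconds to exhaust the space against a leaked fast hash."""
    return guesses / rate


def online_budget_with_lockout(max_tries: int) -> int:
    """With a hard lockout, an online attacker's whole budget per account is max_tries."""
    return max_tries


if __name__ == "__main__":
    for pw in ["123456", "abcdefgh", "tiger83Niner"]:
        g = guesses_needed(pw)
        print(f"{pw:14} guesses={g:.3g} online={online_years(g):.3g} yr "
              f"offline={offline_seconds(g):.3g} s")
    print(f"7-word passphrase guesses={passphrase_guesses(7):.3g}")
```

The eight-lowercase-letter case is the one that reconciles the two views: around twenty seconds offline against a fast hash, but thousands of years online even without a lockout, and exactly five guesses with one.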