Deloitte predicts that in 2013 more than 90 percent of user-generated passwords, even those considered strong by IT departments, will be vulnerable to hacking. […]

How do passwords get hacked? The problem is not that a hacker discovers a username, goes to a login page and attempts to guess the password. That wouldn’t work: most web sites freeze an account after a limited number of unsuccessful attempts, not nearly enough to guess even the weakest password.

Most organizations keep usernames and passwords in a master file. That file is hashed: a piece of software encrypts both the username and password together. […] However, master files are often stolen or leaked. A hashed file is not immediately useful to a hacker, but various kinds of software and hardware can decrypt the master file and at least some of the usernames and passwords. Decrypted files are then sold, shared or exploited by hackers. […]

An eight-character password chosen from all 94 characters available on a standard keyboard is one of 6.1 quadrillion (6,095,689,385,410,816) possible combinations. It would take about a year for a relatively fast 2011 desktop computer to try every variation. Even gaining access to a credit card would not be worth the computing time.

However, a number of factors, related to human behavior and changes in technology, have combined to render the “strong” password vulnerable.

First, humans struggle to remember more than seven numbers in our short-term memory. Over a longer time span, the average person can remember only five. Adding letters, cases, and odd symbols to the mix makes remembering multiple characters even more challenging.

As a result, people use a variety of tricks to make recalling passwords easier. For example, users often create passwords that reference words and names in our language and experience. […] Although a keyboard has 32 different symbols, humans generally only use half-a-dozen in passwords because they have trouble distinguishing between many of them. These tricks and tendencies combine to make passwords less random, and therefore weaker. […]

But non-random passwords aren’t even the biggest problem. The bigger problem is password re-use. The average user has 26 password-protected accounts, but only five different passwords across those accounts. Because of password re-use, a security breach on a less-secure gaming or social networking site can expose the password that protects a bank account. […]

Longer passwords could make systems more secure. Adding just one or two characters make brute-force attacks almost a thousand times slower. A ten-character password has 8,836 more possible combinations than an eight-character password, and the same password-cracking machine cited above would take more than 5 years to crack it. Truly random passwords would also decrease the threat from hackers.

{ Deloitte | Continue reading }

spy & security | February 8th, 2013