You might want to tack on a few numbers to it. Global
consulting firm Deloitte released a report Tuesday with an alarming prediction.
More than 90% of user-generated passwords will be vulnerable to hacking, the
report, prepared by Deloitte’s Canadian Technology, Media &
Telecommunications arm, said. Even those passwords traditionally considered
strong — with eight characters and a combination of numbers, letters and
symbols — are at risk.
It seems like every other week a major company reports its
site was hacked in some way. A year ago online shoe store Zappos.com was
hacked, exposing the names, email addresses, phone numbers and partial credit
card numbers of 24 million customers, the company said. In June networking site
LinkedIn confirmed that a major security breach corresponding to LinkedIn
accounts compromised users’ passwords. About 400,000 Yahoo email addresses and
passwords were hacked last July. (Yahoo! Finance is owned by Yahoo!.) And in
2011, 77 million passwords were stolen from Sony’s PlayStation Network. And
that's just to name a few of the biggies.
Eight isn’t enough
Most of us have been told that a strong eight-character
password — with a number or two and a random symbol — is sufficiently secure
for even relatively high-value financial transactions. Such a password chosen
from all 94 characters available on a standard keyboard is one of 6.1
quadrillion possible combinations. It would take about a year for a relatively
fast 2011 desktop computer to try every variation, Deloitte says.
And the longer our passwords are, and the more @, * and % symbols they
contain, the harder they are to remember. So we end up using a very small
subset of those possible combinations — which makes user-generated passwords
susceptible to getting cracked.
“Most people put a capital letter at the beginning, and if
you use a symbol, you probably use an exclamation mark,” says Richard Lee,
national managing partner in Deloitte’s Technology, Media & Telecom
group.
Deloitte cites a recent study of 6 million user-generated
passwords; the 10,000 most common passwords would have accessed 98% of all
accounts.
For anyone who has struggled to memorize the digits of Pi in
geometry class, remembering a long and non-intuitive string of characters taxes
the human brain’s capabilities. (Deloitte cites a study finding that, in the
short term, humans struggle to remember more than seven numbers, and over a
longer time frame, the average person can remember only five numbers. Adding
symbols and letters makes committing these kinds of combinations to memory
tougher.)
The bigger problem, however, is password re-use, says Lee. A
study by credit-checking firm Experian last year found that the average user
has 26 password-protected online accounts but uses only five different
passwords.
So if you use the same password for your bank account online
as you do your PlayStation account, a security breach at the gaming site could
expose the password that protects your bank account. Deloitte notes advances in
the hardware used to crack passwords that have made sensitive information
increasingly vulnerable. One of these is the so-called brute-force attack,
which tries each of the 6.1 quadrillion combinations for an eight-character
password until one works.
“A dedicated password-cracking machine employing readily
available virtualization software and high-powered graphics processing units
can crack any eight-character password in 5.5 hours,” the Deloitte report said.
Such a machine cost about $30,000 in 2012, but these days "crowd-hacking"
lets hackers share the task over thousands of slower machines.
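As an added illustration (not from the Deloitte report or this article), the script below derives the guess rate implied by the report's own figures (6.1 quadrillion eight-character combinations exhausted in 5.5 hours) and projects the worst-case brute-force time and entropy for other lengths and character sets; the policy table and the charset sizes are assumptions made for the example.

```python
import math

# Figures stated in the article; the policy table further down is constructed for this example.
KEYSPACE_8_FULL = 94 ** 8          # ~6.1 quadrillion eight-character combinations
GPU_RIG_HOURS = 5.5                # Deloitte: dedicated GPU machine cracks any 8-char password
DESKTOP_HOURS = 365 * 24           # Deloitte: about a year on a fast 2011 desktop


def guess_rate(keyspace_size: int, hours: float) -> float:
    """Guesses per second implied by exhausting keyspace_size combinations in `hours`."""
    return keyspace_size / (hours * 3600)


def keyspace(charset_size: int, length: int) -> int:
    """Number of passwords of exactly `length` symbols drawn from `charset_size` choices."""
    return charset_size ** length


def hours_to_exhaust(charset_size: int, length: int, rate: float) -> float:
    """Worst-case hours for an attacker trying `rate` guesses per second."""
    return keyspace(charset_size, length) / rate / 3600


def entropy_bits(charset_size: int, length: int) -> float:
    """log2 of the keyspace, the usual yardstick for comparing password policies."""
    return length * math.log2(charset_size)


# Assumed policies: 26 = lowercase letters, 94 = printable keyboard characters (the article's figure).
POLICIES = {
    "8 chars, lowercase only": (26, 8),
    "8 chars, full keyboard": (94, 8),
    "12 chars, lowercase only": (26, 12),
    "12 chars, full keyboard": (94, 12),
}


def compare_policies(rate: float) -> dict:
    """Worst-case brute-force hours per policy at `rate` guesses per second."""
    return {name: hours_to_exhaust(c, n, rate) for name, (c, n) in POLICIES.items()}


def common_list_hours(list_size: int, rate: float) -> float:
    """Time to try the `list_size` most common passwords (article: 10,000 covered 98% of accounts)."""
    return list_size / rate / 3600


if __name__ == "__main__":
    gpu = guess_rate(KEYSPACE_8_FULL, GPU_RIG_HOURS)
    print(f"implied GPU rig rate: {gpu:.3g} guesses/s; 2011 desktop: {guess_rate(KEYSPACE_8_FULL, DESKTOP_HOURS):.3g}")
    for name, h in compare_policies(gpu).items():
        print(f"{name:26s} {h:12.3g} h  {entropy_bits(*POLICIES[name]):5.1f} bits")
    print(f"10,000 most common passwords: {common_list_hours(10_000, gpu) * 3600:.1e} s")
```

Run it and note that twelve lowercase letters already carry more entropy than eight characters from the full keyboard, which is the article's point that length matters more than sprinkled symbols.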
Added layers of protection
Consumers are probably noticing that they must go through an
extra layer or two of protection to access some of their valuable accounts.
Many of these have been implemented in response to the increasing threat of
hacks.
"Multi-layer authentication" is one popular
solution. Instead of requiring only a name and password to gain access to an
account, multiple identification factors would be needed. For instance, you log
onto your credit-card issuer’s site, type in your username and password, and
another code or password is sent to your smartphone, which you then input
online. It’s another layer of security “that will work, but it’s not terribly
convenient,” Lee says.
Password vaults, or password safes, are another option for
managing our multiple-account lifestyle. The tools (which usually carry monthly
fees) provide you with a central place to store all your passwords, encrypted
and protected by – you guessed it – a password or token (at least you’d only
have to remember one password). While not totally hack-proof, password managers
let you create secure passwords so they’re not easily cracked.
It’s hard to say if all these data breaches push consumers
away from using the online gaming, banking, social networking and shopping
sites they’ve grown accustomed to.
For instance, despite a rise in online fraud, particularly
in the wake of malware that enabled criminals to steal more than $1 million in
2010 from British consumers and businesses, a survey found consumer confidence
in online banking sites remained high.
“The utilization of online banking and e-commerce continues
to increase, even though these incidents [of fraud and hacking] are
publicized,” says Peter Beardmore, senior director of product marketing at
Kaspersky, an IT security firm.