Computer users will have a hard time keeping passwords private this year. At least, that's the view of Big Four auditing firm Deloitte. The findings of Deloitte's TMT Predictions 2013 report reveal rampant re-use of passwords, which puts computer users at risk when these passwords are leaked and bruteforced with modern technologies.
“If you take a site with over six million users and you take ten thousand password combinations […] you will be able to access 98.1 percent of the accounts on that site,” said Jolyon Barker, Global Managing Director at Deloitte, in a video presentation of the TMT Predictions 2013. “If you are looking at cracking applications today, what it took one year to analyze and break down for hackers can now be done in a matter of hours.”
That sounds worrying enough for a user to consider choosing a better password, but there is more to cracking passwords than the report says. It may be true that bruteforcing hashed passwords now takes a fraction of the time it took a couple of years ago, but the way passwords are hashed has also undergone major improvements over the same period.
Unless they're the Romanian Top Level Domain Registrar (which keeps passwords in plain text in Anno Domini 2013), web services with 6 million users have already learned the lesson from the Last.fm and LinkedIn incidents and are storing salted passwords, which dramatically reduces the effectiveness of bruteforcing, regardless of how powerful the cracking hardware is. I – for one – would be more concerned about other personal data that leaks along with the password.
Of course, it would be wise to heed the general idea of the report: don't re-use your password on different accounts and make your password complex enough to withstand bruteforcing. The rest – take it with a grain of “salt”.
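To make the salting argument above concrete, this added example (not from the original article or the Deloitte report) counts how many hash computations a fixed guess list costs against an unsalted table versus a per-account salted one. The function names, the SHA-1 stand-in for a fast unsalted hash, the PBKDF2 iteration count, the accounts and the guess list are all assumptions constructed for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example

def unsalted(password: str) -> str:
    # Legacy storage: one fast hash, so equal passwords give equal records.
    return hashlib.sha1(password.encode()).hexdigest()

def salted(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    # Per-account random salt plus a deliberately slow derivation.
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(salted(password, salt)[1], digest)

def guess_cost_unsalted(table: dict[str, str], wordlist: list[str]) -> tuple[int, int]:
    # Each guess is hashed once and checked against every account at once.
    lookup = {unsalted(word) for word in wordlist}
    hits = sum(1 for record in table.values() if record in lookup)
    return len(wordlist), hits

def guess_cost_salted(table: dict[str, tuple[bytes, bytes]], wordlist: list[str]) -> tuple[int, int]:
    # Each guess has to be re-derived under every account's own salt.
    work = hits = 0
    for salt, digest in table.values():
        for word in wordlist:
            work += 1
            if verify(word, salt, digest):
                hits += 1
                break
    return work, hits

# Constructed sample data: two accounts re-use the same weak password.
USERS = {"alice": "123456", "bob": "123456", "carol": "letmein", "dave": "c0rrect-h0rse-9!"}
WORDLIST = ["123456", "password", "letmein"]

if __name__ == "__main__":
    old = {user: unsalted(pw) for user, pw in USERS.items()}
    new = {user: salted(pw) for user, pw in USERS.items()}
    print("alice/bob records equal (unsalted, salted):", old["alice"] == old["bob"], new["alice"] == new["bob"])
    print("unsalted (hashes computed, accounts matched):", guess_cost_unsalted(old, WORDLIST))
    print("salted   (hashes computed, accounts matched):", guess_cost_salted(new, WORDLIST))
```

The weak passwords are matched in both tables; salting multiplies the work by the number of accounts and hides re-use between them, which is why unique, complex passwords still matter.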