Password Security in Immediate Danger, Deloitte Claims

Distributed password-cracking algorithm

Computer users will have a hard time keeping passwords private this year. At least, that’s the view of Big Four auditing firm Deloitte. The findings of Deloitte’s TMT Predictions 2013 report reveal rampant re-use of passwords, which puts users at risk once those passwords are leaked and brute-forced with modern cracking technology.

“If you take a site with over six million users and you take ten thousand password combinations […] you will be able to access 98.1 percent of the accounts on that site,” said Jolyon Barker, Global Managing Director at Deloitte in a video presentation of the TMT Predictions 2013. “If you are looking at cracking applications today, what it took one year to analyze and break down for hackers can now be done in a matter of hours.”

That sounds worrying enough to make a user consider choosing a better password, but there is more to cracking passwords than the report says. It may be true that brute-forcing hashed passwords now takes a fraction of the time it took a couple of years ago, but the way passwords are hashed has also improved considerably over the same period.

Unless they’re the Romanian Top Level Domain Registrar (which still keeps passwords in plain text in Anno Domini 2013), web services with six million users have already learned the lesson from the Last.fm and LinkedIn incidents and are storing salted password hashes, which dramatically reduces the effectiveness of brute-forcing a leaked database, regardless of how powerful the cracking hardware is. I – for one – would be more concerned about other personal data that leaks along with the password.
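To make the point about salting concrete, here is an added illustration that is not part of the article or of Deloitte’s report. It stores a few constructed accounts two ways: with a single unsalted SHA-1 (the legacy scheme the LinkedIn leak exposed) and with a per-user random salt fed into PBKDF2-HMAC-SHA256, then counts how many hash operations a dictionary pass needs in each case. The account names, passwords, wordlist and iteration count are all constructed for the demonstration. The caveat a practitioner should keep in mind: the salt is what stops one dictionary pass from being amortised over every account and defeats precomputed tables, but it does nothing to slow a guess against a single account; that is the job of the iterated (slow) hash, which the salted scheme below also uses.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample accounts. Two users sharing a weak password is deliberate:
# it is what lets the unsalted scheme be cracked "in bulk".
USERS = {
    "alice": "password1",
    "bob": "password1",
    "carol": "Tr0ub4dor&3",
}

# Constructed dictionary for the demonstration.
WORDLIST = ["123456", "password", "password1", "qwerty"]

# Assumed demo work factor; production deployments should use a far higher
# iteration count (or a memory-hard KDF such as scrypt/Argon2).
PBKDF2_ITERATIONS = 100_000


def unsalted_sha1(password: str) -> str:
    """Legacy scheme: one SHA-1 over the password, no salt, no work factor."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None) -> Tuple[str, str]:
    """Per-user 16-byte random salt plus a slow KDF; returns (salt_hex, hash_hex)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt.hex(), digest.hex()


def verify_salted(password: str, salt_hex: str, hash_hex: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = salted_record(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, hash_hex)


def store_unsalted(users: Dict[str, str]) -> Dict[str, str]:
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def store_salted(users: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    return {user: salted_record(pw) for user, pw in users.items()}


def crack_unsalted(stored: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Unsalted: hash each guess once and look it up against every account.
    Work is len(wordlist) regardless of how many accounts leaked."""
    lookup = {}
    ops = 0
    for guess in wordlist:
        lookup[unsalted_sha1(guess)] = guess
        ops += 1
    found = {user: lookup[h] for user, h in stored.items() if h in lookup}
    return found, ops


def crack_salted(stored: Dict[str, Tuple[str, str]], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Salted: every guess must be re-derived under each account's own salt,
    so work grows with accounts x guesses, and each op is a slow KDF."""
    found = {}
    ops = 0
    words = list(wordlist)
    for user, (salt_hex, hash_hex) in stored.items():
        for guess in words:
            ops += 1
            if verify_salted(guess, salt_hex, hash_hex):
                found[user] = guess
                break
    return found, ops


if __name__ == "__main__":
    plain = store_unsalted(USERS)
    salted = store_salted(USERS)
    print("alice and bob share an unsalted hash:", plain["alice"] == plain["bob"])
    print("alice and bob share a salted hash:  ", salted["alice"][1] == salted["bob"][1])
    print("unsalted dictionary pass:", crack_unsalted(plain, WORDLIST))
    print("salted dictionary pass:  ", crack_salted(salted, WORDLIST))
```

Running it shows the two shared-password accounts yield identical SHA-1 digests, so one pass over the wordlist (four hash operations) recovers both; under the salted scheme their stored hashes differ, the same pass costs ten KDF operations for three accounts, and each of those operations is deliberately slow.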

Of course, it would be wise to heed the general idea of the report: don’t re-use your password across different accounts, and make each password complex enough to withstand brute-forcing. The rest – take it with a grain of “salt”.

About the author

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beaten with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.
