Slashdot Mirror


Deloitte: Use a Longer Password In 2013. Seriously.

clustro writes "Deloitte predicts that 8-character passwords will become insecure in 2013. Humans have trouble remembering passwords with more than seven characters, and it is difficult to enter long, complex passwords into mobile devices. Users have not adapted to increased computing power available to crackers, and continue to use bad practices such as using common and short passwords, and re-using passwords across multiple websites. A recent study showed that using the 10000 most common passwords would have cracked >98% of 6 million user accounts. All of these problems have the potential for a huge security hazard. Password vaults are likely to become more widely used out of necessity. Multifactor authentication strategies, such as phone texts, iris scans, and dongles are also likely to become more widespread, especially by banks."

4 of 538 comments

  1. Secret Plans by SJHillman · Score: 5, Informative

    I think some places encourage short passwords. StudentLoans.com is Citibank's site for, you guessed it, student loans. The MAX password length is eight characters. That only encouraged me to pay off my loan to them faster just so I wouldn't have to deal with security like that.

    Of course, nowhere in the signup do they warn you that only the first eight characters of your password will be accepted, nor does the login box limit you to inputting eight characters. I signed up with abcdef12345678 and tried signing in with abcdef12345678, but it gave me password refused. By luck, I tried abcdef12 and it worked. Screw Citi and all of the others still using password schemes from the early 90s.
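The failure mode in this post, as an added example rather than any code from the site discussed: a credential store that keeps only the first eight characters at sign-up but hashes the full input at login (so the full password is refused and the prefix works), beside a store that hashes the whole password with a salted, iterated KDF. The store classes, the 8-character limit and the probe password are constructed for illustration; `silently_truncates` is an audit check a defender can run against their own password-handling code.

```python
import hashlib
import hmac
import os

LEGACY_MAX = 8          # constructed limit, modelled on the post's observation
ITERATIONS = 600_000    # PBKDF2-HMAC-SHA256 work factor (OWASP 2023 guidance)


class CredentialStore:
    """In-memory store: salted PBKDF2 over the *entire* password, no truncation."""

    def __init__(self):
        self.users = {}  # username -> (salt, derived key)

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt))

    def verify(self, username: str, password: str) -> bool:
        if username not in self.users:
            return False
        salt, stored = self.users[username]
        # constant-time comparison so the check itself leaks nothing
        return hmac.compare_digest(stored, self._hash(password, salt))


class TruncatingStore(CredentialStore):
    """Models the behaviour described in the post (hypothetical, not the real
    site's code): sign-up silently keeps the first LEGACY_MAX characters, while
    login hashes whatever the user typed, so the full password no longer matches."""

    def register(self, username: str, password: str) -> None:
        super().register(username, password[:LEGACY_MAX])


def silently_truncates(store: CredentialStore, limit: int = LEGACY_MAX) -> bool:
    """Audit check: register a long constructed password, then see whether a
    prefix of it is accepted. True means the store is truncating somewhere."""
    probe = "abcdef12345678"  # constructed probe, the string used in the post
    store.register("_truncation_probe", probe)
    try:
        return store.verify("_truncation_probe", probe[:limit])
    finally:
        del store.users["_truncation_probe"]


if __name__ == "__main__":
    print("legacy truncates:", silently_truncates(TruncatingStore()))  # True
    print("modern truncates:", silently_truncates(CredentialStore()))  # False
```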

  2. Re:I love old news. by SuricouRaven · Score: 5, Informative

    xapsdogien32
    > Error: Must include at least one punctuation character.
    xapsdogien32!
    > Error: Must not contain a dictionary word.
    xapsd_ogien32!
    > Error: Maximum length twelve characters.
    psd_ogien32!
    > Error: Must include an uppercase character.
    A1!
    > OK

  3. Re:I Got It! by OzPeter · Score: 5, Informative

    A better question would be, what system would allow 1000 password guesses per second to be authenticated?

    Irrelevant, as the cracking will happen offline after the bad guys have stolen your PW DB by exploiting other weaknesses in your system.

    --
    I am Slashdot. Are you Slashdot as well?

  4. Re:I Got It! by AndrewStephens · Score: 5, Informative

    True, but nobody tries breaking into a system by logging in ten thousand times a second to a single account. The recent well-publicised break-ins resulted from the hashed password file being publicly available, either stolen through a vulnerability or maliciously leaked. If the attackers have the hashed passwords they can try them at a rate of millions or billions of attempts per second for as long as they want.

    --
    sheep.horse - does not contain information on sheep or horses.