P@$$1234: the end of strong password-only security

TMT Technology Predictions 2013

Deloitte predicts that in 2013 more than 90 percent of user-generated passwords, even those considered strong by IT departments, will be vulnerable to hacking. Inadequate password protection may result in billions of dollars of losses, declining confidence in Internet transactions and significant damage to the reputations of the companies compromised by attacks.

A note from the authors

In a recent study of six million actual user-generated passwords, the 10,000 most common passwords would have accessed 98.1 percent of all accounts. Non-random distribution allows hackers to create a file, or “dictionary,” of common password words and phrases, and symbolic variations, making cracking an account thousands or millions of times easier.

In general, mobile passwords tend to be less secure than those used on a PC. On a standard physical keyboard, all 94 possible characters are easily entered; on a smartphone with a small physical keyboard, accessing all possible characters takes a bit longer; on a touchscreen-only device, a user may have to page through multiple screens just to find the “#” symbol. The average user takes 4-5 seconds to type a strong ten-character password on a PC keyboard. That increases to 7-10 seconds on a smartphone with a keyboard and 7-30 seconds on touchscreen devices. A quarter of the people surveyed admitted to using less-secure passwords on mobile devices to save time.

P@$$1234: the end of strong password-only security

It sounds like the days of using 'password' for our 'password' are behind us- or at least should be! Learn what Deloitte predicts for 2013, how passwords most commonly 'get hacked', and whether we'll see a shift towards longer and stronger passwords being required.



Duncan Stewart, Director of TMT Research, Deloitte Canada, and co-author of TMT Predictions.

Paul Lee, Head of Global TMT Research, co-author of TMT Predictions.


Stephen Heasley, Global Online Communications, Deloitte Touche Tohmatsu Limited

P@$$1234: the end of strong password-only security
Did you find this useful?