The consulting firm's Canadian Technology, Media & Telecommunications (TMT) Predictions 2013 report covers a range of technology predictions, including the outlook for subscription TV services and 4K televisions, but the vulnerabilities in today’s password practices top the list of things to consider in 2013.
The problem, researchers said, is that everything that we thought to be true must be reconsidered given advances in technology.
"Passwords containing at least eight characters, one number, mixed-case letters and non-alphanumeric symbols were once believed to be robust,” said Duncan Stewart, a director of research for the report. “But these can be easily cracked with the emergence of advance hardware and software.”
For instance, a machine running readily available virtualization software and high-powered graphics processing units can crack any eight-character password in about five hours, he noted.
But as ever, human behavior gets in the way when it comes to being safe. Specifically, the inability to remember multiple unique 24-character password strings. The limitations of most humans’ ability to remember complex credentials means that there is a tendency for password re-use, which also puts password security at risk. If a hacker cracks even an innocuous account, like a grocery store loyalty card, the credentials are likely to have been used elsewhere, like for online banking. Once a hacker has a password, he or she can potentially have the keys to the cyberkingdom based on most consumers’ behavior.
“Moving to longer passwords or to truly random passwords is unlikely to work, since people just won't use them,” Stewart said.
However, all hope is not lost: Multifactor authentication using tokens, cellphones, credit cards and more are likely solutions. That means that having additional passwords sent through SMS to a phone, a requirement for fingerprints and other biometrics, or even 'tap and go' credit cards may be the norm in the future, he concluded.
22 January 2013
Cant believe that in 2013 anyone would seriously suggest use of SMS as a means of multifactor authentication. This creates a false sense of security and opportunity for even greater losses from fraud. Fraudsters can and do arrange for porting of the target customer mobile number to a new mobile service provider - They then receive the SMS message, completely undermining the assumed mulitfactor authentication.
21 January 2013
There;s something I don't understand.
How will the cracking device know that it has cracked the password without testing it? Will the device not need to attempt to login many times before being successfull. Because most systems will only allow a very limited number of attempts before lockout, how can the password be cracked?
Note: The majority of comments posted are created by members of the
public. The views expressed are theirs and unless specifically stated are not those
Elsevier Ltd. We are not responsible for any content posted by members of the public
or content of any third party sites that are accessible through this site. Any links
to third party websites from this website do not amount to any endorsement of that
site by the Elsevier Ltd and any use of that site by you is at your own risk. For
further information, please refer to our Terms & Conditions.
Comment on this article
You must be registered and logged in to leave a comment
about this article.