
Longer passwords and multifactor authentication can provide more security for users, who are alarmingly predictable.

A mixed-case password that is eight characters long and contains a numeral and a symbol has long been considered strong, even by many IT departments. After all, it is one of 6.1 quadrillion combinations, and would take a reasonably fast computer nearly a year to crack.

That password, however, is no longer secure enough, thanks to human behavior and technology.

For starters, humans struggle to retain more than seven numbers in short-term memory.¹ Adding letters, cases, and symbols makes remembering that much more difficult. As a result, humans tend to select words and names that have some personal meaning; they begin passwords with an uppercase letter and end them with whatever numerals and symbols are required. Therefore, it’s no surprise that, in a recent study of 6 million actual user-generated passwords, the 10,000 most common passwords would have accessed 98.1 percent of all accounts.² The prevalence of common passwords makes it even easier for hackers to crack passwords.

Even more worrisome than non-random passwords is password re-use. The average user has 26 password-protected accounts, but only five passwords.³

Advances in technology are further aiding would-be hackers. A computer loaded with the latest virtualization software and high-powered graphics cards can now crack an eight-character password in 5½ hours.⁴
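To put numbers on the two effects above, the following added example (not part of the original article) derives the guess rate implied by the 5½-hour figure and compares the full 6.1-quadrillion keyspace with the much smaller space left when a password follows the "capital first, numeral and symbol last" habit. The 94-character alphabet, the mask notation, the function names and the sample passwords are assumptions made for illustration.

```python
import re
import string

# Assumed alphabet: 26 upper + 26 lower + 10 digits + 32 symbols = 94 characters.
CLASS_SIZE = {"U": 26, "l": 26, "d": 10, "s": len(string.punctuation)}
FULL_ALPHABET = sum(CLASS_SIZE.values())
# Habit described in the article: capital first, lowercase word, digits/symbols appended.
PREDICTABLE = re.compile(r"^Ul+[ds]+$")

def full_keyspace(length):
    """Candidates an exhaustive search covers for a truly random password."""
    return FULL_ALPHABET ** length

def implied_rate(length, hours):
    """Guesses per second implied by exhausting the full keyspace in `hours`."""
    return full_keyspace(length) / (hours * 3600)

def mask_of(password):
    """Character-class mask: U=upper, l=lower, d=digit, s=symbol."""
    mask = ""
    for ch in password:
        if ch in string.ascii_uppercase: mask += "U"
        elif ch in string.ascii_lowercase: mask += "l"
        elif ch in string.digits: mask += "d"
        elif ch in string.punctuation: mask += "s"
        else: raise ValueError("character outside the assumed 94-symbol alphabet")
    return mask

def mask_keyspace(mask):
    """Candidates left once the position of each character class is known."""
    total = 1
    for cls in mask:
        total *= CLASS_SIZE[cls]
    return total

def audit(password, rate):
    """Compare worst-case search time for the full keyspace vs. the password's own mask."""
    mask = mask_of(password)
    full, structured = full_keyspace(len(password)), mask_keyspace(mask)
    return {"mask": mask,
            "predictable": bool(PREDICTABLE.match(mask)),
            "full_hours": full / rate / 3600,
            "mask_seconds": structured / rate,
            "reduction": full // structured}

if __name__ == "__main__":
    rate = implied_rate(8, 5.5)            # from the 5½-hour figure above
    for pw in ("Summer1!", "k7#Qp!2x"):    # constructed sample passwords
        print(pw, audit(pw, rate))
```

The mask figure is a lower bound on effort for a searcher who already assumes that structure; a password policy check can use the `predictable` flag to reject such choices regardless of length.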

That is why the days of the secure eight-character password are numbered, as Deloitte Touche Tohmatsu Limited research directors Paul Lee and Duncan Stewart explain in this TMT Predictions video.