According to the Deloitte Technology Trends 2013 report, many user-generated passwords are weak and vulnerable to hacking, despite meeting IT departments' strong-password guidelines.
The report states that while stronger, longer passwords mean greater levels of security, people understandably find these harder to remember. (ESET recently quizzed computer users about various aspects of password selection and management, and offers this analysis of password usage.)
The human element in password selection drastically increases the probability that passwords can be guessed or otherwise hacked. The report notes: "In a recent study of six million actual user-generated passwords, the 10,000 most common passwords would have accessed 98.1 percent of all accounts."
Deloitte claims that poor password protection may result in billions of dollars in lost revenue, a fall in confidence in Internet transactions and reputational damage to companies compromised by attacks. The solution? The report suggests that “an additional bit of identification can be used... It could be a password sent to a cell phone or smartphone, a physical device that plugs into a USB slot, or possibly be a biometric feature of the user.”
The report concludes: “As the value of the information protected by passwords continues to grow – attracting more hack attempts – high-value sites will likely require additional forms of authentication.”