Here’s an example: some systems force you to choose an eight-character password, using capital letters, numbers and at least one number. That sounds pretty secure, but it’s not. The word P@ssw0rd fits these criteria, and password-cracking tools such as John the Ripper or hashcat will guess it in minutes. That’s because they use something called “mangling rules”, which take dictionary words and swap letters for look-alike symbols, such as a for @ or s for $.
“The cracking software that’s out there has known about all of these tricks for more than a decade,” says Herley. “A lot of the password completion policies don’t push people toward randomness and things that will pass 10^14 guesses, they push people toward predictable strategies that will not.”
Try out enough password-strength checkers, and you’ll get the impression that more is always better when it comes to passwords. But that’s not really the case, Herley says. Randomness is the key. But the problem—and it’s a near-fatal one—is that humans are really, really bad at generating random passwords. So maybe we should just expect our passwords to suck, and concentrate on protecting accounts in other ways, like with two-factor authentication, where you have to use a password in tandem with something like a fingerprint, a text message, or a random number generated on a device you lug around.
Two-factor authentication should really be standard by now, but it's not. It's too inconvenient and costly to implement it for all users across an entire system about 99% of the time. That's not going to change until the costs of not having enforced two-factor authentication for all users (like hackers stealing account info and the lost business it causes) exceed the costs of implementing it.
It's getting to that point for Apple and Google now. They offer it and really should make it standard. You'll see more and more companies going to two-factor authentication as soon as losses from password hacking and "social engineering" mount into the billions.
The counter-argument is that no system can ever be 100% secure as long as people have to access it and it has access to the internet, so there does have to be a limit on it. But I'm betting sometime soon your IT department will be rolling out two-factor authentication, and not just for remote users.