
Even Supposedly Secure Passwords Typically Share Common Characteristics

Ninety per cent of passwords are vulnerable to hacking because even supposedly secure passwords typically share common characteristics.

Because people are required to generate so many passwords with particular characteristics - at least eight characters long, including numbers or symbols as well as letters - they not only frequently use the same one over a number of websites and systems, but use passwords based on whole-word phrases.


"Users often create passwords that reference words and names in our language and experience. Users typically put the upper case symbol at the beginning of the password and place the numbers at the end of the password, repeating the numbers or putting them in ascending order," claims the report.

"Although a keyboard has 32 different symbols, humans generally only use half-a-dozen of these in passwords because they have trouble distinguishing between many of them," it continues.

These factors all conspire to radically weaken people's passwords, claims Deloitte.

"In a recent study of six million actual user-generated passwords, the 10,000 most common passwords would have accessed 98.1 per cent of all accounts... But non-random passwords aren't even the biggest problem. The bigger problem is password re-use," warns Deloitte.

It continues: "The average user has 26 password-protected accounts, but only five different passwords across those accounts. Because of password re-use, a security breach on a less-secure gaming or social networking site can expose the password that protects a bank account.

"This is exactly what happened in a series of breaches in 2011 and 2012, and there are now websites where tens of millions of actual passwords can be accessed."

While the kinds of passwords required to log in to systems have been improved - six letters, all upper-case, is no longer acceptable - so have the hardware and password dictionaries used by attackers.

"A dedicated password-cracking machine employing readily available virtualisation software and high-powered graphics processing units can crack any eight-character password in five-and-a-half hours," says Deloitte.

While such a machine might well cost some $30,000 (£20,000) today, "crowd hacking" can be used to distribute the task over thousands of machines, possibly compromised PCs and servers harnessed in a botnet.

Mobile passwords are typically even less secure because typing in a password is much more of a chore, and often has to be done every time someone wants to use their device - which is constantly powering down to save battery life.

Despite their shortcomings, Deloitte nevertheless recommends requiring even longer passwords, arguing that adding just one or two characters to the password can extend the time it takes to "brute force" crack it by almost a thousand times.
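The arithmetic behind that claim is worth seeing in code. The following is an added example, not part of the article or of Deloitte's report: it takes the report's figure (any eight-character password exhausted in five and a half hours), assumes the attacker is brute-forcing the full 95-character printable ASCII set (an assumption; the report does not state the character set), derives the implied guess rate, and extrapolates how long nine- and ten-character passwords would take at the same rate. The `slowdown_factor` function shows why one or two extra characters multiply the search time by the size of the character set once or twice over.

```python
import math

# Assumption (not from the report): attacker exhausts the 95 printable ASCII characters.
PRINTABLE_ASCII = 95
# Figures quoted by the report: eight characters in five and a half hours.
REPORT_LENGTH = 8
REPORT_SECONDS = 5.5 * 3600


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords for a fixed length over a character set."""
    return charset_size ** length


def guess_rate(charset_size: int, length: int, seconds: float) -> float:
    """Guesses per second implied by exhausting the whole keyspace in `seconds`."""
    return keyspace(charset_size, length) / seconds


def crack_seconds(charset_size: int, length: int, rate: float) -> float:
    """Worst-case time to exhaust the keyspace at a given guess rate."""
    return keyspace(charset_size, length) / rate


def slowdown_factor(charset_size: int, extra_chars: int) -> int:
    """How many times longer exhaustive search takes after adding characters.

    Each extra position multiplies the keyspace by the character-set size,
    which is why 'one or two characters' can mean a thousand-fold increase."""
    return charset_size ** extra_chars


def humanize(seconds: float) -> str:
    """Render a duration in the largest sensible unit (assumed 365.25-day year)."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def extrapolation_table(charset_size: int = PRINTABLE_ASCII,
                        lengths: range = range(8, 13)) -> dict:
    """Worst-case crack time per length at the rate implied by the report's figure."""
    rate = guess_rate(charset_size, REPORT_LENGTH, REPORT_SECONDS)
    return {n: crack_seconds(charset_size, n, rate) for n in lengths}


if __name__ == "__main__":
    rate = guess_rate(PRINTABLE_ASCII, REPORT_LENGTH, REPORT_SECONDS)
    print(f"implied rate: {rate:.3g} guesses/second")
    for n, secs in extrapolation_table().items():
        print(f"{n} chars: {humanize(secs)}")
    print("adding 2 chars over 32 symbols:", slowdown_factor(32, 2), "x")
```

The table is a worst case for a uniform brute-force search only; the dictionary and pattern-based attacks the report describes earlier need far fewer guesses, so a long password that follows a predictable pattern gains much less than the multiplier suggests.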

Companies ought to ensure that user names and passwords are never stored unencrypted, unhashed and unsalted. Salting, says Deloitte, is "a relatively simple and inexpensive technique [that] appends a random string of characters to the password each time the user enters it, effectively randomising the hash and making hacking the code orders of magnitude more difficult".

Password creation systems, furthermore, ought to have their own dictionaries of weak passwords to enable them to be rejected when proposed by users.
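The two server-side recommendations above, salted hashing and a weak-password dictionary, combine naturally with checks for the habits the report describes (a capital only at the start, digits only at the end, repeated or ascending digits, dictionary words with digits bolted on). The code below is an added example, not from the article or from Deloitte: the weak-password set is a constructed stand-in for a real breach-derived list, the pattern rules and the 200,000-iteration PBKDF2 setting are assumptions, and `register` is a hypothetical sign-up handler that rejects a password if any check fires and otherwise stores a per-user random salt with the hash.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

# Constructed stand-in for a weak-password dictionary (assumption: lowercase words);
# a real deployment would load a large list drawn from published breaches.
WEAK_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "monkey", "dragon"}

MIN_LENGTH = 8
PBKDF2_ITERATIONS = 200_000  # assumption: tune to the server's hashing budget


def common_pattern_findings(password: str) -> list:
    """Return the reasons a password matches the habits the report describes.

    An empty list means none of the checks fired."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")

    # A dictionary word with digits or symbols appended (e.g. Welcome123!)
    core = re.sub(r"[^A-Za-z]+$", "", password).lower()
    if core in WEAK_PASSWORDS or password.lower() in WEAK_PASSWORDS:
        findings.append("based on a word in the weak-password dictionary")

    # Capital letter only in the first position
    if password[:1].isupper() and not any(c.isupper() for c in password[1:]):
        findings.append("upper case used only at the start")

    # All digits pushed to the end of the password
    if re.fullmatch(r"[^0-9]+[0-9]+", password):
        findings.append("digits appear only at the end")

    # Trailing digits that repeat (2222) or ascend (123)
    tail = re.search(r"[0-9]{2,}$", password)
    if tail:
        digits = tail.group()
        if len(set(digits)) == 1:
            findings.append("trailing digits repeat")
        elif all(int(b) == int(a) + 1 for a, b in zip(digits, digits[1:])):
            findings.append("trailing digits ascend in order")
    return findings


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted, iterated hash. A fresh random salt per user means two users with
    the same password get different hashes, so one precomputed table cannot
    crack them all, and the iteration count slows each guess an attacker makes."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def register(password: str) -> dict:
    """Hypothetical sign-up handler: reject weak patterns, else store salt + hash."""
    findings = common_pattern_findings(password)
    if findings:
        raise ValueError("rejected: " + "; ".join(findings))
    salt, digest = hash_password(password)
    return {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


if __name__ == "__main__":
    for candidate in ("Welcome123", "Summer2222", "xK9#vbq2!Lm7"):
        print(candidate, "->", common_pattern_findings(candidate) or "no findings")
    record = register("xK9#vbq2!Lm7")
    print("stored:", record)
    print("verify:", verify_password("xK9#vbq2!Lm7", bytes.fromhex(record["salt"]),
                                     bytes.fromhex(record["hash"])))
```

The checks are deliberately cheap so they can run at password-creation time; the expensive part, the iterated hash, runs once per login and is what keeps a leaked database from being cracked at the rates the report quotes.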

While single sign-on can help - one highly secure password governing access to multiple systems - it also creates a highly attractive honeypot for attackers.

Deloitte therefore recommends multi-factor authentication in which users still log in with a user name and password, but must also use an additional form of authentication.

That might be typing in a code sent to their mobile phone, or a smart card or other device that needs to be plugged into the PC - although that might be difficult or expensive to deploy on mobile devices, such as Apple iPads.

"The idea is that, while a hacker might know your username and password, they are unlikely to also know your cell phone number or have a copy of your fingerprint... it makes cracking accounts far more difficult," says the report.

Source: http://www.computing.co.uk/ctg/news/2266086/ninety-per-cent-of-passwords-vulnerable-to-hacking-deloitte#comment_form
Ninety Per Cent of Passwords 'vulnerable to Hacking' - Deloitte