Global consulting firm Deloitte released a report recently with an alarming prediction: More than 90 percent of user-generated passwords will be vulnerable to hacking.  The report, prepared by Deloitte’s Canadian Technology, Media & Telecommunications arm, said even those passwords traditionally considered strong — with eight characters and a combination of numbers, letters and symbols — are at risk.

Most people have been told that a strong eight-character password — with a number or two and a random symbol — is sufficiently secure for even relatively high-value financial transactions. Such a password chosen from all 94 characters available on a standard keyboard is one of 6.1 quadrillion possible combinations. It would take about a year for a relatively fast 2011 desktop computer to try every variation, Deloitte says.

And because the longer and more @, * and % symbols are in passwords, the harder they are to remember. So many end up using a very small subset of those possible combinations — which makes user-generated passwords susceptible to getting cracked.

“Most people put a capital letter at the beginning, and if you use a symbol, you probably use an exclamation mark,” says Richard Lee, national managing partner in Deloitte’s Technology, Media & Telecom group.

Deloitte cites a recent study of 6 million user-generated passwords; the 10,000 most common passwords would have accessed 98 percent of all accounts.

The bigger problem, however, is password re-use, says Lee. A study by credit-checking firm Experian last year found that the average user has 26 password-protected online accounts but uses only five different passwords.

So for those who use the same password for their bank account online as for their PlayStation account, a security breach at the gaming site could expose the password that protects their bank account.

Deloitte notes advances in the hardware used to crack passwords that have made sensitive information increasingly vulnerable. One of these includes so-called brute-force attacks, which applies each of the 6.1 quadrillion combinations for an eight-character password until one works.