Persuading people not to reuse the same password across multiple websites has become one of security’s big head-scratchers.
Asking people not to do something only gets you so far – because there will always be people who think it doesn’t apply to them, or who simply can’t be bothered.
But might there be a simpler fix? A new Indiana University (IU) study, Factors Influencing Password Reuse: A Case Study, thinks it has hit on an answer that’s been hiding in plain sight for years – set policies that mandate longer and more complicated passwords.
It sounds too good to be true, but the researchers arrived at this disarmingly straightforward recommendation after using some slightly involved inference about the level of password reuse at 22 US universities, including IU itself.
First, they analysed the institutions’ published password policies, noting variables such as minimum length and required character types, whether a history check stopped users from re-using a previous password, and whether passwords expired.
Next they combed a database of 1.3 billion known breached credentials for email addresses at one of these university domains, and found 7.3 million that matched.
Clearly, large numbers of accounts registered with university email addresses had been breached. But how many of those leaked passwords were also the user’s actual university password, reused on the breached site alongside the university email address?
It’s impossible to be certain. A password in a public dump was almost certainly stolen from some third-party site rather than from the university itself, so the question is whether the same password was also in use on the university account.
However, by correlating the breached credentials with each university’s password policy, the researchers established that the institutions with more demanding policies were less likely to have their users’ credentials turn up in the public data.
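One practical form of that correlation, as an added example rather than the study’s own code: given leaked email:password records and each institution’s published policy, count how many leaked passwords could even have been accepted under the internal policy. A leaked password that fails the policy cannot be the user’s current internal password, so only the compliant subset is a reuse candidate. The domains, policies and dump lines below are constructed for illustration and belong to no real university.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """A published password policy for one mail domain (constructed values)."""
    domain: str
    min_length: int
    min_char_classes: int = 1  # of lower/upper/digit/symbol, how many must appear


# Hypothetical policies for two fictitious institutions. The contrast mirrors
# the text: a 15-character passphrase minimum versus an 8-character, three-class rule.
POLICIES = {
    "strict-u.example": Policy("strict-u.example", min_length=15),
    "lax-college.example": Policy("lax-college.example", min_length=8, min_char_classes=3),
}

# Constructed breach records in the usual "email:password" dump layout.
# The last two lines are deliberately an unrelated domain and a malformed line.
DUMP = """\
alice@strict-u.example:correct horse battery staple
bob@strict-u.example:Summer2017!
heidi@Strict-U.example:Summer2017
carol@lax-college.example:Passw0rd!
dave@lax-college.example:dave1234
erin@lax-college.example:Tr0ub4dor&3
frank@other.example:letmein
this line has no separator
"""

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def char_classes(password: str) -> int:
    """Number of distinct character classes present in the password."""
    return sum(bool(re.search(p, password)) for p in CLASS_PATTERNS)


def satisfies(policy: Policy, password: str) -> bool:
    """Could this password have been accepted under the policy?"""
    return (len(password) >= policy.min_length
            and char_classes(password) >= policy.min_char_classes)


def parse_dump(text: str):
    """Yield (email, password) pairs; passwords may themselves contain ':'."""
    for line in text.splitlines():
        email, sep, password = line.partition(":")
        if not sep or "@" not in email:
            continue  # malformed record: skip rather than guess
        yield email.strip().lower(), password


def triage(dump: str, policies: dict) -> dict:
    """Per domain: how many leaked records exist, and which could satisfy policy."""
    report = {d: {"leaked": 0, "policy_compliant": [], "rate": 0.0} for d in policies}
    for email, password in parse_dump(dump):
        domain = email.rpartition("@")[2]
        policy = policies.get(domain)
        if policy is None:
            continue  # not one of the institutions we care about
        entry = report[domain]
        entry["leaked"] += 1
        if satisfies(policy, password):
            entry["policy_compliant"].append(email)
    for entry in report.values():
        if entry["leaked"]:
            entry["rate"] = len(entry["policy_compliant"]) / entry["leaked"]
    return report


if __name__ == "__main__":
    for domain, entry in triage(DUMP, POLICIES).items():
        print(f"{domain}: {len(entry['policy_compliant'])}/{entry['leaked']} leaked "
              f"passwords could satisfy policy ({entry['rate']:.0%})")
```

On the constructed data the 15-character domain ends up with one candidate out of three leaked records and the 8-character domain with two out of three. Note what this does and does not prove: policy compliance is an upper bound on possible reuse, not evidence of it, and a real incident response would still compare the compliant candidates against the internal credential store (for example by hashing them under the directory’s own scheme) before forcing resets.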
IU had a particularly low password reuse rate thanks to its tough requirements, which leads the authors to the conclusion that:
Passphrase requirements such as a 15-character minimum length deter the vast majority of IU users (99.98 percent) from reusing passwords or passphrases on other sites.
Conversely, universities with lower requirements suffered password reuse rates of up to 40%, they wrote. And, of course:
Our recommendations are not only applicable for universities, but also can be used by other organizations, services or applications.
The discovery here seems to be that longer and more random passwords are harder to remember, which has the effect of making them harder to reuse.
Put another way, if every website had similarly demanding policies, reusing passwords might become too inconvenient to bother with.
One might argue that the problem could be bypassed with stronger authentication, such as two-factor authentication (2FA) – although that’s easier said than done given how few people switch it on when it’s offered to them, for example to protect their Gmail accounts.
This is what makes the IU team’s discovery interesting – perhaps password reuse isn’t the intractable problem it’s often presented as being and a simple change of password policies is a cheap upgrade that organisations could implement now.
It is, at least, perhaps a more practical solution than the University of North Carolina proposal that websites start checking passwords against a central database, implemented using homomorphic encryption.
If everyone had a 22-character password requirement, why wouldn’t people reuse their 22-character password?
I was thinking the same thing. It appears to me the findings only work because most places don’t require long passwords, so users aren’t going to reuse their long password when they can use a shorter one. If everyone increased their minimum password length to solve the problem, we would just end up back where we are currently.
It’s a question of trade-offs – at what point does it become worth it to learn a long password to avoid having to use lots of different ones instead?
If that meant 12-character random passwords, your assumption sounds plausible. At 22 characters, I’m less convinced.
I agree.
The one time we saw a password dump on PasteBin (leaked from a 3rd party website) that included some of our email addresses, those leaked passwords were much shorter than what we use internally. I was able to confidently report to my manager that there was negligible risk to the business because it was not possible for those leaked passwords to match our internal passwords. This only works because so many 3rd party sites/services require a short password (i.e. 6-8 characters) and we require longer passwords (minimum 12 characters). If longer passwords were the norm, we’d have to up the ante again to ensure password reuse did not occur.
“The discovery here seems to be that longer and more random passwords are harder to remember, which has the effect of making them harder to reuse.”
I feel like this might be counter-intuitive – if you have a hard password to remember, you are more likely to use it more often, simply because you would then need to remember fewer of them.
I just don’t see the logic in that statement. Seems to me that requiring lengthy passwords would lead people to reuse them even more, simply because it’s much easier to memorize ONE password than to memorize a slew of them!
Clearly, if you are determined to use the same password then using one long one is the same as using one shorter one. The point is the length creates a modest barrier that might push more people to save unique passwords using their browser, say.
I personally think that there are far too many websites asking for passwords. There are very few organisations/companies that I actually want an account with.
+1
I’m on the bus (or the train, or in a coffee shop) that is offering free Wi-Fi – hardly a big prize these days – so I go to connect, expecting and willing to give away an email address and to receive a welcome email, which seems fair enough…
…and next thing I know they want me to invent a secure password, create an account (ever tried to find how you close the account when you’re done?), and so on. It’s like being invited to join a pick-up game of {cricket, football, touch rugby} in the park and then finding out that before you can touch the ball you have to join a formal sports club. Kind of a collision of worlds…
The takeaway here should not be that requiring long passwords reduces re-use, but rather that having *unique* (or even just unusual) requirements does so.
Seems like the researchers are confusing correlation with causation. The length requirements seem to be an indirect contributor to the passwords not being reused. If all, or even just a significant share of websites required similarly long passwords, they would definitely be reused.
If all websites had unique requirements (irrespective of short or long) then there would be no re-use. Unfortunately, this would require coordination between websites, which might even lead to *weaker* passwords.
I agree. This research seems like a bunch of unprovable conclusions to me. What if sites that you can’t avoid using (e.g. to access benefits or complete a college course) that force you to get serious about passwords simply have the effect of persuading you to adopt a password manager? Once you do that, you’re unlikely to reuse passwords any more, and every password will be a good one, and that explains everything, too.
I suspect those long passphrase passwords are not being reused because most sites do not require long passwords. That means people are free to reuse their shorter passwords even when they have to use long passwords on some sites. In other words, they have a short password that they reuse on as many sites as they can and use long passwords when they are forced to. I think people would reuse long passwords if most sites required long passwords.
In other news*, a recent study showed that Indiana University had the highest rate of passwords on Post-It Notes pasted on monitors.
* satire, in case you couldn’t tell.
I think the research proves that no one wants to use complicated passwords. So unless forced to, they don’t (since they’re harder to remember), which would account for their infrequent re-use. If *everyone* was forced to use one, they’ll be more inclined to re-use, since it’s difficult to remember and therefore much much easier to re-use. It’s no different to when case sensitive and then complicated passwords were enforced: people just made up a general complicated password to use.
But as Paul mentioned below, it might have an upside to encourage people to use a password manager.
IMHO the best thing sites and companies/institutions can do in the interim (until passwords are replaced) is force people to use password managers, whether at work, study or even institutions (such as banks, utilities, Govt, etc). Employers should force password managers on devices by default. Financial institutions should offer a free/subsidized password manager (and even offer incentives such as fee reductions, better interest rate, free premium service upgrade, etc) along with 2FA/TOTP, as it’s in their interest as well (you’d assume also a reduction in cyberfraud insurance premiums). Of course Govt should also encourage this as they should be leading by example. When people get used to password managers, they’ll use them.
But longer, more complicated passwords? Give me a break. Passwords are like a VHS tape. Making a 10hr VHS tape won’t fix the problems with VHS. We’ve moved on from VHS, and we should move on from passwords, especially ones created by people.
The answer to password re-use, as correctly mentioned above, is a password manager. Since I started using KeePass (so long ago I don’t remember NOT having it), I haven’t had the inclination to re-use a password, even on sites I know I’m going to delete my account from the same day. The password generator in KeePass is great, and if there’s an issue with what a particular site requires (I’ve had sites complain my password was too long), you can modify the password generator to match that site’s requirements pretty easily. I have it installed on all of my systems, and I also have the portable version on a USB key. Keeping the password vaults synced was a chore when I started using it, but it’s been updated and is fairly simple now. Of course, you also have the option of using a keyfile, so accessing your password vault from Dropbox, iCloud, OneDrive, etc. is no longer an issue either.