Is this the simple solution to password re-use?

Persuading people not to reuse the same password across multiple websites has become one of security’s big head-scratchers.

Asking people not to do something only gets you so far – because there will always be people who think it doesn’t apply to them, or who simply can’t be bothered.

But might there be a simpler fix? A new Indiana University (IU) study, Factors Influencing Password Reuse: A Case Study, thinks it has hit on an answer that’s been hiding in plain sight for years – set policies that mandate longer and more complicated passwords.

It sounds too good to be true, but the researchers arrived at this disarmingly straightforward recommendation after using some slightly involved inference about the level of password reuse at 22 US universities, including IU itself.

First, they analysed the institutions’ published password policies, paying attention to variables such as length and character type, whether the reuse of previous passwords was possible, and whether they expired.

Next they combed a database of 1.3 billion known breached credentials, looking for email addresses belonging to one of these university domains – and found 7.3 million that did.

Clearly, large numbers of university credentials had been breached, but how many had been breached because they’d been reused elsewhere in conjunction with a university email address?

It’s impossible to be certain, but if a password turns up in a public database it’s probably been used in multiple places, simply because it’s unlikely that all of these were stolen directly from the university in question.

However, by correlating breached credentials to each university’s password policy, the researchers established that the institutions with more demanding policies were less likely to appear in the public data.
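The three steps above (catalogue each institution's policy, pull the breach records whose email domain belongs to it, then compare exposure against policy strength) can be reproduced on a small scale. The following is an added example, not code from the IU study or the article; every domain, policy, breach record and account count in it is constructed sample data, and the account counts are an assumption added so that exposure can be expressed as a rate, which the article's raw 7.3 million figure cannot be without a denominator.

```python
"""Added example (not from the IU study or the article): relate per-domain
exposure of institutional email addresses in a breach corpus to each
institution's published password policy. All data below is constructed."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int             # minimum number of characters
    char_classes: int           # required classes (upper/lower/digit/symbol)
    blocks_previous: bool       # previously used passwords are rejected
    expires_days: Optional[int] # rotation interval, None if never expires


# Constructed policies for hypothetical domains (not real universities).
POLICIES: Dict[str, PasswordPolicy] = {
    "alpha.example.edu": PasswordPolicy(15, 1, True, None),
    "beta.example.edu": PasswordPolicy(8, 3, False, 180),
    "gamma.example.edu": PasswordPolicy(8, 1, False, None),
}

# Constructed breach records as (email, password) pairs, the shape a leaked
# credential dump takes. None of these are real credentials.
BREACH_RECORDS: Tuple[Tuple[str, str], ...] = (
    ("a.user@alpha.example.edu", "correct-horse-battery-staple"),
    ("b.user@beta.example.edu", "Summer2019!"),
    ("c.user@beta.example.edu", "Summer2019!"),
    ("d.user@gamma.example.edu", "password1"),
    ("e.user@gamma.example.edu", "qwerty"),
    ("f.user@gamma.example.edu", "iloveyou"),
    ("someone@unrelated.example.com", "hunter2"),  # not one of our domains
)

# Constructed account head-counts (assumed) so exposure can be a rate.
ACCOUNT_COUNTS: Dict[str, int] = {
    "alpha.example.edu": 10_000,
    "beta.example.edu": 5_000,
    "gamma.example.edu": 5_000,
}


def domain_of(email: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return email.rsplit("@", 1)[-1].lower()


def breached_per_domain(records: Iterable[Tuple[str, str]],
                        policies: Dict[str, PasswordPolicy]) -> Counter:
    """Count breach records whose email belongs to a domain we have a policy for."""
    counts: Counter = Counter()
    for email, _password in records:
        d = domain_of(email)
        if d in policies:
            counts[d] += 1
    return counts


def exposure_rates(records, policies, account_counts) -> Dict[str, float]:
    """Breached credentials per account, keyed by domain."""
    counts = breached_per_domain(records, policies)
    return {d: counts[d] / account_counts[d] for d in policies}


def rate_by_min_length(records, policies, account_counts) -> Dict[int, float]:
    """Mean exposure rate grouped by the policy's minimum length, the policy
    variable the article singles out."""
    rates = exposure_rates(records, policies, account_counts)
    grouped = defaultdict(list)
    for d, pol in policies.items():
        grouped[pol.min_length].append(rates[d])
    return {length: sum(v) / len(v) for length, v in grouped.items()}


if __name__ == "__main__":
    for d, r in sorted(exposure_rates(BREACH_RECORDS, POLICIES, ACCOUNT_COUNTS).items()):
        print(f"{d:22s} min_len={POLICIES[d].min_length:2d} exposure={r:.4%}")
    print(rate_by_min_length(BREACH_RECORDS, POLICIES, ACCOUNT_COUNTS))
```

Grouping by one policy variable at a time is the weakness of this kind of inference as much as of the example: the domains differ in more than minimum length, and a raw breach count says nothing about whether the credential was stolen from the institution or reused on a third-party site, which is the caveat the article itself raises.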

IU had a particularly low password reuse rate thanks to its tough requirements, which leads the authors to the conclusion that:

Passphrase requirements such as a 15-character minimum length deter the vast majority of IU users (99.98 percent) from reusing passwords or passphrases on other sites.

Conversely, universities with lower requirements suffered password reuse rates of up to 40%, they wrote. And, of course:

Our recommendations are not only applicable for universities, but also can be used by other organizations, services or applications.

The discovery here seems to be that longer and more random passwords are harder to remember, which has the effect of making them harder to reuse.

Put another way, if every website had similarly demanding policies, reusing passwords might become too inconvenient to bother with.
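What a policy of the kind the study recommends looks like when enforced at password-change time, as an added example that is neither the article's nor the study's code: a 15-character minimum, rejection of an account's recent previous passwords (one of the policy variables the researchers catalogued), and rejection of passwords already present in a breach list. The breached set and the password history are constructed sample data; a real deployment would load the breach list from a corpus rather than hard-code it.

```python
"""Added example (not from the IU study or the article): a password-policy
check with a 15-character minimum, a previous-password block and a
known-breached-password block. Sample data is constructed."""
import hashlib
from typing import Iterable, List


def sha1_hex(password: str) -> str:
    """SHA-1 is used here only as a lookup key into a breach list (the
    convention breach corpora use); it is not how the account's own
    credential should be stored."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed: hashes of a few passwords standing in for a breach corpus.
BREACHED_HASHES = {sha1_hex(p) for p in (
    "password1", "Summer2019!", "correcthorsebatterystaple")}

MIN_LENGTH = 15    # the passphrase minimum cited in the article
HISTORY_DEPTH = 5  # how many previous password hashes are remembered


def validate_password(candidate: str,
                      previous_hashes: Iterable[str] = (),
                      min_length: int = MIN_LENGTH) -> List[str]:
    """Return the list of policy violations; an empty list means accepted.

    previous_hashes holds sha1_hex() of the account's earlier passwords so
    the caller never has to keep plaintext history."""
    problems: List[str] = []
    digest = sha1_hex(candidate)
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if digest in BREACHED_HASHES:
        problems.append("appears in the breached-password list")
    recent = list(previous_hashes)[-HISTORY_DEPTH:]
    if digest in recent:
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    history = [sha1_hex("a-long-enough-passphrase!")]
    for pw in ("short", "correcthorsebatterystaple",
               "a-long-enough-passphrase!", "an entirely new passphrase"):
        print(repr(pw), "->", validate_password(pw, history) or "accepted")
```

Returning every violation rather than stopping at the first lets the change form tell the user what to fix in one pass; the length check is deliberately the only complexity rule, since the article's point is that length, not character-class juggling, is what drove IU's low reuse rate.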

One might argue that the problem could be bypassed with more and better authentication – although that’s easier said than done given that people tend to ignore extra authentication when it’s offered to them, for example, to protect their Gmail accounts.

This is what makes the IU team’s discovery interesting – perhaps password reuse isn’t the intractable problem it’s often presented as being and a simple change of password policies is a cheap upgrade that organisations could implement now.

It is, at least, perhaps a more practical solution than the University of North Carolina proposal that websites start checking passwords against a central database, implemented using homomorphic encryption.