The solution to password recycling may be easier to implement than previously thought, according to a recent paper
A team of three academics from Indiana University set out to examine the impact of prescribing rules for password creation on password reuse. To do so, they first analyzed the password policies of 22 universities in the US. Then they dived into 1.3 billion username/password combinations that are available online as a result of past breaches. In the process, they found close to 7.4 million login credentials where the email addresses belonged to the domain name associated with universities.
“Based on email addresses belonging to a university’s domain (we checked the .edu domain address), passwords were compiled and tested against a university’s prescribed password policy,” said the researchers.
In the end, they found that the higher the prescribed minimum length of a password or passphrase, the lower the likelihood that it would be reused on another site.
“There is a distinct trend of having a higher minimum length required reducing the likelihood of reuse across multiple universities,” according to the key finding in their study, called “Factors Influencing Password Reuse: A Case Study”.
With its requirement for a 15-character minimum length, Indiana University (IU) performed the best. As summed up by L. Jean Camp, who is one of the three researchers behind the paper, the requirement for a password or passphrase to be at least 15 characters long deterred nearly all IU users (99.98 percent) from recycling it on other sites.
“Other universities with fewer password requirements had reuse rates potentially as high as 40 percent,” she said. “Fewer password requirements” here means that the password needs to contain only a minimum of seven characters and that no more than a mix of letters and digits is required.
Indeed, much the same picture was painted when it comes to password complexity. The universities that prescribed more complex passwords had a far lower likelihood of password reuse than those that were less stringent. In this case, the highest complexity rating was equivalent to at least one lowercase letter, one uppercase letter, one digit, and one special character.
Based on their findings, the researchers suggested four recommendations to organizations and the public at large – increase minimum password length beyond eight characters, increase the ceiling on password length, disallow the user’s name or username inside passwords, and consider adopting multi-factor authentication.
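As an added illustration, not code from the paper or from this article, the following Python checker encodes the four recommendations together with the complexity rating described above. The 15-character minimum (IU's value), the 128-character ceiling, and the helper names are this example's own assumptions.

```python
# Password policy checker built from the article's recommendations (added example):
# minimum length beyond eight (IU's 15 used here), a high length ceiling, the
# four-class complexity rating the study describes, and no username/name inside
# the password. Policy defaults and helper names are this example's own choices.
from dataclasses import dataclass

@dataclass(frozen=True)
class Policy:
    min_length: int = 15   # the IU minimum the article highlights
    max_length: int = 128  # raise the ceiling so long passphrases are not rejected
    min_classes: int = 4   # lower, upper, digit, special: the page's top rating

def complexity_rating(password: str) -> int:
    """Number of character classes present, 0 to 4 (lower, upper, digit, special)."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])

def contains_identity(password: str, username: str, full_name: str) -> bool:
    """True if the username, its e-mail local part, or a name token of 3+ chars
    appears in the password, case-insensitively."""
    haystack = password.lower()
    tokens = {username.lower(), username.split("@")[0].lower()}
    tokens.update(part.lower() for part in full_name.split())
    return any(len(t) >= 3 and t in haystack for t in tokens)

def evaluate(password: str, username: str, full_name: str,
             policy: Policy = Policy()) -> list[str]:
    """Return the policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if len(password) > policy.max_length:
        problems.append(f"longer than {policy.max_length} characters")
    if complexity_rating(password) < policy.min_classes:
        problems.append(f"fewer than {policy.min_classes} character classes")
    if contains_identity(password, username, full_name):
        problems.append("contains the user's name or username")
    return problems

if __name__ == "__main__":
    # Constructed sample inputs, not data from the study.
    for pw in ["Summer2019!", "correct horse battery staple", "Jane.Doe@Walks-2019"]:
        print(pw, "->", evaluate(pw, "jdoe@example.edu", "Jane Doe") or "passes")
```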