Study Reveals That Stringent Password Policies Protect Against Fraud
Marie Donlon | October 18, 2018
Users today are required to keep track of a huge number of email addresses and passwords, so it’s no wonder most are reused from account to account. However, the practice of reusing that same password to log into different websites could have catastrophic consequences.
"If someone uses their university email address and passphrase to sign up for, say, LinkedIn, and LinkedIn is breached by cybercriminals, that would mean their university password is sitting on the web for everyone to see," said Indiana University's Dan Calarco, co-author on a new paper that examines the practice of password reuse.
As such, researchers from Indiana University have devised a method for foiling attempts to break into university data using recycled passwords.
"We found that requiring longer and more complicated passwords resulted in a lower likelihood of password reuse," the authors wrote in the paper, Factors Influencing Password Reuse: A Case Study.
Looking at password policies governing 22 different universities throughout the United States, researchers collected sets of emails and passwords from datasets available online that held more than 1.3 billion email address and password combinations. Looking at email addresses that belonged to a particular university’s domain, researchers compiled passwords and measured them against each university’s official password policies.
Unsurprisingly, the team discovered that universities lowered their risk of personal data breaches the more stringent their policies governing password creation were.
"Our paper shows that passphrase requirements such as a 15-character minimum length deter the vast majority of IU users (99.98 percent) from reusing passwords or passphrases on other sites," they wrote. "Other universities with fewer password requirements had reuse rates potentially as high as 40 percent." Their analysis found that IU performed the best of all 22 universities, with the most extensive password policy requirements.
"IU has worked with security and usability faculty to design our password policies, with the result being policies that value people's time while mitigating risk," said L. Jean Camp, a professor in the IU Bloomington School of Informatics, Computing and Engineering. “The length and complexity are balanced by the extended period before new passwords must be generated and the use of a longer authentication time window for applications. Indiana University's rollout of two-factor authentication is similarly a model."
Among the suggested practices for creating and safeguarding passwords, the IU team recommends increasing password length beyond the commonly-used eight characters; prohibiting usernames inside passwords and considering multi-factor authentication.
"Our recommendations are not only applicable for universities, but also can be used by other organizations, services or applications," they wrote.
Yes, because once the passwords become so difficult to remember, people just start writing them all down. Doh!