Better password policies could result in less credential reuse, academics find

New research points to complex passwords being less used across multiple services

The word password among code

Requiring longer and more complicated passwords could prevent people from using them in multiple websites and online services, according to new research.

According to a research paper from scientists at Indiana University, overcoming password reuse on such services could be easier than imagined. The researchers looked at the password policies of 22 universities in the US as well as 1.3 billion email addresses and passwords obtained from Exploit.in and Anti-Public combination lists.

Advertisement - Article continues below

From the 1.3 billion credentials found in the Exploit.in and AntiPublic datasets there were nearly 7.4 million email addresses associated with .edu domains.

Based on email addresses belonging to academic institutions, passwords were compiled and tested against a university's prescribed password policy. They discovered that longer, more complicated passwords or passphrases are ultimately less likely to be reused on other sites.

"Similar to length, there is a distinct trend towards higher complexity having a lower likelihood of being reused," said the researchers. One of the best performing universities in the research was Indiana University with a password a minimum requirement of 15 characters. This discouraged nearly all its users (99.98%) from reusing the same password on other sites.

"Additionally, we found that the majority of password policies were difficult to very difficult to read and understand according to the Flesch reading scale and typically have a literacy requirement of high school level."

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The researchers recommended that organisations should Increase the minimum password length beyond 8 characters; increase maximum password length; disallow the user's name or username inside passwords; and contemplate multi-factor authentication.

"Our recommendations are not only applicable for universities, but also can be used by other organisations, services or applications," researchers said.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement

Recommended

Visit/security/28026/what-is-a-ddos-attack
Security

What is a DDoS attack?

8 Jul 2020
Visit/security/ransomware/356292/university-of-california-gets-fleeced-by-hackers-for-114-million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Visit/security/cyber-security/356289/australia-announces-135b-investment-in-cybersecurity
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
Visit/cloud/cloud-security/356288/csa-and-issa-form-cybersecurity-partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020

Most Popular

Visit/business/business-operations/356395/nvidia-overtakes-intel-as-most-valuable-us-chipmaker
Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020
Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/server-storage/servers/356083/the-best-server-solution-for-your-smb
Sponsored

The best server solution for your SMB

26 Jun 2020