News

Better password policies could result in less credential reuse, academics find

New research points to complex passwords being less used across multiple services

23 Oct 2018

.polaris__post-meta--date { display: none; } .polaris__post-meta--date.no-script { display: block; padding-left: 45px } 23 Oct 2018

Password is seen in a maginfying glass written in green text while surrounded by binary code written in blue text

Shutterstock

Requiring longer and more complicated passwords could prevent people from using them in multiple websites and online services, according to new research.

According to a research paper from scientists at Indiana University, overcoming password reuse on such services could be easier than imagined. The researchers looked at the password policies of 22 universities in the US as well as 1.3 billion email addresses and passwords obtained from Exploit.in and Anti-Public combination lists.

From the 1.3 billion credentials found in the Exploit.in and AntiPublic datasets there were nearly 7.4 million email addresses associated with .edu domains.

Based on email addresses belonging to academic institutions, passwords were compiled and tested against a university's prescribed password policy. They discovered that longer, more complicated passwords or passphrases are ultimately less likely to be reused on other sites.

Building a better password

"Similar to length, there is a distinct trend towards higher complexity having a lower likelihood of being reused," said the researchers. One of the best performing universities in the research was Indiana University with a password a minimum requirement of 15 characters. This discouraged nearly all its users (99.98%) from reusing the same password on other sites.

"Additionally, we found that the majority of password policies were difficult to very difficult to read and understand according to the Flesch reading scale and typically have a literacy requirement of high school level."

The researchers recommended that organisations should Increase the minimum password length beyond 8 characters; increase maximum password length; disallow the user's name or username inside passwords; and contemplate multi-factor authentication.

"Our recommendations are not only applicable for universities, but also can be used by other organisations, services or applications," researchers said.

Featured Resources

Modern governance: The how-to guide

Equipping organisations with the right tools for business resilience

.imgHideOnJavaScriptDisabled_https://media.itpro.co.uk//image/upload/f_auto,t_resource-card-mobile@1/v1638974102/itpro/Whitepaper%20covers/Diligent_Modern_Governance_cover.png { display: none !important; }

Free Download

Cloud operational excellence

Everything you need to know about optimising your cloud operations

.imgHideOnJavaScriptDisabled_https://media.itpro.co.uk//image/upload/f_auto,t_resource-card-mobile@1/v1622545081/itpro/Whitepaper%20covers/Cloud_Op_Excellence.jpg { display: none !important; }

Watch now

A buyer’s guide to board management software

How the right software can improve your board’s performance

.imgHideOnJavaScriptDisabled_https://media.itpro.co.uk//image/upload/f_auto,t_resource-card-mobile@1/v1638982070/itpro/Whitepaper%20covers/board_management_software_thumb.png { display: none !important; }

The real world business value of Oracle autonomous data warehouse

Lead with a 417% five-year ROI

.imgHideOnJavaScriptDisabled_https://media.itpro.co.uk//image/upload/f_auto,t_resource-card-mobile@1/v1638972797/itpro/Whitepaper%20covers/content_syndication_story_idc_business_brief_adw__1_.jpg { display: none !important; }

Download now