It’s a potentially damaging practice, particularly for universities, with many student and faculty users and valuable assets all protected by passwords.
With this in mind, researchers at Indiana University have examined the practice of password reuse and posited ways to mitigate the risks associated with this insecure practice.
According to research conducted at the university, longer minimum passwords are the most effective way to reduce potential exposure in a third-party data breach, as well as prevent password reuse. The work being conducted by the group of researchers points to a simple way to foil criminals intent on breaking into university data.
Requiring longer and more complicated passwords resulted in a lower likelihood of password reuse, according to research findings from “Factors Influencing Password Reuse: A Case Study.” The authors of the paper are Jacob Abbott, an IU Bloomington Ph.D. student; Daniel Calarco, chief of staff for the IU Office of the Vice President for IT and CIO; and L. Jean Camp, professor in the IU Bloomington School of Informatics, Computing and Engineering.
To investigate the impact of policy on password reuse, the study analyzed password policies from 22 different U.S. universities, including IU. The research then extracted sets of emails and passwords from two large data sets that were published online and contained over 1.3 billion email addresses and password combinations. Based on email addresses belonging to university domains, passwords were compiled and compared against a university’s official password policy.
The findings were clear: Stringent password rules significantly lower a university’s risk of personal data breaches. Some highlights from the report:
- Passphrase requirements: a 15-character minimum length deterred the vast majority of IU users (99.98%) from reusing passwords or passphrases on other sites.
- Universities with fewer password requirements had reuse rates potentially as high as 40%.
- Analysis found that IU performed the best of the 22 examined universities — and had the most extensive password requirements.
“IU has worked with security and usability faculty to design our password policies, with the result being policies that value people’s time while mitigating risk,” says L. Jean Camp, professor in the IU Bloomington School of Informatics, Computing and Engineering. “The length and complexity are balanced by the extended period before new passwords must be generated and the use of a longer authentication time window for applications. Indiana University’s rollout of two-factor authentication is similarly a model.”
In addition to its findings, the researchers offer some recommendations to safeguard university personnel and the general public:
- Increase the minimum password length beyond 8 characters.
- Increase maximum password length.
- Disallow the user’s name or username inside passwords.
- Contemplate multi-factor authentication.
- Multi-factor authentication is becoming more common and usable. IU, for example, employs Two-Step Login. Multi-factor authentication may be a viable alternative to changing the length and complexity of password policies.