How to Stop People From Reusing Passwords on Different Websites


One of the main security-related problems in recent years has been how to stop people from using the same password for every website and app. I think it's fair to say everyone has been guilty of this at some point. Why fix what isn't broken, right? Well, because it can save you from a massive online hack and data leak, that's why. Reusing the same password for multiple websites all but guarantees that if one of your accounts gets hacked, all of the others will be hacked.

Sadly, just telling people what to do or what not to do won't work. Some people think their passwords are too good and they're invulnerable, others just can't be bothered to change their passwords or think of new passwords for every website they go to. But is there another way?

A new study from Indiana University (IU), named "Factors Influencing Password Reuse: A Case Study", may have an answer. According to the study, the answer may be a simple one: just get websites to set policies that require longer and more complex passwords. The IU researchers reached this seemingly straightforward conclusion after researching the overabundance of password reuse at over 20 US universities, a number that includes IU itself.

First, the researchers studied the universities' official password policies. They paid close attention to important variables like the length of the passwords and the characters used. They also checked whether reuse of old passwords was allowed, and whether passwords had an expiration date.
Afterward, they went through a database with over 1.3 billion known breached passwords. The researchers were checking for email addresses connected to these university domains. Perhaps not surprisingly, they found that approximately 7.3 million credentials on the list were connected.

The data makes it clear that a huge amount of university emails were breached. The question is how many of the breached emails were hacked due to reused passwords and how many were breached due to other factors? While it's not possible to say with 100% certainty, it can be assumed that if a password shows up in a public database it has likely been used in several places, just because it's virtually impossible for all of these to have been stolen from the universities alone.

How to prevent password reuse

By associating the leaked passwords with each university's official password policy, the researchers discovered that the universities with stricter password policies were considerably less likely to pop up in the public databases.
Indiana University had an especially low password reuse rate because of its tough requirements, which made the authors conclude that:
Password length requirements should be a minimum of at least 15 characters. This prevents almost all IU users (99.98 percent to be exact) from reusing the same passwords or passphrases on other websites. On the other hand, universities with low length requirements endured much higher password reuse rates, some as high as 40%, according to the study.
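
The comparison described above can be sketched in code. This is an added example, not the study's own code: each leaked record is matched to its university domain and the password is tested against that university's policy, on the simplifying assumption that a leaked password fitting the policy could also have been the university password. The domains, policies and records are constructed for illustration.

```python
from collections import defaultdict

# Hypothetical policies: minimum length and whether a digit is required.
POLICIES = {
    "longpass.example.edu": {"min_length": 15, "needs_digit": False},
    "shortpass.example.edu": {"min_length": 8, "needs_digit": True},
}

# Constructed sample of breach-corpus records (email:password); not real data.
SAMPLE_RECORDS = [
    "alice@longpass.example.edu:sunshine1",
    "bob@longpass.example.edu:correct horse battery staple",
    "carol@longpass.example.edu:qwerty123",
    "dave@longpass.example.edu:letmein",
    "erin@shortpass.example.edu:sunshine1",
    "frank@shortpass.example.edu:qwerty123",
    "grace@shortpass.example.edu:letmein",
    "malformed line without separator",
    "heidi@other.example.com:password1234",
]

def complies(password, policy):
    """True if the password would be accepted under the given policy."""
    if len(password) < policy["min_length"]:
        return False
    if policy["needs_digit"] and not any(c.isdigit() for c in password):
        return False
    return True

def compliance_by_domain(records, policies):
    """Return {domain: (compliant, total, rate)} for domains with a known policy."""
    counts = defaultdict(lambda: [0, 0])
    for line in records:
        # Split on the first ':' only, since passwords may contain ':'.
        email, sep, password = line.partition(":")
        if not sep or "@" not in email:
            continue  # skip malformed records
        domain = email.rsplit("@", 1)[1].lower()
        if domain not in policies:
            continue  # not one of the studied domains
        counts[domain][1] += 1
        if complies(password, policies[domain]):
            counts[domain][0] += 1
    return {d: (ok, total, ok / total) for d, (ok, total) in counts.items()}

if __name__ == "__main__":
    results = compliance_by_domain(SAMPLE_RECORDS, POLICIES)
    for domain, (ok, total, rate) in sorted(results.items()):
        print(f"{domain}: {ok}/{total} leaked passwords fit the policy ({rate:.0%})")
```

In this constructed sample, the short passwords that users carry from site to site fit the 8-character policy but not the 15-character one, which is the pattern the study reports.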

The conclusion of the paper appears to be that longer and more complex passwords are much harder to remember, which in turn has the effect of making them less likely to be reused. Or, more simply put, if all websites had such strict and demanding policies, using the same password would become so much of a hassle that the average user wouldn't bother with it.

What else can I do to protect my accounts from password reuse?

Another, possibly more efficient solution would be to use a proven password manager. Cyclonis Password Manager comes with many useful tools and utilities, including a Password Analyzer and a Password Generator. The Password Analyzer can grade any password you think up based on its length and complexity, along with other factors (like reuse), to make sure you're using a strong enough password. Meanwhile, the Password Generator feature will allow you to automatically create super strong and hard-to-guess passwords with the click of a button. The best part is that you don't even have to remember or write down your passwords (apart from the Master Password, of course) because CPM will remember everything for you. CPM also has an abundance of other useful tools, like sync across all devices, Two-Factor Authentication, qualified tech support, Cloud storage and so much more.

December 6, 2018
