Study: Too Many Users Reuse Passwords

Study finds high rate of password reuse among users

You may have a remarkably strict password policy in place at your organization, requiring a long string of letters, numbers, and special characters. Unfortunately, that policy becomes far less effective if users set a similar or identical password for, say, logging in to Facebook, Amazon.com, or any other Web site. If a malicious hacker gets hold of a user's credentials for one domain, that hacker has a good starting point for figuring out the user's password on other sites.

Joseph Bonneau, a researcher from the University of Cambridge, studied just how rampant the problem of password reuse might be, and his conclusion is that it might be far worse than previous studies have indicated.

Bonneau compared recently stolen login information from two different Web sites, rootkit.com and gawker.com. Between the two data sets, he found an intersection of 456 legitimate email addresses, and the password reuse rate among those addresses was at least 31 percent. The figure could be as high as 43 percent -- or even 49 percent if you count the use of similar passwords, such as the same password with different characters capitalized (Hello vs. hEllO) or a number appended (Hello vs. Hello1).
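To make the "identical vs. similar" distinction concrete, here is an added example (not code from the study or from the article) that takes the intersection of two constructed email-to-password lists and counts exact reuse and near-reuse using the two transformations the article describes: case changes and a trailing number. The sample credentials are made up for illustration; the normalization rule is an assumption that mirrors the article's examples, not Bonneau's actual method.

```python
import re
from typing import Dict

# Constructed sample "leaks" (email -> plaintext password). Not real data.
SITE_A: Dict[str, str] = {
    "alice@example.com": "Hello",
    "bob@example.com": "sunshine42",
    "carol@example.com": "Tr0ub4dor&3",
    "dave@example.com": "letmein",
    "erin@example.com": "qwerty",
}
SITE_B: Dict[str, str] = {
    "alice@example.com": "hEllO",
    "bob@example.com": "sunshine42",
    "carol@example.com": "correcthorse",
    "dave@example.com": "letmein1",
    "frank@example.com": "dragon",
}


def normalize(pw: str) -> str:
    """Collapse the two variations the article mentions: case and a trailing number.

    'Hello1' -> 'hello', 'hEllO' -> 'hello'. An all-digit password normalizes to the
    empty string; callers must not treat two empty results as a match.
    """
    return re.sub(r"\d+$", "", pw).lower()


def classify(p1: str, p2: str) -> str:
    """Return 'identical', 'similar', or 'different' for one user's two passwords."""
    if p1 == p2:
        return "identical"
    n1, n2 = normalize(p1), normalize(p2)
    # Guard: '1234' and '5678' both normalize to '' but are not similar.
    if n1 and n1 == n2:
        return "similar"
    return "different"


def reuse_rates(a: Dict[str, str], b: Dict[str, str]) -> Dict[str, float]:
    """Compute reuse statistics over the accounts present in both leaks."""
    shared = sorted(set(a) & set(b))
    counts = {"identical": 0, "similar": 0, "different": 0}
    for email in shared:
        counts[classify(a[email], b[email])] += 1
    n = len(shared)
    # Avoid division by zero when the two leaks share no accounts.
    exact = counts["identical"] / n if n else 0.0
    loose = (counts["identical"] + counts["similar"]) / n if n else 0.0
    return {
        "shared_accounts": n,
        "identical": counts["identical"],
        "similar": counts["similar"],
        "different": counts["different"],
        "exact_reuse_rate": exact,     # article's "identical password" figure
        "loose_reuse_rate": loose,     # article's "identical or similar" figure
    }


if __name__ == "__main__":
    for key, value in reuse_rates(SITE_A, SITE_B).items():
        print(f"{key}: {value}")
```

On the constructed data, four accounts appear in both leaks: one identical password, two near-duplicates (case change, appended digit), and one unrelated, giving an exact reuse rate of 25 percent and a loose rate of 75 percent. In practice the two sets must both be available in plaintext (or cracked) before this comparison is possible, which is one reason a measured reuse rate is a lower bound.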

To put that in perspective (and taking into account a margin of error of plus or minus 5 percent), it means that if a hacker manages to steal a user's login name and password, there is as much as a one-in-two chance that the hacker will have the key (or a close fit) to that user's other accounts. Previous studies, according to Bonneau, have put the password reuse rate at 20 percent or less.

Importantly, though, Bonneau's study is only a snapshot comparing password reuse among two relatively low-security, low-value sets of accounts; these weren't financial or personal email accounts, for example. Users may be more cautious when their credit standing or private communications are at stake. More study is needed, Bonneau notes.

Still, this might be a good wake-up call for organizations that currently have relatively lax password policies, or where users log in to several domains for work purposes: IT departments might at least consider warning users never to reuse their work passwords for any of their personal accounts.

This story, "Study finds high rate of password reuse among users," was originally published at InfoWorld.com.