Researchers Say Password Re-Use Isn’t All Bad

A paper published by Microsoft and researchers at Carleton University declare password re-use and weak credentials have their place for users managing multiple accounts.

Forget what you’ve been told about password re-use and weak credentials. If we’re to believe collaborating researchers from Microsoft and Carelton University, neither is such a bad idea.

Flying in the face of conventional pleading from experts that “password” is a bad password, new research puts the brakes on that notion, suggesting that password re-use, for example, must be part of a user’s strategy to manage a large number of log-ins.

“In practice, many users gather accounts into groups that re-use a password, but little guidance exists on choosing appropriate groups. Given that re-use does and will happen, we explore how to do so in a principled way,” researchers Dinei Florencio and Cormac Herley of Microsoft and Paul C. van Oorschot of Carleton University in Canada wrote in a paper titled: “Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts.”

In other words, focus strong password use on websites of higher value such as banking or health care, and re-use weaker passwords at will on sites where potential losses would be minimal.

“We find that optimally, marginal return on effort is inversely proportional to account values.”

“We find that optimally, marginal return on effort is inversely proportional to account values,” the researchers wrote. “We note that while password re-use must be part of an optimal portfolio strategy, it is no panacea.”

The paper also takes password managers and cloud-based data storage protected by a single password to task because they create a single point of failure and come up short against brute-force, phishing or server breaches.

“If the master password is guessed or used on any malware-infected client, or the cloud store is compromised, then all credentials are lost,” the researchers wrote.

Just this week, popular password management software LastPass patched a vulnerability in the LastPass bookmarklet option that could have allowed an attacker to generate one-time passwords for a victim’s account. University of California at Berkeley researchers also published a paper this week citing critical vulnerabilities in LastPass as well as RoboForm, My1Login, PasswordBox and NeedMyPassword.

Rather than rely on a single point of failure guarded by a complex password, the researchers suggest first restructuring the problem by attack class. They define three: Full; Group; and Single. Full occurs when an attacker uses client-side malware, for example, to acquire all of a user’s password-protected accounts. Group compromises happen via phishing or brute-force attacks where the attacker steals a credential that might be shared among accounts. A Single, meanwhile, happens when an attacker does not acquire a password, but instead compromises a target account via cookie stealing or cross-site request forgery.

By understanding this classification, a user may then appropriate the complexity of passwords according to attack vector and tactics.

“We find that optimally, marginal return on effort is inversely proportional to account values,” the researchers wrote. “While the optimal strategy involves selective re-use and weaker passwords, benefits accrue only if the effort saved is re-deployed elsewhere for better returns. Users must not arbitrarily weaken and re-use passwords.”

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.