Researchers Say Password Re-Use Isn’t All Bad

A paper published by Microsoft and researchers at Carleton University declare password re-use and weak credentials have their place for users managing multiple accounts.

Forget what you’ve been told about password re-use and weak credentials. If we’re to believe collaborating researchers from Microsoft and Carelton University, neither is such a bad idea.

Flying in the face of conventional pleading from experts that “password” is a bad password, new research puts the brakes on that notion, suggesting that password re-use, for example, must be part of a user’s strategy to manage a large number of log-ins.

“In practice, many users gather accounts into groups that re-use a password, but little guidance exists on choosing appropriate groups. Given that re-use does and will happen, we explore how to do so in a principled way,” researchers Dinei Florencio and Cormac Herley of Microsoft and Paul C. van Oorschot of Carleton University in Canada wrote in a paper titled: “Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts.”

In other words, focus strong password use on websites of higher value such as banking or health care, and re-use weaker passwords at will on sites where potential losses would be minimal.

“We find that optimally, marginal return on effort is inversely proportional to account values.”

“We find that optimally, marginal return on effort is inversely proportional to account values,” the researchers wrote. “We note that while password re-use must be part of an optimal portfolio strategy, it is no panacea.”

The paper also takes password managers and cloud-based data storage protected by a single password to task because they create a single point of failure and come up short against brute-force, phishing or server breaches.

“If the master password is guessed or used on any malware-infected client, or the cloud store is compromised, then all credentials are lost,” the researchers wrote.

Just this week, popular password management software LastPass patched a vulnerability in the LastPass bookmarklet option that could have allowed an attacker to generate one-time passwords for a victim’s account. University of California at Berkeley researchers also published a paper this week citing critical vulnerabilities in LastPass as well as RoboForm, My1Login, PasswordBox and NeedMyPassword.

Rather than rely on a single point of failure guarded by a complex password, the researchers suggest first restructuring the problem by attack class. They define three: Full; Group; and Single. Full occurs when an attacker uses client-side malware, for example, to acquire all of a user’s password-protected accounts. Group compromises happen via phishing or brute-force attacks where the attacker steals a credential that might be shared among accounts. A Single, meanwhile, happens when an attacker does not acquire a password, but instead compromises a target account via cookie stealing or cross-site request forgery.

By understanding this classification, a user may then appropriate the complexity of passwords according to attack vector and tactics.

“We find that optimally, marginal return on effort is inversely proportional to account values,” the researchers wrote. “While the optimal strategy involves selective re-use and weaker passwords, benefits accrue only if the effort saved is re-deployed elsewhere for better returns. Users must not arbitrarily weaken and re-use passwords.”

Suggested articles

biggest headlines 2020

The 5 Most-Wanted Threatpost Stories of 2020

A look back at what was hot with readers — offering a snapshot of the security stories that were most top-of-mind for security professionals and consumers throughout the year.


  • nobody important on

    Did anyone else literally LOL while reading this? How about groan/roll eyes?
  • somebody important on

    Yeah it's about to get ripped to shreds on Reddit:
  • maybe somebody important on

    ...and doctors recommended cigarettes at one time too. A meaningful oversight for the researchers is the fact that every site you setup an account on makes you put an email address, so even if you have a strong password protecting your valuable information, if your email account doesn't have one on it, then they can gain access to your information simply by resetting your password to something of their choosing. LastPass and services of the like are the only true mitigation against forgetting tons of complex passwords.
  • somebody important's mother on

    Yes, I prefer multiple points of failure. Much more secure than one big, strong, well guarded gate.
  • who really is important anyway? on

    "LastPass and services of the like are the only true mitigation against forgetting tons of complex passwords."
    Until of course they get hacked and now they have all my passwords plus the sites they go to. There's an old saying about this for a reason: "don't put all your eggs in one basket." Keeping every password to every site in a single application's service is probably no less risky than reusing passwords in a smart way. Perfect security is unattainable. There needs to be a balance between security and convenience that's based on reality and risk. These researchers may be right or they may be wrong, but at least they're starting with reality reality. It's a good place to start.
  • Lars on

    Well for me this study does not matter. I care about my online identity and use unique passwords even for sites which are not that important. For that I use a password manager as mentioned in the article, but I use Sticky Password.
  • Joe on

    This is just silly! Just use a password manager if you're too lazy to remember passwords. I use RoboForm and I couldn't live without it.
  • dave keays on

    I'm not going to reveal my pw policies here. But I will mention that the statement about people who can't remember passwords being "too lazy" is ignorant of reality.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.