In the midst of National Cybersecurity Month, researchers from Indiana University (IU) have released the results of a study showing that requiring longer minimum password lengths helps prevent fraud.
When users sign up for services, they often reuse the same password. If that site or service is breached, the password is potentially sitting on the web for anyone to see, explained Dan Calarco, CIO of IU and co-author of a new paper examining the practice of password reuse.
Requiring longer and more complicated passwords makes it less likely that users will reuse passwords, the researchers explained in a paper titled “Factors Influencing Password Reuse: A Case Study.”
The study examined password policies from 22 different universities in the United States, including IU, then extracted sets of emails and passwords from two datasets published online containing a combined 1.3 billion email address and password combinations. The researchers then compared the passwords against each university’s password policy.
“Our paper shows that passphrase requirements such as a 15-character minimum length deter the vast majority of IU users (99.98 percent) from reusing passwords or passphrases on other sites,” they wrote. “Other universities with fewer password requirements had reuse rates potentially as high as 40 percent.”
Following the report, the authors recommended these policies to make passwords safer: increase the minimum password length to more than 8 characters, increase the maximum password length, disallow the user’s name or username inside passwords, and use multi-factor authentication.
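The comparison described above can be sketched as follows. This is an added example, not code from the paper: the domains, policies and leaked records are constructed, the function names are hypothetical, and it assumes that a leaked password which fits a domain's policy counts as a potential reuse while one that does not fit cannot be the current password there.

```python
# Added illustration: constructed data, hypothetical names; not the study's code.
from collections import defaultdict

# Hypothetical per-domain policies (constructed; not the real universities' rules).
POLICIES = {
    "long.example.edu": {"min_len": 15, "max_len": 127, "ban_username": True},
    "short.example.edu": {"min_len": 8, "max_len": 16, "ban_username": False},
}

# Constructed "leaked" records in email:password form.
LEAKED = [
    "alice@long.example.edu:sunshine1",
    "bob@long.example.edu:correct horse battery staple",
    "carol@long.example.edu:carol-loves-long-passphrases",
    "dave@short.example.edu:sunshine1",
    "erin@short.example.edu:abc123",
    "frank@short.example.edu:frank2019!",
    "malformed-line-without-separator",
]

def complies(password, username, policy):
    """True if the password would have been accepted under the policy."""
    if not policy["min_len"] <= len(password) <= policy["max_len"]:
        return False
    if policy["ban_username"] and username.lower() in password.lower():
        return False
    return True

def potential_reuse(records, policies):
    """Per domain: (compliant, total, rate) for leaked passwords."""
    counts = defaultdict(lambda: [0, 0])
    for line in records:
        email, sep, password = line.partition(":")
        user, at, domain = email.rpartition("@")
        domain = domain.lower()
        if not sep or not at or domain not in policies:
            continue  # skip malformed lines and domains without a policy
        counts[domain][1] += 1
        if complies(password, user, policies[domain]):
            counts[domain][0] += 1
    return {d: (ok, n, ok / n) for d, (ok, n) in counts.items()}

if __name__ == "__main__":
    for domain, (ok, n, rate) in potential_reuse(LEAKED, POLICIES).items():
        print(f"{domain}: {ok}/{n} leaked passwords fit the policy ({rate:.0%})")
```

The resulting rate is an upper bound on reuse, since a compliant leaked password may still differ from the one the user set at the university.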