A Microsoft Research paper goes against everything Internet users have been told and lectured about over the past couple of years by encouraging the use, and reuse, of simple passwords for accounts that do not matter much.
“Our findings directly challenge accepted wisdom and conventional advice,” wrote Dinei Florencio and Cormac Herley of Microsoft Research, and Paul C. van Oorschot of Carleton University in “Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts.”
Conventional password security advice tells users that their passwords should be random and strong, and should not be reused across accounts. There is even a day devoted to encouraging people to change their passwords. The advice seems logical: if users have strong, unique passwords, those passwords are harder for attackers to obtain. But the researchers say this practice is burdensome and often results in users forgetting their passwords, which I can attest does happen (I can’t tell you the number of times I’ve had to click the “forgot your password” link and reset my password).
“While significant attention has been devoted to motivating and helping users choose strong individual passwords, there is little guidance on how to choose and manage large numbers of them,” the researchers wrote.
The researchers recommend the use and reuse of weak, easily remembered passwords, but not for every site. They suggest classifying accounts into two groups: one with high value and low probability of compromise, and another with low value and high probability of compromise. The first group would include sites that hold personal information, like your online bank account or email account; each of these gets its own strong password. The second group includes websites and forums that hold none of your crucial information, such as sites that don’t require financial transactions; these can share a weak password, since losing one of them costs little.
“Any strategy that rules out weak passwords or re-use will be sub-optimal,” the researchers wrote. “We note that while password re-use must be part of an optimal portfolio strategy, it is no panacea. Far from optimal outcomes will result if accounts are grouped arbitrarily.”
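To make the grouping argument concrete, here is an added example (not code from the paper or from the article) that compares a few password-portfolio strategies under a deliberately simplified loss model. The model, the account list, and the dollar values and compromise probabilities are all constructed for illustration and are not the paper’s own figures or formulation; the one modelling assumption is that accounts sharing a password fall together, so a group is lost if any member is compromised, and that a user can only remember a fixed number of passwords. It also goes one step beyond the article and brute-forces the optimal grouping under that memory budget, so you can see that the value/probability split is what the search finds and that an arbitrary grouping is far from it.

```python
"""Toy password-portfolio model (added example; not the paper's model).

An account is (name, value lost if compromised, probability of compromise
when it has its own strong password). Values are constructed for illustration.
"""

# Constructed sample portfolio; numbers are illustrative, not measured.
ACCOUNTS = [
    ("bank", 1000.0, 0.01),
    ("email", 800.0, 0.02),
    ("forum", 5.0, 0.20),
    ("newsletter", 1.0, 0.30),
    ("game", 10.0, 0.25),
]

# An "arbitrary" grouping of the same accounts into three passwords,
# mixing high-value accounts with high-probability ones.
ARBITRARY_GROUPS = [
    [ACCOUNTS[0], ACCOUNTS[2]],   # bank + forum share a password
    [ACCOUNTS[1], ACCOUNTS[4]],   # email + game share a password
    [ACCOUNTS[3]],                # newsletter alone
]


def expected_loss(groups):
    """Expected loss of a grouping.

    Assumption of this example: every account in a group shares one password,
    so the whole group is lost if any member is compromised. Expected loss is
    the sum over groups of P(group lost) * total value of the group.
    """
    total = 0.0
    for group in groups:
        p_safe = 1.0
        for _, _, p in group:
            p_safe *= (1.0 - p)
        total += (1.0 - p_safe) * sum(v for _, v, _ in group)
    return total


def unique_strategy(accounts):
    """Conventional advice: a separate strong password for every account."""
    return [[a] for a in accounts]


def article_strategy(accounts, value_threshold=100.0, prob_threshold=0.05):
    """The two-group split described in the article: high-value, low-probability
    accounts each get their own password; everything else shares one.
    Thresholds are assumptions of this example."""
    high = [a for a in accounts
            if a[1] >= value_threshold and a[2] <= prob_threshold]
    low = [a for a in accounts if a not in high]
    groups = [[a] for a in high]
    if low:
        groups.append(low)
    return groups


def partitions(items):
    """Yield every set partition of items (Bell-number many; fine for a few)."""
    if not items:
        yield []
        return
    first, rest = items[0], items[1:]
    for part in partitions(rest):
        for i in range(len(part)):          # join an existing block
            yield part[:i] + [[first] + part[i]] + part[i + 1:]
        yield [[first]] + part              # or start a new block


def best_grouping(accounts, max_passwords):
    """Brute-force the minimum-loss grouping for a user who can remember at
    most max_passwords passwords. Returns (loss, groups)."""
    best = None
    for part in partitions(list(accounts)):
        if len(part) > max_passwords:
            continue
        loss = expected_loss(part)
        if best is None or loss < best[0]:
            best = (loss, part)
    return best


if __name__ == "__main__":
    print("unique per account :", round(expected_loss(unique_strategy(ACCOUNTS)), 2))
    print("article two-group  :", round(expected_loss(article_strategy(ACCOUNTS)), 2))
    print("arbitrary grouping :", round(expected_loss(ARBITRARY_GROUPS), 2))
    loss, groups = best_grouping(ACCOUNTS, max_passwords=3)
    print("best with 3 pwds   :", round(loss, 2),
          [[n for n, _, _ in g] for g in groups])
```

With a budget of three passwords, the search lands on exactly the article’s split (bank alone, email alone, the three low-value sites sharing), and the arbitrary grouping costs more than ten times as much, which is the “far from optimal outcomes” the quote above refers to. The unique-per-account strategy scores lowest here only because this toy model charges nothing for the effort of remembering five passwords; the paper’s contribution is precisely to put that finite effort into the model, which is what makes some reuse part of the optimal portfolio.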
For users who don’t want to reuse their passwords, other strategies for coping with the burden of remembering a password for every site include single sign-on, email-based password reset mechanisms, and password managers. The researchers point out, though, that each of these concentrates risk: compromise of the identity provider, the email account, or the manager exposes every account that depends on it.
Users have to weigh how much security each account needs against how much effort they are willing to spend protecting it.