Last Updated on January 17, 2024
It’s hard to remember a bunch of different passwords, which is why people habitually reuse them—despite the obvious security risks. A recent survey by the password manager vendor LastPass revealed that, while 91% of respondents knew it was risky to reuse passwords, 61% admitted doing it regardless.
In another recent study that analyzed a database of over 28 million users and passwords, 52% had the same passwords (or extremely similar ones) for multiple services. Online shopping services and email accounts topped the list of sites where password reuse was rampant.
The Business Risk of Password Reuse
Reusing passwords is bad enough in the personal realm, where it can lead to a cascade of compromised credentials resulting in fraud across banking, retail, social media and entertainment sites. But the stakes are even higher for organizations with many users and sensitive information assets to protect.
When employees or students reuse their corporate or university email address and password on social or consumer sites and one of these is breached (as they so often are), that opens doors to organizational systems that hackers are quick to exploit.
The Data Behind Longer Passwords
Researchers at Indiana University have uncovered a strong, if somewhat counter-intuitive, correlation between password policy and password reuse: requiring longer and more complex passwords greatly reduces the incidence of password reuse.
15-Character Minimum Length
Their research showed that requiring a 15-character minimum passphrase for university systems deters over 99% of users from reusing those passwords on other sites. Under weaker password requirements, reuse of organizational passwords ran as high as 40%. Presumably, this is because longer passphrases are less convenient to reuse than shorter passwords.
Balancing Length, Complexity, and Reset Requirements
The latest NIST guidance recommends that password policies balance greater length and complexity requirements against longer periods before requiring new passwords. Both requiring too-frequent password changes and demanding high password complexity (mixtures of uppercase letters, symbols, numbers, etc.) have been shown to result in weaker passwords.
Some further tips from the study include:
- Increase your minimum password length well beyond eight characters
- Increase your maximum password length
- Screen new passwords against lists of commonly used or easily compromised passwords
- Prevent usernames from being “reused” within passwords
- Move to multifactor authentication (MFA) as soon as possible
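As an added example (not from this post or from Pivot Point Security), a Python screening function that applies the tips above to a candidate password: the 15-character minimum, a raised maximum, a check against a compromised-password list, and a rule that the username must not be reused inside the password. The 128-character maximum and the short blocklist are assumed placeholders; a real deployment would load a large breached-password list.

```python
import re
import unicodedata

MIN_LENGTH = 15    # minimum from the Indiana University finding cited above
MAX_LENGTH = 128   # assumed value: raise the cap so long passphrases are not rejected

# Constructed sample blocklist standing in for a full compromised-password list.
BLOCKLIST = {"password", "123456", "qwerty", "welcome1", "letmein"}


def _normalize(text):
    # NFKC + casefold so "PassW0rd" and "passw0rd" compare equal.
    return unicodedata.normalize("NFKC", text).casefold()


def username_tokens(username):
    """Return the normalized parts of a username that must not appear in the password.

    'jane.doe@example.edu' yields {'jane.doe', 'jane', 'doe'}; parts shorter than
    three characters are ignored to avoid flagging every password containing 'jo'.
    """
    local = username.split("@", 1)[0]
    tokens = {local} | set(re.split(r"[._\-+]", local))
    return {_normalize(t) for t in tokens if len(t) >= 3}


def check_password(password, username):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")

    norm = _normalize(password)
    # Also compare with trailing digits/symbols stripped, so "Welcome1!" hits "welcome".
    stem = re.sub(r"[\d!@#$%^&*.]+$", "", norm)
    if norm in BLOCKLIST or stem in BLOCKLIST:
        problems.append("appears on the compromised-password list")

    for token in sorted(username_tokens(username)):
        if token in norm:
            problems.append(f"contains username part '{token}'")
    return problems


if __name__ == "__main__":
    for pw in ["Tr0ub4dor&3", "correct horse battery staple", "JaneDoe-loves-Fall2024!!"]:
        print(pw, "->", check_password(pw, "jane.doe@example.edu") or "OK")
```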
Organizations Must Be Vigilant
In an environment where attacks are continuously escalating and employees’ cybersecurity hygiene may actually be getting worse, organizations need to do everything possible to reduce risk from “human error.”
To discuss your current password policy in a holistic, risk-based context, contact Pivot Point Security.