Microsoft study shows weak passwords and reuse not so bad

An interesting study from Microsoft Research argues that using weak passwords, and reusing them across sites, might not be so bad after all, provided they are confined to accounts where a compromise would cost little.

The study, titled “Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts”, was written by Dinei Florencio and Cormac Herley of Microsoft Research and Paul C. van Oorschot of Carleton University, Ottawa, Canada. It points out that while everyone has been telling us all along to use strong passwords for everything we do and a unique password for every account, most of us don’t.

As the study says, “most users fall far short of following ‘traditional’ advice on password strength. Evidence also indicates widespread password re-use. While admonitions against this are almost universal, ignoring that advice seems equally universal. Clearly, users find managing a large password portfolio burdensome. Both password re-use, and choosing weak passwords, remain popular coping strategies.”

The study then examines at length why the traditional approach might not always be the best one.

“Our findings directly challenge some conventional wisdom. For example, we find: strategies that rule out password re-use or the use of weak passwords are sub-optimal. Both are valuable tools in balancing the allocation of effort between higher and lower value accounts.”

The report basically recommends that users would be better off grouping accounts by how much a compromise would cost them. Accounts that hold sensitive information, such as banking, business or other financial data, should have unique, strong passwords that are not reused elsewhere, while casual accounts that hold nothing of value could share easier-to-remember passwords. One caveat a practitioner would add: an account that can reset the passwords of others, typically your email, belongs in the high-value tier no matter how harmless it looks on its own, because whoever controls it can take over everything that sends password-reset links there.
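To make the trade-off concrete, here is a toy portfolio model written for this page. It is an added illustration, not code from the paper, and its probabilities, effort costs and account values are assumptions chosen to keep the arithmetic visible: each distinct password costs a fixed amount of memorization effort depending on its strength, any site using a password may leak it, a weak password may additionally be guessed, and once a password is compromised it is tried against every account that shares it. It compares three strategies: a unique strong password for everything, one weak password shared everywhere, and the tiered portfolio the report describes.

```python
"""Toy model of a password portfolio (added example with assumed parameters)."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed memorization cost of one distinct password, by strength class.
EFFORT = {"weak": 1.0, "strong": 3.0}
# Assumed yearly probability that any one site exposes its users' passwords
# in reusable form (plaintext breach, phishing, or an offline crack).
P_LEAK = 0.05
# Assumed yearly probability that an attacker guesses a password of the given
# strength at one site; a strong password is treated as unguessable here.
P_GUESS = {"weak": 0.10, "strong": 0.0}


@dataclass(frozen=True)
class Account:
    name: str
    value: float  # assumed loss, in arbitrary units, if the account is taken over


@dataclass(frozen=True)
class Password:
    pid: str       # label only; accounts mapped to the same pid share a password
    strength: str  # "weak" or "strong"


# A portfolio maps each account name to the password it uses.
Portfolio = dict[str, Password]


def total_effort(portfolio: Portfolio) -> float:
    """Effort is paid once per distinct password, weighted by its strength."""
    distinct = {pw.pid: pw.strength for pw in portfolio.values()}
    return sum(EFFORT[s] for s in distinct.values())


def expected_loss(portfolio: Portfolio, accounts: list[Account]) -> float:
    """Expected yearly loss under the assumed attacks.

    A password is compromised if any site using it leaks it or lets it be
    guessed; it is then tried everywhere, so every account sharing it falls.
    """
    members: dict[str, list[Account]] = defaultdict(list)
    strength: dict[str, str] = {}
    for acct in accounts:
        pw = portfolio[acct.name]
        members[pw.pid].append(acct)
        strength[pw.pid] = pw.strength
    loss = 0.0
    for pid, group in members.items():
        # Probability that one member site exposes this password.
        q = 1.0 - (1.0 - P_LEAK) * (1.0 - P_GUESS[strength[pid]])
        # Probability that at least one of the sharing sites exposes it.
        p_compromised = 1.0 - (1.0 - q) ** len(group)
        loss += p_compromised * sum(a.value for a in group)
    return loss


def unique_strong(accounts: list[Account]) -> Portfolio:
    """Traditional advice: a distinct strong password for every account."""
    return {a.name: Password(f"strong-{a.name}", "strong") for a in accounts}


def single_weak(accounts: list[Account]) -> Portfolio:
    """The other extreme: one weak password (the pet's name) everywhere."""
    shared = Password("pet-name", "weak")
    return {a.name: shared for a in accounts}


def tiered(accounts: list[Account], threshold: float) -> Portfolio:
    """The report's portfolio: strong and unique above the value threshold,
    one shared weak password for everything below it."""
    shared = Password("pet-name", "weak")
    return {
        a.name: Password(f"strong-{a.name}", "strong") if a.value >= threshold else shared
        for a in accounts
    }


# Constructed sample accounts; the values are assumptions, not real figures.
ACCOUNTS = [
    Account("bank", 10000.0),
    Account("email", 5000.0),   # can reset the others, so it is high value
    Account("work", 5000.0),
    Account("shop", 200.0),
    Account("forum", 10.0),
    Account("comics-fansite", 5.0),
    Account("recipes", 2.0),
    Account("cupcake-newsletter", 1.0),
]


def compare(accounts: list[Account] = ACCOUNTS, threshold: float = 1000.0) -> dict[str, tuple[float, float]]:
    """Return {strategy: (total effort, expected loss)} for the three strategies."""
    strategies = {
        "unique_strong": unique_strong(accounts),
        "single_weak": single_weak(accounts),
        "tiered": tiered(accounts, threshold),
    }
    return {name: (total_effort(pf), expected_loss(pf, accounts)) for name, pf in strategies.items()}


if __name__ == "__main__":
    for name, (effort, loss) in compare().items():
        print(f"{name:14s} effort={effort:5.1f}  expected loss={loss:9.1f}")
```

With these assumed numbers the tiered portfolio needs ten units of effort instead of twenty-four for all-unique-strong, yet its expected loss is only about a tenth higher (the shared weak password only ever exposes the low-value group), while the single shared weak password costs one unit of effort and loses more than ten times as much. Moving an account between tiers, or changing the threshold, shows where the report's “balance of effort between higher and lower value accounts” comes from.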

It makes sense on the surface. Trying to manage a large number of unique, hard-to-remember passwords is difficult, and many people end up writing them all down in a text document stored somewhere on their computer, a practice the report also describes as ‘sub-optimal’.

So, if you’re logging on to a Marvel Comics fan site or signing up for a cupcake-of-the-week email newsletter, go ahead and use your favorite pet’s name, but come up with something considerably more original, and unique, for your banking and online bill-paying accounts.

The report delves into a lot of heavy statistical math and isn’t really intended for casual reading, but if you are fond of equations you can read the full report here.