To Re-use, or Not to Re-use, That is the Password Question

Posted by Pete, Jul. 23, 2014, in Passwords & Security

Humans tend to look for the easy way out; it’s in our DNA. That’s right, we’re lazy. Before you get upset at us for being so direct, remember that this is what leads to innovation and to most energy- and time-saving inventions: the wheel, sliced bread, dishwashers and the computer or smart device that you’re reading this on.

This desire to simplify applies just as much to language as it does to labor-saving devices, and we all use these simplifications every day. Contractions are a simple illustration: can’t and won’t instead of cannot and will not.

Taking shortcuts with our passwords is just a recent example of the lengths we humans go to in order to make things easy for ourselves. It’s true that passwords have been around for a long time, but only recently have they come into such broad use that masses of people have discovered the need for subtle (and some not-so-subtle) ways of “improving” them, i.e. making them easier to remember and use.

The problem is that making passwords easier for ourselves goes against their very purpose: easy passwords mean less security, because someone could guess them and gain unauthorized access.

Also, accepted knowledge says that we should have a unique password for each of our online accounts. But, like Wile E. Coyote creating contraptions out of ACME components, the human mind is always looking for ingenious ways around this. The more accounts we have, the more likely we are to re-use our increasingly simple passwords across our accounts. And that also makes for less security. Foiled again by our own inventiveness – cue anvil falling on our heads!

These are the issues that a team of researchers (Dinei Florencio, Cormac Herley, and Paul C van Oorschot) address head-on in their paper Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts that will be presented at the USENIX Security 2014 conference in San Diego Aug 20-22.

After listing the two cardinal rules of passwords:

Passwords should be random and strong; and

Passwords should not be re-used across accounts,

the team explains “that a portfolio strategy ruling out weak passwords or password re-use is sub-optimal.” The authors’ basic thesis is that using weak passwords, or re-using passwords on multiple sites, can be a satisfactory, even recommended, approach to managing your passwords.

The authors do a very nice job of using the current password literature to show that people are indeed using “coping” mechanisms in their day-to-day password practices. By coping mechanism, we must understand that they mean simplification. Like water finding its own level, it’s human nature that we tend to seek out the easiest way of doing things.

The study focuses on the number of characters and the number of accounts that need to be remembered. Mathematical models are used to show that the number of bits (correlated with the difficulty of remembering a given set of passwords) does indeed decrease when fewer distinct passwords are used for that set, with a minimal or acceptable decrease in security. (It should be noted that various limitations of the models are mentioned.)

This is surely an important element to consider, but it isn’t the only factor. While mathematically accurate, this seems to be mostly a math exercise, and not necessarily a useful indicator of our real-life dependence on passwords.

The problem is the real-world circumstances in which we find ourselves when creating and trying to recall passwords: frequency of use, distractions, and so on. For example, most of us are in a rush when creating a password. Creating one (entered twice, to make sure we remember it!) interferes with the task we are actually focused on: making a purchase, registering for an event or simply signing up for access to a website. The list of external factors goes on and on.

These factors will surely interfere with any scheme, new or old!

The authors present a grouping strategy that they believe will equip typical users with rules for sorting their accounts into appropriate categories, so that they can make good decisions about which accounts may share a password.
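To make the trade-off discussed above concrete (fewer distinct passwords mean fewer bits to remember, but a wider blast radius when one of them leaks), here is a small toy model in Python. It is an added example written for this page; the model is a deliberate simplification of the editor’s own making, not the authors’ model, and the account list, loss values, value tiers and the 40-bits-per-password memory cost are all constructed assumptions.

```python
"""Toy model of the memory-vs-exposure trade-off behind password grouping.
Added example: this simplified model is the editor's, not the paper's."""
from collections import defaultdict

# Constructed sample portfolio (not real accounts):
# account name -> (loss if that account is compromised, value tier)
ACCOUNTS = {
    "bank": (100, "financial"),
    "brokerage": (100, "financial"),
    "primary-email": (80, "identity"),
    "work-sso": (80, "identity"),
    "shopping": (10, "low"),
    "streaming": (5, "low"),
    "forum": (1, "throwaway"),
    "newsletter": (1, "throwaway"),
}

# Assumed cost of remembering one random password, in bits (assumption for illustration).
BITS_PER_PASSWORD = 40


def password_groups(accounts, strategy):
    """Map each account to the password it would use under a strategy.

    unique  - one password per account (the textbook rule)
    grouped - one password per value tier (selective re-use, in the spirit of the paper)
    single  - one password everywhere (the failure mode the post fears)
    """
    groups = defaultdict(list)
    for name, (loss, tier) in accounts.items():
        if strategy == "unique":
            key = name
        elif strategy == "grouped":
            key = tier
        elif strategy == "single":
            key = "everything"
        else:
            raise ValueError(f"unknown strategy: {strategy}")
        groups[key].append((name, loss))
    return dict(groups)


def evaluate(accounts, strategy, bits_per_password=BITS_PER_PASSWORD):
    """Return (distinct passwords, bits to memorize, worst-case loss from one leaked password)."""
    groups = password_groups(accounts, strategy)
    n_passwords = len(groups)
    memory_bits = n_passwords * bits_per_password  # assumption: memory effort is additive
    worst_loss = max(sum(loss for _, loss in members) for members in groups.values())
    return n_passwords, memory_bits, worst_loss


def mixed_tier_groups(accounts, strategy, max_ratio=10):
    """Flag password groups that lump a high-value account in with a low-value one.

    A shared password is only as well protected as the weakest site that uses it,
    so a group whose richest member is worth more than max_ratio times its
    poorest member is a sign the grouping has gone wrong.
    """
    flagged = []
    for key, members in password_groups(accounts, strategy).items():
        losses = [loss for _, loss in members]
        if max(losses) > max_ratio * min(losses):
            flagged.append(key)
    return flagged


def compare(accounts=ACCOUNTS):
    """Evaluate all three strategies on the same portfolio."""
    return {s: evaluate(accounts, s) for s in ("unique", "grouped", "single")}


if __name__ == "__main__":
    for strategy, (n, bits, worst) in compare().items():
        print(f"{strategy:8s} passwords={n:2d} memory_bits={bits:4d} "
              f"worst_loss={worst:4d} mixed_tiers={mixed_tier_groups(ACCOUNTS, strategy)}")
```

On the constructed portfolio, grouping by tier halves the memory cost relative to unique passwords (160 bits versus 320) while doubling the worst single-leak loss (200 versus 100); the single-password shortcut cuts memory to 40 bits but puts the entire portfolio (377) behind one credential, and is the only strategy the mixed-tier check flags. That last check is the point of the post’s worry: a grouping scheme only helps if the user actually keeps high-value and throwaway accounts apart.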

The authors also touch on “password concentrators” such as password managers, but only peripherally. While pointing out some of the shortcomings of password concentrators, they do not go into enough depth to show whether the trade-off of using such tools (like our friend Wile E. Coyote would) may be an adequate remedy.

Our primary concern is that the recommendations made by the team are bound to encourage poor password hygiene. Most people are not going to expend the effort to understand, much less follow, a new set of rules for managing the shortcuts they are already taking.

We fear that, human nature being what it is, people will quickly invent new coping mechanisms that further undermine their security, and so they will likely suffer as they mix and match passwords and accounts.

In the end, all that most people will hear of the paper is that it’s OK to re-use passwords across their accounts. Cue anvil falling on our heads!

The authors do, in closing, temper their recommendation. We agree that, for the new rules to work, the energy saved by no longer trying to remember a strong, unique password for each account must be spent elsewhere:

While the optimal strategy involves selective re-use and weaker passwords, benefits accrue only if the effort saved is re-deployed elsewhere for better returns.

Uh oh, it seems that it will take some amount of work to use the new scheme. And that sounds like an opening for our human ingenuity…