Is It Safe to Reuse Passwords?

Many Americans use dozens of online websites that require a password. Traditionally experts have offered two pieces of advice about passwords: first, strong passwords are those with random characters and second, avoid using the same password for different accounts. Most Internet users manage an increasingly large portfolio of password-protected accounts. It is a nearly impossible task to remember a long-string of alphanumeric characters.

Dinei Florencio and Cormac Herley from Microsoft Research and Paul van Oorschot of Carleton University recommend a more realistic approach in their paper, Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts. They argue that it’s fine for most users to ignore the conventional wisdom. Instead, they present evidence that both password reuse and “weak” passwords can make it easier to access accounts online. 

A Tiered Password System

Users find it burdensome to manage a large portfolio of passwords. Creating a strong password for every account (including blog sites and throw-away accounts) is a unique, modern-day dilemma. These researchers argue that users should organize their passwords into tiers, based on the level of important information they contain. According to Florencio, Herley and van Oorschot, it is acceptable to reuse weaker passwords for websites that do not contain secure, important information. However, it is still prudent to use unique, strong passwords for websites containing the high-value information, like banks.

XKCD: Password Strength


Source: XKCD

Randall Munroe who created the above webcomic, demonstrates the added value of using a different approach to developing passwords. A short randomized password is actually pretty easy for an attacking computer to guess and extremely difficult to remember. A password composed of words associated with an inside joke you share with your spouse, for instance, is much easier to remember, as well as more secure.

In the future, the number of passwords the average user must remember will increase. But, the research from Florencio, Herley, and van Oorschot suggests that a better strategy is to spend time and effort on creating unique, strong passwords for only the most critical sites and reuse weaker passwords for less important sites.