Microsoft study shows weak passwords and reuse not so bad

An interesting study from Microsoft Research has shown that using weak passwords and reusing them for various sites might not be so bad after all.

The study, titled “Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts,” was written by Dinei Florencio and Cormac Herley of Microsoft Research and Paul C. van Oorschot of Carleton University, Ottawa, Canada. It points out that while everyone has been telling us all along that we should use strong passwords for everything we do and unique passwords for every account, most of us don't.

As the study says, “most users fall far short of following ‘traditional’ advice on password strength. Evidence also indicates widespread password re-use. While admonitions against this are almost universal, ignoring that advice seems equally universal. Clearly, users find managing a large password portfolio burdensome. Both password re-use, and choosing weak passwords, remain popular coping strategies.”

The study then goes to great lengths to examine how the traditional approach might not always be the best approach.

“Our findings directly challenge some conventional wisdom. For example, we find: strategies that rule out password re-use or the use of weak passwords are sub-optimal. Both are valuable tools in balancing the allocation of effort between higher and lower value accounts.”

The report essentially recommends that users group their accounts by level of danger. Accounts that contain sensitive information, such as banking, business or other financial information, should have unique, strong passwords that are not reused elsewhere, while casual accounts that hold no financial information could use easier-to-remember passwords.
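The grouping the report recommends can be checked mechanically. The Python below is an added example, not code from the study or from this article: it audits a password portfolio and separates reuse that touches a high-value account from reuse confined to low-value accounts. The account names, the "high"/"low" tier labels and the passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample portfolio: (account, tier, password).
# The "high"/"low" tier labels are an assumption made for this example.
PORTFOLIO = [
    ("bank", "high", "T7#qv!Lw92xe"),
    ("bill-pay", "high", "fluffy2014"),
    ("comics-fan-site", "low", "fluffy2014"),
    ("cupcake-newsletter", "low", "fluffy2014"),
    ("forum", "low", "rex"),
    ("recipe-blog", "low", "rex"),
]


def audit_portfolio(portfolio):
    """Group accounts that share a password.

    Returns (violations, tolerated): reuse groups that include at least one
    high-value account, and reuse groups made up only of low-value accounts.
    """
    # Per-run random key: passwords are compared by keyed fingerprint, so
    # nothing reusable is left behind if the grouping is logged.
    key = os.urandom(32)
    groups = defaultdict(list)
    for account, tier, password in portfolio:
        fingerprint = hmac.new(key, password.encode(), hashlib.sha256).digest()
        groups[fingerprint].append((account, tier))

    violations, tolerated = [], []
    for members in groups.values():
        if len(members) < 2:
            continue  # unique password, nothing to report
        names = sorted(account for account, _ in members)
        if any(tier == "high" for _, tier in members):
            violations.append(names)   # a high-value account shares a password
        else:
            tolerated.append(names)    # reuse stays among low-value accounts
    return sorted(violations), sorted(tolerated)


if __name__ == "__main__":
    bad, ok = audit_portfolio(PORTFOLIO)
    print("High-value accounts sharing a password:", bad)
    print("Low-value reuse groups:", ok)
```

Each group in the first list shows which accounts fall together if any one of them is breached, which is why the high-value tier is kept out of every reuse group.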

It makes sense on the surface. Trying to manage a large number of unique, hard to remember passwords is difficult and a lot of people end up writing down all those passwords in a text document stored somewhere on their computer – a practice that is, as the report states, another ‘sub-optimal’ solution.

So, if you’re logging on to a Marvel Comics fan site or signing up for a cupcake-of-the-week email newsletter, go ahead and use your favorite pet’s name, but try to come up with something a bit more original for your banking or online bill paying accounts.

The report delves into a lot of heavy statistical math and isn’t really intended for casual reading, but if you are fond of equations you can read the full report here.

Guy Wright

Guy Wright has been covering the technology space since the days when computers had cranks and networks were steam powered. He has been a writer and editor for more years than he cares to admit. He has lost count of the number of articles, blogs, reviews, rants and books that he has published over the years, but he hasn’t stopped learning and writing about new things.

