Stringent password policies help prevent fraud, study finds

October 11, 2018

BLOOMINGTON, Ind. -- The all-too-common practice of using the same email address/password combination to log into multiple websites can be damaging, especially for employers with many users and valuable assets protected by passwords, like universities.

"If someone uses their university email address and passphrase to sign up for, say, LinkedIn, and LinkedIn is breached by cybercriminals, that would mean their university password is sitting on the web for everyone to see," said Indiana University's Dan Calarco, co-author on a new paper that examines the practice of password reuse.

But researchers at IU have discovered a simple way to foil criminals intent on breaking into university data.

"We found that requiring longer and more complicated passwords resulted in a lower likelihood of password reuse," the authors write in the paper, Factors Influencing Password Reuse: A Case Study. The authors are Jacob Abbott, an IU Bloomington Ph.D. student; Daniel Calarco, chief of staff for the IU Office of the Vice President for IT and CIO; and L. Jean Camp, a professor in the IU Bloomington School of Informatics, Computing and Engineering. The group presented their findings Sept. 21 at the TPRC46: Research Conference on Communications, Information and Internet Policy in Washington, D.C.

To investigate the impact of policy on password reuse, the researchers analyzed password policies from 22 different U.S. universities, including their home institution, IU. Next, they extracted sets of emails and passwords from two large data sets that were published online and contained over 1.3 billion email address and password combinations. Based on email addresses belonging to a university's domain, passwords were compiled and compared against that university's official password policy.

The findings were clear: Stringent password rules significantly lower a university's risk of personal data breaches.

"Our paper shows that passphrase requirements such as a 15-character minimum length deter the vast majority of IU users (99.98 percent) from reusing passwords or passphrases on other sites," they write. "Other universities with fewer password requirements had reuse rates potentially as high as 40 percent." Their analysis found that IU performed the best of all 22 universities -- and had the most extensive requirements. The authors could not legally test whether credentials were actually valid; instead they examined whether passwords could potentially be valid given public password requirements such as password length, complexity and other requirements.

"IU has worked with security and usability faculty to design our password policies, with the result being policies that value people's time while mitigating risk," Camp said. "The length and complexity are balanced by the extended period before new passwords must be generated and the use of a longer authentication time window for applications. Indiana University's rollout of two-factor authentication is similarly a model."

The authors offer the following recommendations to safeguard passwords:

  1. Increase the minimum password length beyond 8 characters.
  2. Increase maximum password length.
  3. Disallow the user's name or username inside passwords.
  4. Contemplate multi-factor authentication.
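
As an added illustration (not code from the paper or from IU), recommendations 1 to 3 can be enforced when a password is set, as sketched below. The 15-character minimum is the IU figure quoted above; the 127-character maximum, the 3-character name-part threshold and all function names are assumptions made for this example.

```python
import unicodedata

# Assumed policy values: the 15-character minimum is the IU figure quoted in
# the article; the 127-character maximum is an illustrative assumption.
MIN_LENGTH = 15
MAX_LENGTH = 127
MIN_TOKEN = 3  # skip very short name parts, which would match almost anything


def _fold(text):
    """Normalize so visually equal strings compare equal, case-insensitively."""
    return unicodedata.normalize("NFKC", text).casefold()


def identity_tokens(username, full_name):
    """Username, e-mail local part and each name part, folded for comparison."""
    raw = [username, username.split("@")[0]] + full_name.replace("-", " ").split()
    return {_fold(t) for t in raw if len(t) >= MIN_TOKEN}


def check_password(password, username, full_name):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    length = len(unicodedata.normalize("NFKC", password))
    if length < MIN_LENGTH:
        problems.append("too_short")
    if length > MAX_LENGTH:
        problems.append("too_long")
    folded = _fold(password)
    if any(tok in folded for tok in identity_tokens(username, full_name)):
        problems.append("contains_identity")
    return problems


if __name__ == "__main__":
    # Constructed sample account and candidate passwords.
    samples = [
        ("correct horse battery staple", "jdoe@example.edu", "Jane Doe"),
        ("JaneLovesHiking2018!", "jdoe@example.edu", "Jane Doe"),
        ("Tr0ub4dor&3", "jdoe@example.edu", "Jane Doe"),
    ]
    for pw, user, name in samples:
        print(repr(pw), check_password(pw, user, name) or "accepted")
```

Short name parts such as "Doe" will also reject passwords that merely contain that substring, so the token threshold is a usability trade-off to tune per deployment.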


Multi-factor authentication is becoming more common and usable. IU, for example, employs Two-Step Login. With the potential benefits of reducing the risk of password reuse, multi-factor authentication may be a viable alternative to changing the length and/or complexity of password policies.

"Our recommendations are not only applicable for universities, but also can be used by other organizations, services or applications," they write.


Indiana University
