Two University of North Carolina professors say popular websites like Google and Facebook must share password data from their users to eliminate password reuse.
Reusing passwords across multiple websites is now common behavior for most people, who are inundated with dozens of accounts at their favorite online properties. But the practice is fueling security breaches by giving hackers access to multiple accounts from a single set of credentials.
Two professors from the Computer Science department at the University of North Carolina believe they have a way to force users to use a different password for each website and keep everyone a little safer. In their study, How to End Password Reuse on the Web, professors Ke Coby Wang and Michael Reiter propose that major websites coordinate with one another and "make it difficult for users to set similar passwords at these websites, in an effort to break the culture of password reuse on the web today."
Essentially, Wang and Reiter want websites to share information on user passwords with one another.
"We believe it is now time to consider the possibility of imposing technical measures to prevent the use of similar passwords across websites," they wrote in the paper. "In this paper we have presented one possible method for doing so, by coordinating password selection across websites so that similar passwords cannot be used for the same account identifier...but with neither side disclosing to the other the password(s) it employs in the protocol."
The professors acknowledge the difficulty of a task this size, but said if the 20 biggest websites worked together, they could limit the scope of hacked accounts that are often tied between platforms like Facebook and Google. According to the report, the average internet user has about four to five accounts on the 20 largest websites on the internet.
"It is important to recognize that in order to break the culture of password reuse, we do not require universal adoption of the framework we propose here," they wrote in the report. "As such, if just these websites adopted our framework, it would force a large fraction of users to manage five or more dissimilar passwords, which is already at the limit of what users are capable of managing themselves."
In the paper, the professors wrote that with modest additional adoption--going to the top 50 most popular websites, for example--password reuse could be eliminated completely.
The professors are quick to point out the major security concerns inherent to their design, and take pains to address these issues through specific algorithms and safety measures. But the ramifications of continuing with the same types of password management are too costly to bear.
A Ponemon survey referenced in the study found that the fraud perpetrated using overtaken accounts "could incur average losses of up to $54 million per organization surveyed." Companies are forced to spend millions on a variety of security measures that often exacerbate the problem and expose users to more risk. Akamai reported in November 2017 that an astonishing 43% (3.6 out of 8.3 billion) of their login attempts involved credential abuse.
"Our goal in initiating this debate is to question the zeitgeist in the computer security community that password reuse cannot be addressed by technical means without imposing unduly on user security or privacy," they wrote.
The professors say they do not wish to make it impossible to reuse passwords but "about as difficult as not reusing them," which they believe will largely eliminate the practice. Despite the specificity of the plan, they understand how users will respond to something like this.
"We are under no illusions that our design, were it deployed, will be met with anything but contempt (at least temporarily) by the many users who currently reuse passwords at multiple websites," they wrote. But if their goals are achieved, they strongly believe password reuse will end, "since passwords are reused today almost entirely for convenience."
The security risks of password reuse have yet to stop most people from using the same password at many websites. In a recent survey commissioned by password management website LastPass, more than 90% of those surveyed reported that they understood it was risky to use the same password for multiple accounts, yet 59% still almost always used the same password for different accounts.
Nearly 50% said there was no difference between the passwords they used for work accounts and those used for personal accounts, while only 55% of people said they would change their password if they knew they were hacked.
The big takeaways for tech leaders:
- Two professors believe they have a way to stop password reuse, which is giving hackers access to more and more information every day.
- Their plan involves 20-50 of the biggest websites on the internet coordinating and forcing users to create different passwords for all of their sites.