Wondering how to solve that age-old problem -- coming up with a password that's easy to remember but hard for attackers to crack? It might be possible to get the best of both worlds, according to researchers at Microsoft Corp. (NASDAQ:MSFT) who propose a new approach to managing password security -- share one password across trivial accounts, and reserve complex, individual passwords for the accounts that actually matter.
The study, which will be presented at the Usenix Security Symposium in San Diego in August, analyzes the problem of ever-growing user password portfolios. Standard security advice tells users to create a unique, complex password for every account, but that advice becomes unworkable for most people as the number of logins and passwords they must remember continues to grow.
Most users continue to choose weak passwords despite public awareness campaigns and government recommendations for stronger passwords, according to Dinei Florencio and Cormac Herley of Microsoft Research, who authored the study along with Paul C. van Oorschot of Carleton University, Ottawa, Canada.
“Clearly, users find managing a large password portfolio burdensome,” the Microsoft Research team writes. “Both password reuse, and choosing weak passwords, remain popular coping strategies.”
While some users have turned to password managers such as LastPass and 1Password to organize their growing collection of logins, the study notes that the task of creating and remembering complex passwords remains burdensome as the portfolio expands, and not everyone adopts such tools. Password managers also concentrate risk: whoever obtains the master password (and the vault it unlocks) obtains every credential stored in it.
After examining several password models and working through the mathematics, the Microsoft team arrived at a simple strategy that balances security against users' limited ability to remember passwords.
To reduce the number of passwords a user must remember, the Microsoft Research team suggests grouping low-value accounts, such as forum logins, so that they share a single password. High-value accounts, such as banking or a primary email login (which typically serves as the password-reset channel for every other account), would be placed in much smaller groups or given individual passwords. The trade-off is explicit: a breach at any one site in a shared group exposes every account in that group, which is why only accounts whose compromise would cost little should share a password, and why the effort saved there should go into stronger, unique passwords for the accounts whose compromise would cost a lot.
While the findings of the Microsoft Research study do not endorse reusing extremely weak passwords such as "password" or "123456," the team concludes that grouping accounts by value balances real security needs against the growing list of credentials that users have to remember.
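To make the grouping argument concrete, here is an added toy model that is not the paper's own model or code. It assumes (all constructed for illustration) that each site is breached with a fixed probability, that a breached site's password is recovered with a probability that depends only on password strength, that recovering a shared password compromises every account in its group, and that the user pays a fixed recall effort per distinct password and has a finite budget for it. The account values, strength parameters and budget are invented; the point is the shape of the result, not the numbers.

```python
"""Constructed toy model of the password-portfolio trade-off.

Assumptions (illustrative, not from the paper): each site is breached
with probability BREACH; the password hash leaked in a breach is cracked
with a probability that depends only on password strength; cracking a
shared password compromises every account in its group; recall effort is
paid once per distinct password and the user has a fixed budget for it.
"""

BREACH = 0.10  # assumed per-site breach probability

# assumed per-password recall effort and post-breach crack probability
STRENGTH = {
    "weak":   {"effort": 1.0, "crack": 0.80},
    "strong": {"effort": 3.0, "crack": 0.10},
}


def group_compromise_prob(size: int, strength: str, breach: float = BREACH) -> float:
    """Probability that at least one of `size` sites sharing a password is
    breached AND the password is recovered from that breach."""
    p_site = breach * STRENGTH[strength]["crack"]
    return 1.0 - (1.0 - p_site) ** size


def expected_loss(portfolio) -> float:
    """portfolio: list of (strength, [account values]) groups. Each group
    uses one password, so its compromise exposes the whole group's value."""
    return sum(group_compromise_prob(len(vals), s) * sum(vals) for s, vals in portfolio)


def recall_effort(portfolio) -> float:
    """Effort is paid per distinct password, not per account."""
    return sum(STRENGTH[s]["effort"] for s, _ in portfolio)


def best_feasible(strategies: dict, budget: float):
    """Name of the lowest-loss strategy that fits the recall budget, or None."""
    feasible = {n: expected_loss(p) for n, p in strategies.items()
                if recall_effort(p) <= budget}
    if not feasible:
        return None
    return min(feasible, key=feasible.get)


# Constructed portfolio: two high-value accounts and eight low-value forums.
HIGH = [1000.0, 500.0]   # bank, primary email (reset channel for the rest)
LOW = [5.0] * 8

STRATEGIES = {
    # unique strong password everywhere: safest, but far over any realistic budget
    "unique_strong_all": [("strong", [v]) for v in HIGH + LOW],
    # one strong password reused on all ten sites
    "one_strong_shared": [("strong", HIGH + LOW)],
    # the study's shape: individual strong passwords for high-value accounts,
    # one shared weak-ish password for the forums
    "grouped":           [("strong", [HIGH[0]]), ("strong", [HIGH[1]]), ("weak", LOW)],
    # a coarser grouping: the two high-value accounts also share a password
    "two_shared":        [("strong", HIGH), ("weak", LOW)],
}
RECALL_BUDGET = 8.0  # assumed: how much recall effort this user can sustain


def summarize(budget: float = RECALL_BUDGET):
    """Return (effort, expected loss) per strategy and the best one within budget."""
    rows = {n: (recall_effort(p), expected_loss(p)) for n, p in STRATEGIES.items()}
    return rows, best_feasible(STRATEGIES, budget)


if __name__ == "__main__":
    rows, best = summarize()
    for name, (effort, loss) in rows.items():
        flag = "" if effort <= RECALL_BUDGET else "  (over budget)"
        print(f"{name:18s} effort={effort:4.1f}  expected loss={loss:7.2f}{flag}")
    print("best within budget:", best)
```

With an unlimited budget, unique strong passwords everywhere win, as expected. Under the finite budget, that option is unreachable, reusing one strong password everywhere lets a single forum breach expose the bank, and the grouped portfolio has the lowest expected loss because the effort saved on the forums buys individual strong passwords for the two accounts that carry almost all the value.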