Report: Weaker passwords fine in some cases

Optimal strategy requires re-use, researchers say

Have trouble creating passwords that are easy to remember? You’re not alone, and it may not be necessary to create difficult ones.

A team of researchers has released a report that says math proves more memorable passwords are just fine for use on low-value data. 

“Clearly, users find managing a large portfolio burdensome,” states the report titled “Password Portfolios and the Finite-Effort User: Sustainably Managing Large Numbers of Accounts.”

“Both password re-use, and choosing weak passwords, remain popular coping strategies.”

Many websites ask users to construct passwords with letters, numbers and special characters, and require that they be changed occasionally. Memorizing the passwords for multiple accounts is like memorizing a shuffled deck of cards.

“The imposition of stringent password policies is better correlated with insulation from the consequences of poor usability than the need for greater security,” the report states.

The findings by Microsoft Research and Carleton University in Canada challenge the current conventional wisdom regarding password strategies. The report defines four categories: passwords for accounts deemed worthless, slightly important, quite secure and top security. Three categories were suggested: passwords that are of no importance, that are inconvenient if stolen, or that result in a major problem if abused.

In the report, researchers suggested:

— Users should create passwords based on unique attributes of each account;

— The optimal strategy involves selective re-use and weaker passwords;

— Users must not arbitrarily weaken and re-use passwords; and

— People should group accounts with high value and group those with low value, and consider how susceptible each grouping is to compromise.

The research shows mathematical support for forgoing a strict password policy for what a user may deem a low-value account. Stronger passwords are still encouraged for sites with more important data, such as a financial account.

Read the full report at research.microsoft.com.
