Online passwords for certain sites should be weak and re-used widely by web users, according to new research by Microsoft.
The research, undertaken by Dinei Florencio and Cormac Herley from Microsoft Research and Paul van Oorschot from Carleton University in Canada, finds that users should not prioritise security when choosing passwords for websites that do not hold sensitive information.
The study, Password Portfolios and the Finite-Effort User, goes against the long-held foundations of password security: that users should choose strong passwords and never re-use them across different accounts.
"Our findings directly challenge accepted wisdom and conventional advice," the research paper states. "We find, for example, that a portfolio strategy ruling out weak passwords or password re-use is sub-optimal."
According to the researchers, using secure but difficult-to-remember passwords across all sites is not widely practised, because the burden grows with the size of the password portfolio.
Analysis of leaked password datasets, such as the 32 million plaintext passwords from RockYou in 2009, revealed that most users fail to follow traditional advice.
Internet security company Imperva claims that the RockYou hack revealed that the 5,000 most popular passwords were shared by 20% of the users.
'Human impossibility' of using strong passwords
The need for new usernames and passwords continues to grow as more companies and organisations transfer their services online. The study claims that people are having to resort to unorthodox measures in order to remember them.
"Despite violating long-standing password guidance, writing passwords down is, if properly done, increasingly accepted as a coping mechanism," the study states.
"Other strategies to cope with the human impossibility of using strong passwords everywhere without re-use include single sign-on, the use of email-based password reset mechanisms, and password managers."
A better solution, the findings suggest, is to divide online accounts into two groups: high-value accounts, such as online banking and email, and low-value accounts, such as chat forums.
The study suggests that only accounts in the first group should use strong passwords, while accounts in the second group can use simple, widely re-used passwords.
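To make the trade-off concrete, here is an added example (constructed here, not from the paper or the article) using a simplified expected-loss model: each account has an assumed value and an assumed probability that the site leaks its password database, and every account sharing a password with a leaked site is assumed to fall with it. The account names, values and probabilities are constructed.

```python
# Constructed, simplified model of a password portfolio (an assumption,
# not the paper's own model). Each account has a value (loss if
# compromised) and an assumed probability that the site leaks its
# password database. Accounts sharing one password form a group: if any
# site in the group leaks, the shared password works everywhere else in
# the group, so the whole group is counted as lost.

ACCOUNTS = {
    # name:        (value, leak probability)   -- constructed figures
    "bank":        (10000, 0.01),
    "email":       ( 5000, 0.01),
    "work-vpn":    ( 8000, 0.02),
    "forum-a":     (   10, 0.10),
    "forum-b":     (   10, 0.15),
    "newsletter":  (    5, 0.20),
    "game-site":   (   20, 0.10),
}

def group_compromise_probability(members):
    """Probability that at least one site in the group leaks the shared password."""
    p_safe = 1.0
    for name in members:
        p_safe *= 1.0 - ACCOUNTS[name][1]
    return 1.0 - p_safe

def expected_loss(portfolio):
    """portfolio: list of groups, each a list of accounts sharing one password."""
    total = 0.0
    for members in portfolio:
        value_at_risk = sum(ACCOUNTS[n][0] for n in members)
        total += group_compromise_probability(members) * value_at_risk
    return total

def two_group_portfolio(threshold):
    """Unique password per high-value account, one shared password for the rest."""
    high = [n for n, (v, _) in ACCOUNTS.items() if v >= threshold]
    low = [n for n, (v, _) in ACCOUNTS.items() if v < threshold]
    return [[n] for n in high] + ([low] if low else [])

# Three strategies; len(portfolio) is the number of passwords to remember.
ONE_SHARED = [list(ACCOUNTS)]                       # one password everywhere
TWO_GROUP = two_group_portfolio(threshold=1000)     # 3 unique + 1 shared = 4
ALL_UNIQUE = [[n] for n in ACCOUNTS]                # 7 distinct passwords

if __name__ == "__main__":
    for label, p in [("one shared", ONE_SHARED), ("two-group", TWO_GROUP),
                     ("all unique", ALL_UNIQUE)]:
        print(f"{label:10s} passwords={len(p)} expected_loss={expected_loss(p):.2f}")
```

With these figures the two-group portfolio costs only a little more expected loss than seven unique passwords while needing four, whereas a single shared password exposes the bank account to every forum breach.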
The study's conclusion, however, acknowledges: "We note that while password re-use must be part of an optimum portfolio strategy, it is no panacea."