Longer minimum passwords are the most effective way to prevent password reuse and reduce potential exposure in a third-party data breach.
The all too common practice of using the same email address and password combination to log into multiple websites can be damaging, especially for employers with many users and valuable assets protected by passwords, like universities.
"If someone uses their university email address and passphrase to sign up for, say, LinkedIn, and LinkedIn is breached by cybercriminals, that would mean their university password is sitting on the web for everyone to see," said Indiana University's Dan Calarco, co-author on a new paper that examines the practice of password reuse.
But researchers have discovered a simple way to foil criminals intent on breaking into university data.
"We found that requiring longer and more complicated passwords resulted in a lower likelihood of password reuse," the authors write.
To investigate the impact of policy on password reuse, the study analyzed password policies from 22 different US universities. Next, they extracted sets of emails and passwords from two large data sets that were published online and contained over 1.3 billion email addresses and password combinations. Based on email addresses belonging to a university's domain, passwords were compiled and compared against a university's official password policy.
The findings were clear. Stringent password rules significantly lower a risk of personal data breaches.
"Our paper shows that passphrase requirements such as a 15 character minimum length deter the vast majority of users from reusing passwords on other sites," they write.
The authors offer the following recommendations to safeguard passwords:
Increase the minimum password length beyond 8 characters.
Increase the maximum password length.
Disallow the user's name or username inside passwords.
Contemplate multi-factor authentication.