Study finds high rate of password reuse among users

Comparing stolen login credentials for two different sites, researcher discovers password reuse rate as high as 50 percent

You may have a remarkably strict password policy in place at your organization, requiring a long string of letters, numbers, and special characters. Unfortunately, those policies become far less effective if you use a similar or identical password for logging in to Facebook, Amazon.com, or any other website. If a malicious hacker is able to get his or her hands on a user's password credentials for one domain, said hacker has a good starting point for figuring out the user's password for other sites.

Joseph Bonneau, a researcher from the University of Cambridge, studied just how rampant the problem of password reuse might be, and his conclusion is that it might be far worse than previous studies have indicated.

Bonneau compared recently stolen login information for two different websites, rootkit.com and gawker.com. Between the two sets of data, he found an intersection of 456 legitimate email addresses, and the password reuse rate among those addresses was at least 31 percent. The figure could be as high as 43 percent -- or 49 percent if you count the use of similar passwords, such as instances where different characters are capitalized (Hello vs. hEllO) or a number is appended to the password (Hello vs. Hello1).

To put that in perspective (and taking into account that there is a margin of error of plus or minus 5 percent), it means that if a hacker manages to steal a user's login info and password, there's as much as a one-in-two chance that said hacker will have the key (or a close fit) to the user's other secured accounts. Previous studies, according to Bonneau, have put the password reuse rate at 20 percent or less.
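The comparison described above, reduced to code as an added illustration (this is not Bonneau's tooling or data): two constructed email-to-password maps standing in for the two breach dumps, a classifier for the "similar" password classes the article names (case-only changes, a number appended), and the exact versus similar reuse rates over the shared addresses. The `too_similar` helper shows the same check turned into a defensive policy that rejects a near-copy of a previous password.

```python
# Added example, not from the article. Sample dumps below are constructed.
from typing import Dict, Iterable, Optional

def classify_pair(a: str, b: str) -> Optional[str]:
    """Return 'identical', 'case' or 'digits' when b is a reuse of a, else None.
    'case'   : same letters, only capitalization differs (Hello vs hEllO)
    'digits' : one password is the other with digits appended (Hello vs Hello1)"""
    if a == b:
        return "identical"
    if a.lower() == b.lower():
        return "case"
    for stem, longer in ((a, b), (b, a)):
        tail = longer[len(stem):]
        if longer.lower().startswith(stem.lower()) and tail.isdigit():
            return "digits"
    return None

def reuse_rates(site_a: Dict[str, str], site_b: Dict[str, str]) -> Dict[str, float]:
    """Compare two email->password maps on the addresses they share.
    'exact' counts identical passwords; 'similar' also counts the variant classes."""
    shared = sorted(site_a.keys() & site_b.keys())
    if not shared:
        return {"shared": 0, "exact": 0.0, "similar": 0.0}
    kinds = [classify_pair(site_a[e], site_b[e]) for e in shared]
    exact = sum(k == "identical" for k in kinds)
    similar = sum(k is not None for k in kinds)
    return {"shared": len(shared), "exact": exact / len(shared), "similar": similar / len(shared)}

def too_similar(candidate: str, history: Iterable[str]) -> bool:
    """Policy check: reject a new password that is a copy or near-copy of an old one."""
    return any(classify_pair(candidate, old) is not None for old in history)

# Constructed stand-ins for the two credential dumps (hypothetical addresses).
SITE_A = {"a@example.com": "Hello", "b@example.com": "Hello", "c@example.com": "Hello",
          "d@example.com": "winter2010", "e@example.com": "qwerty",
          "f@example.com": "Tr0ub4dor", "g@example.com": "only-on-a"}
SITE_B = {"a@example.com": "Hello", "b@example.com": "hEllO", "c@example.com": "Hello1",
          "d@example.com": "summer2010", "e@example.com": "qwerty",
          "f@example.com": "correcthorse", "h@example.com": "only-on-b"}

if __name__ == "__main__":
    rates = reuse_rates(SITE_A, SITE_B)
    print(f"shared={rates['shared']} exact={rates['exact']:.0%} similar={rates['similar']:.0%}")
    print("reject Hello2 given history [Hello]:", too_similar("Hello2", ["Hello"]))
```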

Importantly, though, Bonneau's study is a snapshot comparing password reuse among relatively low-security, low-value accounts; these aren't financial or personal email websites, for example. Maybe users are more cautious when their credit standing or private communications are at stake. More study is needed, Bonneau notes.

Still, this might be a good wake-up call for organizations that currently have relatively lax password policies or where users access different domains for work purposes. IT departments might at least consider warning users to never reuse their work-related passwords for any of their personal accounts.

This story, "Study finds high rate of password reuse among users," was originally published at InfoWorld.com.

Copyright © 2011 IDG Communications, Inc.