
Communications of the ACM

ACM TechNews

Stringent Password Policies Help Prevent Fraud, IU Study Finds

The same password should not be reused on multiple sites.

Researchers at Indiana University have found that requiring longer, more complex passwords makes it less likely a password will be reused on multiple websites, enhancing security.


Indiana University (IU) researchers have found that requiring longer and more complicated passwords results in a lower likelihood of password reuse on multiple websites.

The researchers analyzed password policies from 22 U.S. universities, and extracted sets of emails and passwords from two large datasets published online containing more than 1.3 billion email addresses and password combinations.

The team compared the passwords against each university's official password policy, and the results showed that stringent password rules significantly lower a university's risk of personal data breaches.

Specifically, passphrase requirements such as a 15-character minimum length deter 99.98% of users from reusing passwords or passphrases on other sites.

The team offered the following recommendations to safeguard passwords: increase the minimum length beyond eight characters; increase the maximum password length; disallow the user's name or username inside passwords; and consider multi-factor authentication.

From IU Bloomington Newsroom


Abstracts Copyright © 2018 Information Inc., Bethesda, Maryland, USA

