Password Re-use Security: What the Studies Say

TL;DR

Yes, there are numerous studies showing password re-use significantly increases risk. Preventing it within a single system is effective, but requires careful implementation. This guide outlines how to do that, covering technical options and practical considerations.

Preventing Password Re-use: A Step-by-Step Guide

1. Understand the Risk

• Password re-use is a major cyber security vulnerability. If one service is compromised, all accounts using that password are at risk.
• Studies consistently show users reuse passwords across multiple sites and applications.
• Compromised credential lists (data breaches) are frequently used to attack other services.

Implement Password History

This is the most common and effective method within a single system.

• Configure your system to remember previous passwords, preventing immediate re-use.
• A typical history length is 12-24 passwords. More isn’t always better – it can frustrate legitimate users.
• Example (Linux PAM configuration – /etc/pam.d/common-password):

password sufficient pam_unix.so remember=12 obscure

This example remembers the last 12 passwords and obscures them in logs. Adjust ‘remember’ as needed.

Password Complexity Rules

While not directly preventing re-use, strong complexity rules make it harder to use the same password everywhere.

• Enforce minimum length (at least 12 characters is recommended).
• Require a mix of uppercase and lowercase letters, numbers, and symbols.
• Avoid dictionary words or easily guessable patterns.
• Example (pwquality.conf – Debian/Ubuntu):

minlen = 12

reject_dictionary = on

Password Blacklisting

Prevent known compromised passwords from being used.

• Integrate with a password blacklist database (e.g., Have I Been Pwned).
• This requires regular updates of the blacklist to remain effective.
• Some systems have built-in features for this; others require custom scripting or plugins.

User Education

Teach users about the dangers of password re-use.

• Explain why using unique passwords is important.
• Promote the use of password managers.
• Regular security awareness training can significantly reduce risk.

Monitor for Password Spraying Attacks

Password spraying attempts to use a few common passwords against many accounts.

• Implement account lockout policies after multiple failed login attempts.
• Log and alert on unusual login patterns.
• Review logs regularly for suspicious activity.

Consider Multi-Factor Authentication (MFA)

Adds an extra layer of security, mitigating the risk even if a password is compromised.

• Requires users to provide a second form of verification (e.g., code from an app, fingerprint scan).
• Significantly reduces the impact of password re-use attacks.

Further Research

Search for studies on ‘password re-use statistics’ and ‘credential stuffing attack prevention’. The National Institute of Standards and Technology (NIST) provides guidance on password management.