CR · Jun 6, 2017

Empirical Analysis of Password Reuse and Modification across Online Service

arXiv:1706.01939v2 · 8 citations
Originality: Incremental advance
AI Analysis

This addresses security risks for users of online services by providing large-scale empirical evidence, though it is incremental in quantifying known issues.

The paper tackles the problem of password reuse and modification across online services by analyzing 28.8 million users and 61.5 million passwords, finding that 38% of users reuse passwords exactly and 20% modify them, with a new algorithm showing that over 16 million password pairs can be cracked within 10 attempts.

Leaked passwords from data breaches can pose a serious threat to users if the password is reused elsewhere. With more online services getting breached today, there is still a lack of large-scale quantitative understanding of the risks of password reuse across services. In this paper, we analyze a large collection of 28.8 million users and their 61.5 million passwords across 107 services. We find that 38% of the users have reused exactly the same password across different sites, while 20% have modified an existing password to create new ones. In addition, we find that the password modification patterns are highly consistent across different user demographics, indicating a high predictability. To quantify the risk, we build a new training-based guessing algorithm, and show that more than 16 million password pairs can be cracked within just 10 attempts (30% of the modified passwords and all the reused passwords).
