Dummies Guide on Reusing the same Password: An Economics Perspective | Lucideus Research

Introduction: (Difficulty: Easy)
In today's world, internet usage is increasing exponentially across regions and for every kind of purpose. From banking to ordering food, everything is done over the internet today. People use different websites to order food, book movie, train and flight tickets, and read news articles and blogs. To provide these services, websites ask for the user's login credentials, i.e. an email ID and a password. Some websites, such as social networks, require these credentials to protect the user's data, whereas others require them before providing their services so that they can collect user data and sell it.

The combination of username and password is the most widely used human authentication mechanism on the internet. Despite their universal adoption and long history, password schemes exhibit a large number of security flaws that can jeopardise the confidentiality and integrity of personal information. Since it is very difficult for users to remember a large set of usernames and passwords, they tend to reuse the same passwords across different websites so that they have fewer to remember. This habit generally creates a negative externality for websites that rely on these passwords for protection, or that invest in keeping passwords safe. The phenomenon is described in the research paper "The Password Game: negative externalities from weak password practices" by Sören Preibusch and Joseph Bonneau.

Different websites have different incentives for investing in password protection. A website that deals with critical user data, such as a bank or a social network, has a strong incentive to keep its users' data protected, because its business depends on that information and a breach would harm it directly. On the other hand, there are websites that ask users to create accounts simply so that they can collect the user's data, which they might sell later. These organisations do not have a high incentive to invest in password protection, as they store no data they consider critical.

Generally, users tend to use the same email IDs and passwords in different places, because remembering many different combinations of email IDs and passwords exceeds their limited memory. If a user uses an extremely strong password everywhere, that very reuse makes the password vulnerable. A website with little incentive to invest in password protection can easily be hacked, yielding a list of email ID and password combinations. If that list is then tried against websites that invest heavily in protecting user IDs and passwords, those websites can also be compromised easily, because the same passwords and user IDs are reused everywhere. This creates a negative externality for the firms that do invest in keeping passwords safe.

Because of this negative externality, even a large investment in protecting passwords by various means cannot keep them completely safe. Since investing more in password protection does not shield a website from the externality created by other websites, the incentive for each website to invest more is weakened, which in turn leads to further underinvestment.
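The externality argument above can be made concrete with a small model, added here as an illustration (it is not from the Lucideus post or from the Preibusch and Bonneau paper). It assumes that breaches of the low-incentive sites are independent events, and that an account at the well-defended site A is lost either to A's own breach or through a password the user reused on another site that leaked; all numbers are constructed.

```python
# Added illustration of the password-reuse externality (not from the post).
# Model assumptions (constructed for this example):
#   - p_own: probability that site A itself is breached (what A's investment buys down)
#   - reuse_rate: fraction of A's users who reuse their A password elsewhere
#   - other_site_breach_probs: breach probabilities of the sites they reuse it on
#   - mfa_coverage: fraction of A's logins that also require a second factor (OTP)
#   - breaches of the other sites are independent

def external_compromise_prob(reuse_rate, other_site_breach_probs, mfa_coverage=0.0):
    """Probability that an A account falls *through other sites*: the user reused
    the password and at least one other site leaked it. An OTP step blocks the
    share of reuse attacks that mfa_coverage represents."""
    p_no_site_leaks = 1.0
    for p in other_site_breach_probs:
        p_no_site_leaks *= (1.0 - p)
    return reuse_rate * (1.0 - p_no_site_leaks) * (1.0 - mfa_coverage)


def total_compromise_prob(p_own, reuse_rate, other_site_breach_probs, mfa_coverage=0.0):
    """Account at A is compromised if A is breached OR the reuse channel leaks it."""
    ext = external_compromise_prob(reuse_rate, other_site_breach_probs, mfa_coverage)
    return 1.0 - (1.0 - p_own) * (1.0 - ext)


def marginal_benefit_of_own_security(reuse_rate, other_site_breach_probs, mfa_coverage=0.0):
    """Risk removed per unit reduction of p_own: d(total)/d(p_own) = 1 - ext.
    The larger the reuse channel, the less A gains from its own investment,
    which is the underinvestment effect the post describes."""
    return 1.0 - external_compromise_prob(reuse_rate, other_site_breach_probs, mfa_coverage)


def compare_scenarios():
    """Constructed numbers: three weak sites, 60% reuse, A at 1% vs 0.1% own breach risk."""
    weak_sites = [0.3, 0.2, 0.1]
    reuse = 0.6
    return {
        "floor_from_reuse": external_compromise_prob(reuse, weak_sites),
        "total_at_1pct": total_compromise_prob(0.01, reuse, weak_sites),
        "total_at_0.1pct": total_compromise_prob(0.001, reuse, weak_sites),   # 10x investment
        "total_at_1pct_with_otp": total_compromise_prob(0.01, reuse, weak_sites, mfa_coverage=0.9),
    }


if __name__ == "__main__":
    for name, value in compare_scenarios().items():
        print(f"{name}: {value:.4f}")
```

With the constructed figures, cutting A's own breach probability ten-fold moves total risk only from about 30.5% to 29.8%, while a second factor on 90% of logins brings it to about 3.9%.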

As we can see, using the same password everywhere can be dangerous, since it can lead to the leakage of sensitive data. Hence, it is advised that, at the very least, the passwords used for websites holding sensitive data should differ from those used for websites where one registers merely to obtain some information. Doing this may significantly reduce the risk of a user's sensitive information being leaked. The government could also devise a mechanism to correct this negative externality. All organisations should offer 'two-step authentication' such as OTPs as an alternative, in order to avoid, or at least minimise, the effect of this negative externality and assure the confidentiality of users' data.

References:
1. BugMeNot, Feb 2010.
2. Facebook Connect. 2010. http://www.facebook.com/advertising/?connect.
3. Windows Live Solution Center: Creating a strong password for your e-mail account.
4. Yahoo! Password Help.
5. Joseph Bonneau and Sören Preibusch. The password thicket: technical and market failures in human authentication on the web. In The Ninth Workshop on the Economics of Information Security (WEIS 2010), 2010.
6. Bundesamt für Sicherheit in der Informationstechnik (BSI) (Federal Office for Information Security). IT-Grundschutz Catalogues. 2005.
7. William E. Burr, Donna F. Dodson, and W. Timothy Polk. Electronic Authentication Guideline. NIST Special Publication 800-63, April 2006.
8. Chaos Computer Club (CCC). Datenbrief. http://www.ccc.de/datenbrief, January 2010.
9. Sören Preibusch and Joseph Bonneau. The Password Game: negative externalities from weak password practices.
10. Ashlee Vance. If Your Password Is 123456, Just Make It HackMe. The New York Times, January 2010.
