Researchers at Indiana University have confirmed that stringent password policies – aside from being really annoying – actually work. The research, led by Ph.D. student Jacob Abbott, IU CIO Daniel Calarco, and professor L. Jean Camp. They published their findings in a paper entitled “Factors Influencing Password Reuse: A Case Study.”
“Our paper shows that passphrase requirements such as a 15-character minimum length deter the vast majority of IU users (99.98 percent) from reusing passwords or passphrases on other sites,” said Abbott. “Other universities with fewer password requirements had reuse rates potentially as high as 40 percent.”
To investigate the impact of policy on password reuse, the study analyzed password policies from 22 different U.S. universities, including their home institution, IU. Next, they extracted sets of emails and passwords from two large data sets that were published online and contained over 1.3 billion email addresses and password combinations. Based on email addresses belonging to a university’s domain, passwords were compiled and compared against a university’s official password policy.
The findings were clear: Stringent password rules significantly lower a university’s risk of personal data breaches.
In short, requiring longer passwords and creating a truly stringent password policy reduced fraud and password reuse by almost 99%. Further, the researchers found that preventing users from adding their name or username inside passwords it’s also pretty helpful. Ultimately, having a stringent password policy is far better than have none at all. It’s a no-brainer but it could be an important data point for your next tech project.