Passwords are something we all have to deal with on a daily basis, and the advice has long been to use complex passphrases, to use unique passwords for each site and service, and to change them on a regular basis. But Microsoft Research has different ideas. A paper published by researchers Dinei Florencio and Cormac Herley and Paul C. van Oorschot from Carleton University, Ottawa, Canada suggests taking a rather different approach.
The paper recognizes that users now have a large portfolio of passwords to remember, and goes on to say that "mandating exclusively strong passwords with no re-use gives users an impossible task". What does this mean? Essentially, the researchers are saying that by encouraging, or even forcing, users to select complex, lengthy, unique passwords, the likelihood of forgetting them is greatly increased.
The researchers admit that their findings "directly challenge accepted wisdom and conventional advice", but continues to say that "portfolio strategy ruling out weak passwords or password re-use is sub-optimal". The use and re-use of simple passwords for low-risk websites is not only not discouraged by the paper, but actively encouraged. Strong, difficult-to-remember password should be reserved for sites and services that pose a high risk.
The aim is to overcome the problem of poor memory. If you have super-strong, unique passwords for every site and services, sure you'll probably keep out the bad guys, but there's a high chance that you'll also lock yourself out when you ultimately forget them. You could write them down, but this defeats the purpose of a password. Password managers are another solution, but they are not perfect and can be vulnerable to attack. There is also the problem of the "finite-effort user" to take into account -- users can only be expected to be willing to do so much in the name of secure access.
While the advice of the paper comes across as slightly counter intuitive to start with, with a little consideration it is easy to understand the thinking behind the advice -- which boils down to the question "why make life any harder than it needs to be?" It's a trade-off between the level of security you want, and the amount of effort you want to put in.