A study of user password strategy for multiple accounts

Despite advances in biometrics and other technologies, passwords remain the most commonly used means of authentication in computer systems. Users maintain different security levels for different passwords. In this study, we examine the degree of similarity among passwords of different security levels of a user. We conducted a laboratory experiment with 80 students from the University of Texas at Arlington (UTA). We asked the subjects to construct new passwords for websites of different security levels. We collected the lower-level passwords (e.g., passwords for online news sites) constructed by the subjects, combined them with a comprehensive wordlist, and performed dictionary attacks on their constructed passwords from the higher-level sites (e.g., banking websites). We could successfully crack almost one-third of their constructed passwords from the higher-level sites with this method. This suggests that, if a user’s lower-level password is leaked, it can be used effectively by an attacker to crack some of the user’s higher-level passwords.