It’s password security’s Achilles heel: too many people make life easy for cybercriminals by re-using the same ones over and over.
The traditional solution is to implore users to set unique ones, preferably using a password manager. However, only a small minority pay any attention.
But what if there were a way for websites to compare notes on whether a password (or similar password) has been set by a user elsewhere?
According to two University of North Carolina researchers it could be possible using a framework specially designed for websites to check password similarity without ruining privacy, security, and performance.
Their suggestion is the ‘private set-membership-test’ protocol, based on the seeming magic of homomorphic encryption invented by IBM a decade ago to process encrypted cloud data without needing to decrypt it first.
It sounds simple enough: the user would select a password at a site (the requester), which would be checked against the passwords selected by the same user at other sites (the responders).
If the password was the same as, or similar to, the one being entered, the user would be asked to make a different choice.
Of course, to be useful it would need to be used by lots of sites, the very thing that might reduce performance. There would also need to be a reliable way of identifying users across numerous websites.
Cleverly, the researchers bypass the performance issue by pointing out that the protocol would only need to be used by a core of up to 20 big providers (Google, Facebook, Yahoo, et al) to eliminate most of the password reuse problem.
For identification, they reckon (probably correctly) that the vast majority of users rely on email addresses tied to a single domain from within this select group.
As for security and privacy (the problem of querying sites without creating the potential for leakage), the principles of homomorphic encryption would take care of this, they say.
If that sounds like a bit of an assumption, the research description goes into plenty of depth about the immense challenges of preserving security and why this kind of encryption is up to the job.
The authors are at least realistic about how users might react:
We are under no illusions that our design, were it deployed, will be met with anything but contempt (at least temporarily) by the many users who currently reuse passwords at multiple websites.
As solutions go, this one seems like it might be a bit tricky to implement – getting together a core of big providers to implement a homomorphic encryption protocol might take years.
Would the problem be better addressed either by better integrating password managers or simply abandoning the password as a primary means of authentication?
If the password reuse problem is really about large numbers of users deploying the same password across a small number of core sites, then the sooner they change that architecture the better.
But perhaps what the researchers have come up with is really a brilliant way to check not re-used passwords but the credential stuffing attacks themselves.
Various schemes have been suggested for doing this, but none has yet made it past the research stage. The application may be different but the problem of detecting the similarity of entered data in different places is fundamentally the same thing in another guise.