Skip to content
Naked Security Naked Security

Could this be the end of password re-use?

It’s password security’s Achilles heel: too many people make life easy for cybercriminals by re-using the same ones over and over. But what if there were a way for websites to compare notes on whether a password (or similar password) has been set by a user elsewhere?

It’s password security’s Achilles heel: too many people make life easy for cybercriminals by re-using the same ones over and over.
The traditional solution is to implore users to set unique ones, preferably using a password manager. However, only a small minority pay any attention.
But what if there were a way for websites to compare notes on whether a password (or similar password) has been set by a user elsewhere?
According to two University of North Carolina researchers it could be possible using a framework specially designed for websites to check password similarity without ruining privacy, security, and performance.
Their suggestion is the ‘private set-membership-test’ protocol, based on the seeming magic of homomorphic encryption invented by IBM a decade ago to process encrypted cloud data without needing to decrypt it first.
It sounds simple enough: the user would select a password at a site (the requester), which would be checked against the passwords selected by the same user at other sites (the responders).
If the password was the same as, or similar to, the one being entered, the user would be asked to make a different choice.
Of course, to be useful it would need to be used by lots of sites, the very thing that might reduce performance. There would also need to be a reliable way of identifying users across numerous websites.


Cleverly, the researchers bypass the performance issue by pointing out that the protocol would only need to be used by a core of up to 20 big providers (Google, Facebook, Yahoo, et al) to eliminate most of the password reuse problem.
For identification, they reckon (probably correctly) that the vast majority of users rely on email addresses tied to a single domain from within this select group.
As for security and privacy (the problem of querying sites without creating the potential for leakage), the principles of homomorphic encryption would take care of this, they say.
If that sounds like a bit of an assumption, the research description goes into plenty of depth about the immense challenges of preserving security and why this kind of encryption is up to the job.
The authors are at least realistic about how users might react:

We are under no illusions that our design, were it deployed, will be met with anything but contempt (at least temporarily) by the many users who currently reuse passwords at multiple websites.

As solutions go, this one seems like it might be a bit tricky to implement – getting together a core of big providers to implement a homomorphic encryption protocol might take years.
Would the problem be better addressed either by better integrating password managers or simply abandoning the password as a primary means of authentication?
If the password reuse problem is really about large numbers of users deploying the same password across a small number of core sites, then the sooner they change that architecture the better.
But perhaps what the researchers have come up with is really a brilliant way to check not re-used passwords but the credential stuffing attacks themselves.
Various schemes have been suggested for doing this, but none has yet made it past the research stage. The application may be different but the problem of detecting the similarity of entered data in different places is fundamentally the same thing in another guise.

15 Comments

Two points for those of us who use password managers:
1) Detecting re-used passwords would be a neat, easy-to-implement function for the password manager (or an app with access to the password manager’s database);
2) There are many situations in which you cannot use the password manager’s automated insertion, leading us (me, at least) to use simple, easily-remembered passwords in those situations, rather than our (mine, at least) very long and complex (managed) passwords.

Agreed. I especially concur with the second point. I use lastpass on my phone as well. It asks me to log in every time I want to autofill my credentials. I’d rather have a fingerprint sensor that expedites this than to log-in with my 20 odd character password every single time.

Just how bad of an idea is this – shifting password responsibility from the end user to the site? If the health care system did the same thing: when you go out to eat, the restaurant will check with the other places you eat to see if you already ate. If you did they won’t serve you.. not a good idea, nope not at all. Some times I eat at one place, and get dessert at another..

It would help if websites stopped requiring you to register before being able to make a one-off purchase

+1 (especially if they are government or public utility websites such as railway operators, electricity suppliers and so on). The “convenience” behind making me sign up for an account is all yours. Maybe GDPR will help to stamp this practice out as needless data collection?

Let me see, what could possibly go wrong with a start-up holdinga repository of my passwords and a handy link to where I used them?

While password re-use is a problem, I think this plan is targeting the wrong sites to try to tackle it. The reason that re-use is a bad thing is because of the risk that easily reversed password hashes, or even cleartext passwords will get leaked from a poorly secured site in the long tail of internet sites.
The idea of this framework is that a core of the most highly used, and well managed sites on the internet would share password hashes with each other to prevent re-use. The thing is that password leaks from those sites is very unlikely because they employ professional security engineers who know what they are talking about. I very much doubt that anyone will get hold of my google password by hacking google, or brute forcing a password hash without anyone noticing.
On the other hand, I have loads of accounts on random web store fronts, old chat forums and the like. Some of those will not be professionally managed, some might even be storing passwords in the clear. These are the sites where password re-use could cause major hurt, but they won’t be taking part in this framework, in part because they are not invited, but also because their part time admins won’t have heard of it anyway.

> “I very much doubt that anyone will get hold of my google password by hacking google, or brute forcing a password hash without anyone noticing.”
I suppose I could substitute Yahoo! for Google in the above statement, right? Oops, no, I guess not. They lost hundreds of millions of passwords and people did notice–two years later.
I’m a careful user with unique passwords for any site that holds my credentials (I always check “Don’t save my credit card.”) but I still have eleven entries in haveibeenpwned.com, and I bet you do too.

But this would just force more and more passwords onto the user. One of the main reasons that user resuse passwords is that they cannot remember many individual passwords.
Yes, using a password manager would solve this but it puts all the eggs in one basket and assumes that the non-technical users will know to set a good strong password on the manager and back it up appropriately.
Lets be honest, if users don’t back up their most precious photographs and documents, they’re not going to do it with passwords.
We also have the issue pointed out by several posters above that many sites do not permit cut and paste from managers into their password fields.
Basically The Password is a busted flush, it’s time has past, we need to move on now. Biometrics or 2FA in support of weak passwords will be the way forward

It seems like they did plenty job on designing and evaluating their proposed solution. I respect that. And I admit this might be the only way to eliminate password reuse before passwords become history, regardless of how many users would possibly like it (I guess very few). But apparently a trade-off between usability and security is very important here. It’d be extremely annoying if all of my accounts forced me to remember so many different passwords (I simply don’t trust password managers). But I would possibly accept it if PayPal, banking sites, Dropbox, etc., asked me to do so since I only care about my accounts’ security on these sites.

I usually just let chrome make a password for me. Syncs with chrome for android so it very convenient.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?