Each Internet user has, on average, 25 password-protected accounts but only 6.5 distinct passwords [webhabits]. Despite the advice of security experts, users are obviously re-using passwords across multiple sites. So this paper asks the question: given that users are going to re-use passwords across multiple sites, how should they best allocate those passwords to sites so as to minimize their losses from accidental password disclosures? We provide both theoretical and practical results. First, we provide a mathematical formulation of the Password Allocation (PA) problem and show that it is NP-complete via a reduction from the 3-Partition problem. We then study several special cases and show that the optimal solution is often a contiguous allocation, i.e., similar accounts share passwords. Next, we evaluate several human- and machine-computable heuristics that have very good performance and produce solutions that are reasonably close to optimal. We find that the human-computable heuristics do not perform nearly as well as the machine-computable heuristics; however, they provide a useful and easy-to-follow set of guidelines for re-using passwords.
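To make the allocation question concrete, here is an added toy instance (not the paper's code or its formal model; the loss model, the sample values and the 0.05 disclosure probability are constructed assumptions). It compares the brute-force optimum over every labelling with a search restricted to contiguous allocations of the accounts sorted by value, illustrating the abstract's claim that the optimum is often contiguous.

```python
# Toy instance of the Password Allocation (PA) problem. Assumed loss model
# (constructed for this example, not the paper's formulation): account i has
# value v[i] and an independent probability q[i] of accidentally disclosing
# its password; whoever learns a password gets every account sharing it, so
# the expected loss of an allocation is
#   sum over password groups G of (1 - prod_{i in G}(1 - q[i])) * sum_{i in G} v[i]
from itertools import combinations, product

def expected_loss(values, probs, assignment):
    """assignment[i] is the index of the password used by account i."""
    groups = {}
    for account, pw in enumerate(assignment):
        groups.setdefault(pw, []).append(account)
    loss = 0.0
    for members in groups.values():
        p_safe = 1.0
        for i in members:
            p_safe *= 1.0 - probs[i]          # probability no member leaks
        loss += (1.0 - p_safe) * sum(values[i] for i in members)
    return loss

def brute_force(values, probs, k):
    """Optimal allocation by trying all k**n labellings (tiny instances only)."""
    return min((expected_loss(values, probs, a), list(a))
               for a in product(range(k), repeat=len(values)))

def best_contiguous(values, probs, k):
    """Search only allocations that cut the accounts, sorted by value, into
    k consecutive runs, i.e. accounts of similar value share a password."""
    n = len(values)
    order = sorted(range(n), key=lambda i: values[i])
    best = None
    for cuts in combinations(range(1, n), k - 1):  # ranks where a new run starts
        assignment, label = [0] * n, 0
        for rank, account in enumerate(order):
            if rank in cuts:
                label += 1
            assignment[account] = label
        loss = expected_loss(values, probs, assignment)
        if best is None or loss < best[0]:
            best = (loss, assignment)
    return best

# Constructed sample: six accounts (values in arbitrary units), three passwords.
VALUES = [10, 1, 50, 3, 20, 2]
PROBS = [0.05] * 6
K = 3

if __name__ == "__main__":
    print("brute force:", brute_force(VALUES, PROBS, K))
    print("contiguous :", best_contiguous(VALUES, PROBS, K))
```

With equal disclosure probabilities the two searches agree: the highest-value account gets a password of its own, the two mid-value accounts share one, and the three low-value accounts share the third.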
[1] Claude Castelluccia et al. How Unique and Traceable Are Usernames? PETS, 2011.
[2] Cormac Herley et al. A large-scale study of web password habits. WWW '07, 2007.
[3] David S. Johnson et al. Computers and Intractability: A Guide to the Theory of NP-Completeness. 1978.
[4] Helmut Schneider et al. The domino effect of password reuse. CACM, 2004.
[5] Gerhard J. Woeginger et al. When does a dynamic programming formulation guarantee the existence of an FPTAS? SODA '99, 1999.
[6] Edward W. Felten et al. Password management strategies for online accounts. SOUPS '06, 2006.