Many of us are well aware of the ongoing problem of password reuse between online services. Billions of account records, including clear-text and poorly hashed passwords, are publicly accessible for use in attacks on other services. Verizon’s 2017 DBIR noted that operators of websites using standard email address and password authentication need to be wary of the impact that breaches of other sites have on their own site, because password reuse is so widespread. The authors of the DBIR, and indeed many in the security industry including me, recommend combating the problem with two-factor authentication. That is certainly good advice, but it’s not practical for every site and every type of visitor. As an alternative, I propose that websites begin issuing a randomized password to each person creating an account. The site can give the visitor an easy way to change that password to something of his or her choosing. Clearly this won’t end password reuse outright, but it will likely make a substantial dent in it, with little if any of the additional cost or complexity associated with two-factor authentication. An advantage of this approach is that it allows “responsible” sites to minimize the likelihood that accounts on their own site are breached by attackers using credentials harvested from other sites.
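To make the proposal concrete, here is an added example of the server-side piece (my own illustration, not code from the post or any particular site): the issued password comes from the operating system's CSPRNG via Python's secrets module rather than the random module, the site stores only a salted scrypt hash of it, and the visitor can later replace it with a password of their choosing. The storage format, the scrypt parameters, the alphabet, and the 16-character length are assumptions chosen for the example; the point being shown is that an issued password is unguessable and unique to this site, so a breach elsewhere cannot be replayed against it.

```python
import hashlib
import math
import secrets
import string
from typing import Optional

# Assumed alphabet: letters and digits minus characters that are easy to
# misread when a visitor copies the issued password off the screen.
ALPHABET = "".join(c for c in string.ascii_letters + string.digits if c not in "0O1lI")
PASSWORD_LENGTH = 16  # assumed default; ~93 bits of entropy with this alphabet

# Assumed scrypt work factors; tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def issue_password(length: int = PASSWORD_LENGTH) -> str:
    """Generate a site-issued password from the OS CSPRNG (secrets.choice),
    never from random.choice, which is predictable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int = PASSWORD_LENGTH, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy of a uniformly random password over the alphabet."""
    return length * math.log2(alphabet_size)


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme, parameters, salt and digest.
    Only this string is stored; the password itself is never written down."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    return secrets.compare_digest(digest.hex(), digest_hex)


def create_account(email: str) -> tuple:
    """Create an account record with a site-issued password.
    The clear-text password is returned once so it can be shown to the visitor,
    and is not part of the stored record."""
    issued = issue_password()
    record = {"email": email, "pw_hash": hash_password(issued)}
    return issued, record


def change_password(record: dict, current: str, new: str) -> bool:
    """Let the visitor replace the issued password after proving they know it.
    Returns False (and leaves the record untouched) if the current password is wrong."""
    if not verify_password(current, record["pw_hash"]):
        return False
    record["pw_hash"] = hash_password(new)
    return True


if __name__ == "__main__":
    # Constructed sample flow: sign-up, then the visitor picks their own password.
    issued, rec = create_account("visitor@example.com")
    print("issued password (shown once):", issued)
    print("stored record:", rec)
    print("change with wrong current password:", change_password(rec, "nope", "chosen-pw"))
    print("change with issued password:", change_password(rec, issued, "chosen-pw"))
    print("issued password still works?", verify_password(issued, rec["pw_hash"]))
```

The record is self-describing so the work factors can be raised later without breaking existing accounts, and verification uses a constant-time comparison so a timing side channel does not leak the digest. Note that issuing random passwords only helps the site that issues them; if the visitor then reuses the issued password elsewhere, that other site's breach is again the weak point.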
What are your thoughts?