Do Differences in Password Policies Prevent Password Reuse?

Authors :
Tobias Seitz
Samuel Souque
Manuel Hartmann
Jakob Pfab
Source :
CHI Extended Abstracts
Publication Year :
2017
Publisher :
ACM, 2017.

Abstract

Password policies were originally designed to make users pick stronger passwords. However, research has shown that they often fail to achieve this goal. In a systematic audit of the top 100 web sites in Germany, we explore if diversity in current real-world password policies prevents password reuse. We found that this is not the case: we are the first to show that a single password could hypothetically fulfill 99% of the policies under consideration. This is especially problematic because password reuse exposes users to similar risks as weak passwords. We thus propose a new approach for policies that focuses on password reuse and respects other websites to determine if a password should be accepted. This re-design takes current user behavior into account and potentially boosts the usability and security of password-based authentication.

Details

Database :
OpenAIRE
Journal :
Proceedings of the 2017 CHI Conference Extended Abstracts on Human Factors in Computing Systems
Accession number :
edsair.doi...........0526f4db7745b68271db4c32d005ff5a