Abstract or Summary:
Every day, attackers exploit password reuse to breach accounts, costing users and service providers dearly. Conventional wisdom blames users for choosing and reusing easily cracked passwords. However, a complete analysis of the password reuse ecosystem reveals a convoluted situation. While it's true that users poorly understand the risks of reusing passwords, nonsensical password composition policies and confusing notifications further sustain the problem.

This talk argues that reducing password reuse requires solutions going far beyond telling users to not reuse passwords. Reflecting on insights from user studies and qualitative research, I present best practices for designing password-reuse notifications and pose criteria for any potential solutions hoping to ameliorate password reuse.

PasswordResearch.com Note: Video of presentation: https://www.youtube.com/watch?v=9X0Ev2RJeTM