By Ioana Patringenaru
Newswise – Forcing every user of a company's or institution's internal systems to update their password is stressful and disruptive for users and IT staff alike. Many studies have looked at how users struggle with passwords and at password best practices.
However, very little research has examined how a password update campaign can be run efficiently and with minimal IT cost. Until now.
A team of computer scientists at the University of California San Diego partnered with the campus’ Information Technology Services to analyze the messaging for a campuswide mandatory password change impacting almost 10,000 faculty and staff members. The team found that email notifications to update passwords potentially yielded diminishing returns after three messages. They also found that a prompt to update passwords while users were trying to log in was effective for those who had ignored email reminders. Researchers also found that users whose jobs didn’t require much computer use struggled the most with the update.
To the team’s knowledge, it’s the first time an empirical analysis of a mandatory password update has been conducted at this large scale and in the wild, rather than as part of a simulation or controlled experiment.
The research team hopes that lessons from their analysis will be helpful to IT professionals at other institutions and companies.
The team presented their work at ACSAC ’23: Annual Computer Security Applications Conference in December 2023.
During the campaign, almost 10,000 faculty and staff at UC San Diego received four emails at roughly weekly intervals prompting them to change their single sign-on password. Users who still had not changed their password after the fourth email were intercepted at their next single sign-on login and prompted to change it before continuing.
The emails were effective, leading between 5 and 15% of users to update their passwords during each wave of emails. However, even after four such email prompts, a quarter of users had not completed the update procedure.
The finding contradicts a previous study that found 98% of participants changed their passwords after receiving multiple email messages. However, that study had a much smaller sample size.
Remarkably, 80% of the remaining users who hadn’t changed their passwords after the email campaign finally did so when prompted to log in.
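The figures above mix two denominators: each email wave is reported as a share of the whole population, while the login intercept is reported as a share of the users still outstanding after the emails. The following is an added example, not code from the study or from UC San Diego ITS, showing how to attribute completed changes to the phase in effect at the time and report both denominators side by side. The campaign dates and the 100-user population are constructed for illustration.

```python
"""Attribute completed password changes to the campaign phase in effect at the time.

Added example, not code from the study: it measures a staged notification
campaign (weekly email waves, then a login intercept) with both denominators
made explicit, share of the whole population and share of still-outstanding
users. All dates and user records below are constructed.
"""
from datetime import datetime, timedelta

# Hypothetical timeline: four weekly emails, then the intercept for everyone left.
CAMPAIGN_START = datetime(2023, 1, 9)
EMAIL_WAVES = [CAMPAIGN_START + timedelta(weeks=i) for i in range(4)]
INTERCEPT_START = CAMPAIGN_START + timedelta(weeks=4)
PHASES = [f"email{i + 1}" for i in range(len(EMAIL_WAVES))] + ["intercept"]


def phase_for(changed_at):
    """Which phase a change belongs to: the latest phase that had begun by then."""
    if changed_at < EMAIL_WAVES[0]:
        raise ValueError(f"{changed_at} predates the campaign; not a mandated change")
    if changed_at >= INTERCEPT_START:
        return "intercept"
    # Walk waves newest-first so a change is credited to the most recent email.
    for i in range(len(EMAIL_WAVES) - 1, -1, -1):
        if changed_at >= EMAIL_WAVES[i]:
            return f"email{i + 1}"


def campaign_report(records):
    """records: iterable of (user_id, datetime of the mandated change, or None if never).

    Returns {phase: {"count", "of_population", "of_outstanding"}, ...} plus
    "unchanged" and "population". of_outstanding divides the phase's count by
    the number of users who had not yet changed when that phase began."""
    counts = dict.fromkeys(PHASES, 0)
    population = unchanged = 0
    for _, changed_at in records:
        population += 1
        if changed_at is None:
            unchanged += 1
        else:
            counts[phase_for(changed_at)] += 1
    if population == 0:
        raise ValueError("no records supplied")
    report = {"population": population, "unchanged": unchanged}
    outstanding = population
    for phase in PHASES:
        n = counts[phase]
        report[phase] = {
            "count": n,
            "of_population": n / population,
            "of_outstanding": n / outstanding if outstanding else 0.0,
        }
        outstanding -= n
    # Sanity check: whoever is left after every phase never completed the change.
    assert outstanding == unchanged
    return report


def remaining_after_emails(report):
    """Fraction of the population still outstanding when the intercept started."""
    emailed = sum(report[p]["count"] for p in PHASES if p.startswith("email"))
    return 1 - emailed / report["population"]


def make_sample_records():
    """Constructed population of 100 users (not study data)."""
    per_phase = {"email1": 15, "email2": 12, "email3": 10, "email4": 5, "intercept": 46}
    starts = dict(zip(PHASES, EMAIL_WAVES + [INTERCEPT_START]))
    records, uid = [], 0
    for phase, n in per_phase.items():
        for _ in range(n):
            # Each user completes the change two days into the phase.
            records.append((f"u{uid}", starts[phase] + timedelta(days=2)))
            uid += 1
    while uid < 100:  # 12 users who never completed the change
        records.append((f"u{uid}", None))
        uid += 1
    return records


if __name__ == "__main__":
    rep = campaign_report(make_sample_records())
    for phase in PHASES:
        r = rep[phase]
        print(f"{phase:10s} {r['count']:4d}  {r['of_population']:6.1%} of all  "
              f"{r['of_outstanding']:6.1%} of outstanding")
    print(f"still outstanding when intercept began: {remaining_after_emails(rep):.1%}")
    print(f"never changed: {rep['unchanged']}")
```

Reporting `of_outstanding` alongside `of_population` is what makes the intercept comparable to the email waves: a phase that reaches only the hard-to-reach remainder will always look small against the whole population, and the falling `of_outstanding` across successive email waves is the diminishing-returns signal the study describes. Real data would come from the identity provider's password-change audit log keyed by user and timestamp.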
“The active single sign-on prompting was a big winner across the board,” said Ariana Mirian, the paper’s first author, who earned her Ph.D. in the UC San Diego Department of Computer Science and Engineering. “You managed to get people who are stubborn–and maybe not paying attention–to take action, and that’s huge.”
Researchers also noted that, despite concerns from the campus, the campaign did not generate a significant surge in tickets to the IT help desk. Overall ticket volume did rise three- to fourfold during the campaign, but tickets related to the password update made up only 8% of all requests.
Not surprisingly, the users who struggled the most worked in areas where they are not required to log in to a computer regularly, such as maintenance, recreation, and dining services.
“Targeting such users earlier, or forgoing email reminders and using login intercepts from the start, or even using a different notification mechanism such as text messages, may be more effective,” the researchers write.
The research was funded by the National Science Foundation, the UC San Diego CSE postdoctoral fellows program, the Irwin Mark and Joel Klein Jacobs Chair in Information and Computer Science, and operational support from the UC San Diego Center for Networked Systems.