Maximizing the Effectiveness of Mandatory Password Update Campaigns: Lessons from a Large-Scale Empirical Analysis
Wednesday, February 7, 2024, 03:38 UTC

A team of computer scientists at UC San Diego conducted a large-scale empirical analysis of a mandatory password update campaign and found that active prompts, such as during login, were highly effective. Users whose jobs didn't require much computer use struggled the most, but alternative means of authentication may increase participation. Despite concerns, the campaign did not generate a significant increase in IT help desk tickets.
Updating passwords for all users of a company or institution's internal computer systems is a necessary but often dreaded task. It disrupts daily workflow for both users and IT professionals, and studies have shown that users struggle with password changes and password best practices. However, little research has been done on how to conduct a password update campaign efficiently and with minimal IT costs.
That's where the team of computer scientists at the University of California San Diego comes in. In partnership with the campus' Information Technology Services, they conducted an empirical analysis of a campus-wide mandatory password change impacting almost 10,000 faculty and staff members. Their findings, published at the Annual Computer Security Applications Conference in December 2023, offer valuable insights for IT professionals at other institutions and companies.
The study found that email notifications to update passwords yielded diminishing returns after three messages. This means that while initial email prompts were effective, subsequent emails had less impact. The team also discovered that a prompt to update passwords while users were trying to log in was highly effective for those who had ignored email reminders. This indicates that passive reminders may not be as effective as active prompts.
Interestingly, the study also found that users whose jobs didn't require much computer use struggled the most with the mandatory update. This is likely due to a lack of familiarity with the password change process and to not logging into their computers regularly. The researchers suggest that targeting this user population with alternative means of authentication may increase participation and adoption.
The team's analysis also revealed that after four email prompts, a quarter of users had not completed the password update procedure. This contradicts a smaller study which found that 98% of participants changed their passwords after receiving multiple email messages. This difference may be attributed to the larger sample size in the UC San Diego study. However, the research team discovered that prompting users to update their passwords during login was highly effective, with 80% of remaining users finally completing the update.
Despite concerns from the campus, the mandatory password update campaign did not generate a significant increase in IT help desk tickets. While ticket volume did increase three to four times, requests related to the password update only represented 8% of all tickets. This indicates that the campaign was successful in minimizing disruption to IT professionals' workload.
Overall, the team's innovative research offers valuable insights for conducting efficient and cost-effective mandatory password update campaigns. By understanding user behavior and targeting specific populations, IT professionals can increase participation and adoption while minimizing disruption to daily workflow.