Struggling with mandatory password change policies? Here's the most effective way to get stubborn employees to comply
The study involved monitoring email reminders and login prompts sent to almost 10,000 faculty and staff members
A team of university computer scientists has analyzed the messaging for a campus-wide mandatory password change in what is considered the first study of its kind to look at effective communications around password policies.
Researchers at the University of California San Diego teamed up with the campus’ Information Technology Services team to analyze the messaging for a campus-wide mandatory password change affecting almost 10,000 faculty and staff members.
They believe this is the first time that an empirical analysis of a mandatory password update has been conducted on this large a scale and in the wild, rather than as part of a simulation or controlled experiment.
Over the first four weeks of the campaign, faculty and staff at UC San Diego received four emails at roughly weekly intervals prompting them to change their single sign-on password. Those who still failed to act then got a prompt to do so as they logged in.
The emails were considered to be generally effective, with between 5% and 15% of users updating their passwords during each wave of emails. However, there were diminishing returns: even after four email prompts, a quarter of users still hadn't completed the update procedure.
Eight out of ten of these reluctant users, though, finally changed their passwords when they were prompted to do so at login.
"The active single sign on prompting was a big winner across the board," says the paper’s first author, Ariana Mirian. "You managed to get people who are stubborn – and maybe not paying attention – to take action, and that’s huge."
In what must have come as a relief – and despite concerns from the campus – the campaign did not generate a significant increase in tickets to the IT help desk. While ticket volume did increase by three to four times, tickets related to the password update only represented 8% of all requests.
The users who were slowest to carry out the update were those working in areas where they weren't required to log in to their computers regularly, such as maintenance, recreation, and dining services.
"Targeting such users earlier, or forgoing email reminders and using login intercepts from the start, or even using a different notification mechanism such as text messages, may be more effective," the researchers write.
Mandatory password change programs aren't always a good idea, with the UK's National Cyber Security Centre (NCSC) warning that they can be counterproductive. When users are forced to change their password, it says, the chances are that they'll pick something similar to the password they used before.
"The new password may have been used elsewhere, and attackers can exploit this too. The new password is also more likely to be written down, which represents another vulnerability," it says.
"New passwords are also more likely to be forgotten, and this carries the productivity costs of users being locked out of their accounts, and service desks having to reset passwords."
Instead, the NCSC recommends using system monitoring tools that present users with information about the last login attempt, so they can see if they’re responsible for failed login attempts and report any issues for investigation.
"Initiatives such as this are far more likely to help keep systems safe, and much more manageable for the user," says the NCSC.
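The NCSC recommendation above (show each user their previous successful login and any failed attempts since it) can be illustrated with a small Python example; this is added here, not code from the researchers, the NCSC or any product, and it assumes a constructed key=value authentication log format.

```python
import re
from datetime import datetime, timezone

# Constructed sample authentication log (not from the article); the format is an assumption.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z user=jdoe result=success ip=10.0.0.5
2024-03-02T22:14:03Z user=jdoe result=failure ip=203.0.113.9
2024-03-02T22:14:40Z user=jdoe result=failure ip=203.0.113.9
2024-03-03T09:00:00Z user=asmith result=success ip=10.0.0.7
2024-03-03T09:30:12Z user=jdoe result=success ip=10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>success|failure) ip=(?P<ip>\S+)$"
)

def parse_log(text):
    """Parse log lines into (timestamp, user, result, ip) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed lines instead of failing the whole parse
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["result"], m["ip"]))
    return sorted(events)

def last_login_summary(events, user, login_ts):
    """Build the information to show `user` at the login occurring at `login_ts`:
    the previous successful login and the failed attempts recorded since it."""
    prior = [e for e in events if e[1] == user and e[0] < login_ts]
    successes = [e for e in prior if e[2] == "success"]
    last_ok = successes[-1] if successes else None
    since = last_ok[0] if last_ok else datetime.min.replace(tzinfo=timezone.utc)
    failures = [e for e in prior if e[2] == "failure" and e[0] > since]
    return {
        "last_success": last_ok[0].isoformat() if last_ok else None,
        "last_success_ip": last_ok[3] if last_ok else None,
        "failed_since": len(failures),
        "failed_ips": sorted({e[3] for e in failures}),
    }

def format_banner(summary):
    """Render the summary as the one-line notice a user would see after signing in."""
    if summary["last_success"] is None:
        return "First recorded login for this account."
    msg = f"Last successful login: {summary['last_success']} from {summary['last_success_ip']}."
    if summary["failed_since"]:
        msg += (f" {summary['failed_since']} failed attempt(s) since then from "
                f"{', '.join(summary['failed_ips'])}; report this if it was not you.")
    return msg
```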
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.