Struggling with mandatory password change policies? Here's the most effective way to get stubborn employees to comply
The study involved monitoring email reminders and login prompts sent to almost 10,000 faculty and staff members


A team of university computer scientists has analyzed the messaging for a campus-wide mandatory password change in what is considered the first study of its kind to look at effective communications around password policies.
Researchers at the University of California San Diego teamed up with the campus’ Information Technology Services team to analyze the messaging for a campus-wide mandatory password change affecting almost 10,000 faculty and staff members.
They believe this is the first time that an empirical analysis of a mandatory password update has been conducted on this large a scale and in the wild, rather than as part of a simulation or controlled experiment.
Over the first four weeks of the campaign, faculty and staff at UC San Diego received four emails at roughly weekly intervals prompting them to change their single sign-on password. Those who still failed to act then got a prompt to do so as they logged in.
The emails were considered to be generally effective, with between 5% and 15% of users updating their passwords during each wave of emails. However, there were diminishing returns: even after four email prompts, a quarter of users still hadn't completed the update procedure.
Eight out of ten of these reluctant users, though, finally changed their passwords when they were prompted to do so at log-in.
"The active single sign-on prompting was a big winner across the board," says the paper’s first author, Ariana Mirian. "You managed to get people who are stubborn – and maybe not paying attention – to take action, and that’s huge."
In what must have come as a relief – and despite concerns from the campus – the campaign did not generate a significant increase in tickets to the IT help desk. While ticket volume did increase by three to four times, tickets related to the password update only represented 8% of all requests.
The users who were slowest to carry out the update were those working in areas where they weren't required to log in to their computers regularly, such as maintenance, recreation, and dining services.
"Targeting such users earlier, or forgoing email reminders and using login intercepts from the start, or even using a different notification mechanism such as text messages, may be more effective," the researchers write.
Mandatory password change programs aren't always a good idea: the UK's National Cyber Security Centre (NCSC) warns that they can be counterproductive. When users are forced to change their password, it says, the chances are that they'll pick something similar to the password they used before.
"The new password may have been used elsewhere, and attackers can exploit this too. The new password is also more likely to be written down, which represents another vulnerability," it says.
"New passwords are also more likely to be forgotten, and this carries the productivity costs of users being locked out of their accounts, and service desks having to reset passwords."
Instead, the NCSC recommends using system monitoring tools that present users with information about the last login attempt, so they can see if they’re responsible for failed login attempts and report any issues for investigation.
"Initiatives such as this are far more likely to help keep systems safe, and much more manageable for the user," says the NCSC.
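The NCSC's suggestion above, as an added Python example that is not from the article or from the NCSC: given a constructed login-event log, it builds the "previous successful login, and failed attempts since then" summary a sign-in page could show the user. The log format, field names and sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of authentication events (not real data):
# timestamp, user, outcome, source address.
SAMPLE_EVENTS = """\
2024-03-01T08:02:11Z alice success 10.0.0.5
2024-03-01T19:44:03Z alice failure 203.0.113.7
2024-03-01T19:44:20Z alice failure 203.0.113.7
2024-03-02T07:15:00Z alice failure 198.51.100.9
2024-03-02T08:00:42Z alice success 10.0.0.5
2024-03-02T08:10:00Z bob success 10.0.0.8
"""


@dataclass
class LoginEvent:
    when: datetime
    user: str
    ok: bool
    source: str


def parse_events(text: str) -> list[LoginEvent]:
    """Parse the assumed whitespace-separated log format into events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, outcome, source = line.split()
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(LoginEvent(when, user, outcome == "success", source))
    return events


def last_login_summary(events: list[LoginEvent], user: str):
    """Summary to show at sign-in: the success before the current one,
    and every failed attempt between the two, grouped by source."""
    mine = sorted((e for e in events if e.user == user), key=lambda e: e.when)
    successes = [e for e in mine if e.ok]
    if not successes:
        return None
    current = successes[-1]          # the login happening now
    previous = successes[-2] if len(successes) >= 2 else None
    failures = [e for e in mine if not e.ok and e.when < current.when
                and (previous is None or e.when > previous.when)]
    by_source: dict[str, int] = {}
    for f in failures:
        by_source[f.source] = by_source.get(f.source, 0) + 1
    return {
        "previous_success": previous.when.isoformat() if previous else None,
        "previous_source": previous.source if previous else None,
        "failed_attempts": len(failures),
        "failed_by_source": by_source,
    }
```

A user who sees three failures from addresses they do not recognise has something concrete to report, which is the point of the NCSC guidance.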
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.