Computer scientists from the University of California San Diego conducted a comprehensive study on running an efficient password update campaign with minimal IT costs. The research was carried out in collaboration with the campus's Information Technology Services and analyzed the messaging for a campus-wide mandatory password change that affected almost 10,000 faculty and staff members.
The study revealed several key findings:
- Email notifications for password updates showed diminishing returns after three messages.
- A login prompt for users who ignored email reminders proved to be very effective in compelling users to update their passwords.
- Users with jobs requiring less frequent computer use faced the most challenges with the password update process.
- Despite initial concerns, the campaign did not significantly increase IT help desk ticket volumes, with tickets related to the password update constituting only a small fraction of all requests.
This research is significant as it represents one of the first empirical analyses of a mandatory password update conducted on such a large scale outside of controlled experiments or simulations. The insights gained could be invaluable for IT professionals looking to conduct similar campaigns at other institutions or companies with minimal disruption and cost.
The team presented its findings at the Annual Computer Security Applications Conference (ACSAC) in December 2023 to share the lessons learned with a broader audience in the IT and cybersecurity fields. The research was supported by the National Science Foundation and other contributors, underscoring the importance of cybersecurity in today’s digital landscape.
For more detailed information, you can refer to the articles on TechXplore and Mirage News, or the original presentation at the Center for Networked Systems at UC San Diego.