Annual Computer Security Applications Conference (ACSAC) 2023

An Empirical Analysis of Enterprise-Wide Mandatory Password Updates

Enterprise-scale mandatory password changes are disruptive, complex endeavors that require the entire workforce to prioritize a goal that is often secondary for most users. While ample literature exists on user perceptions and struggles, there are few "best practices" from the perspective of the enterprise, either for achieving the end goal or for minimizing IT costs. In this paper, we provide an empirical analysis of an enterprise-scale mandatory password change covering almost 10,000 faculty and staff at an academic institution. Using a combination of user notification logs, password update records, and help desk ticket information, we construct an empirical model of user response over time. In particular, we characterize the elements of the campaign that relate to ideal and non-ideal outcomes, including unnecessary user actions and IT help desk overhead. We aim to provide insight into successes and challenges that can generalize to other organizations implementing similar initiatives.

Ariana Mirian
University of California, San Diego

Grant Ho
University of California, San Diego

Stefan Savage
University of California, San Diego

Geoffrey M. Voelker
University of California, San Diego

Paper (ACM DL)

Slides