
Assessing the User Experience of Password Reset Policies in a University

  • Conference paper

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9551))

Abstract

Organisations often provide helpdesk services to users, to resolve any problems that they may have in managing passwords for their provisioned accounts. Helpdesk logs record password change events and support requests, but overlook the impact of compliance upon end-user productivity. System managers are not incentivised to investigate these impacts, so productivity costs remain with the end-user. We investigate how helpdesk log data can be analysed and augmented to expose the user’s personal costs. Here we describe exploratory analysis of a university’s helpdesk log data, spanning 30 months and 500,000 system events for approximately 10,000 staff and 20,000-plus students. The scale of end-user costs was identified in the log data; follow-on exploratory interviews and NASA-RTLX assessments with 20 students exposed issues which the log data did not adequately represent. The majority of users reset passwords before expiration. Log analysis indicated that the online self-service system was vastly preferred to the helpdesk, but that there was a 4:1 ratio of failed to successful attempts to recover account access. Log data did not capture the effort of managing passwords; interviews exposed points of frustration. Participants saw the need for security but voiced a lack of understanding of the numerous restrictions on passwords. Frustrations led to adoption of diverse coping strategies, for example deliberately waiting to reset a password until after reaching the post-expiry grace period. We propose ways to improve support, including real-time communication of the reasons for failed password creation attempts, and measurement of timing for both successful and failed login attempts.
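The kind of log analysis the abstract describes (failed versus successful account-recovery attempts per channel, resets before expiry versus within or after the grace period, users who gave up on self-service and went to the helpdesk), together with its proposal that a rejected password creation attempt report its reasons immediately, as an added Python example that is not the paper's code. The event line format, the 14-day grace period and the password rules in `password_rejection_reasons` are assumptions for illustration, and the sample events are constructed, not taken from the study's data.

```python
"""Added example (not the paper's code): exploratory metrics over
constructed helpdesk-style password events, plus a policy check that
returns every reason a candidate password was rejected."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

GRACE_DAYS = 14  # assumed length of the post-expiry grace period

# Constructed sample (not real data); the line format is an assumption:
# <timestamp> <user> <channel> <event> <outcome> [<old-password-expiry>]
SAMPLE_LOG = """\
2015-01-05T09:12:00 u001 selfservice recover fail
2015-01-05T09:15:02 u001 selfservice recover ok
2015-01-06T14:02:11 u002 helpdesk recover ok
2015-01-07T10:00:00 u003 selfservice recover fail
2015-01-07T10:01:00 u003 selfservice recover fail
2015-01-07T10:03:00 u003 selfservice recover fail
2015-01-07T10:06:00 u003 selfservice recover fail
2015-01-07T11:00:00 u003 helpdesk recover ok
2015-02-01T08:30:00 u001 selfservice reset ok 2015-02-10T00:00:00
2015-02-12T08:30:00 u002 selfservice reset ok 2015-02-10T00:00:00
2015-02-20T08:30:00 u004 selfservice reset ok 2015-02-05T00:00:00
2015-02-03T08:30:00 u005 helpdesk reset ok 2015-02-03T12:00:00
"""


@dataclass
class Event:
    ts: datetime
    user: str
    channel: str                      # "selfservice" or "helpdesk"
    event: str                        # "recover" (regain access) or "reset" (change password)
    ok: bool
    expiry: Optional[datetime] = None  # old password's expiry; reset events only


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        ts, user, channel, event, outcome = parts[:5]
        expiry = datetime.fromisoformat(parts[5]) if len(parts) > 5 else None
        events.append(Event(datetime.fromisoformat(ts), user, channel,
                            event, outcome == "ok", expiry))
    return events


def recovery_outcomes(events):
    """Per channel: (failed, successful) account-recovery attempts."""
    fails, oks = Counter(), Counter()
    for e in events:
        if e.event == "recover":
            (oks if e.ok else fails)[e.channel] += 1
    return {ch: (fails[ch], oks[ch]) for ch in set(fails) | set(oks)}


def reset_timing(events):
    """Classify successful resets relative to the old password's expiry."""
    grace = timedelta(days=GRACE_DAYS)
    buckets = Counter()
    for e in events:
        if e.event != "reset" or not e.ok or e.expiry is None:
            continue
        if e.ts < e.expiry:
            buckets["before_expiry"] += 1
        elif e.ts <= e.expiry + grace:
            buckets["in_grace"] += 1
        else:
            buckets["after_grace"] += 1
    return dict(buckets)


def escalated_users(events):
    """Users whose self-service recovery never succeeded and who later
    recovered via the helpdesk: a cost only visible by joining events per user."""
    by_user = defaultdict(list)
    for e in events:
        if e.event == "recover":
            by_user[e.user].append(e)
    out = set()
    for user, evs in by_user.items():
        ss = [e for e in evs if e.channel == "selfservice"]
        if not ss or any(e.ok for e in ss):
            continue
        last_fail = max(e.ts for e in ss)
        if any(e.channel == "helpdesk" and e.ok and e.ts > last_fail for e in evs):
            out.add(user)
    return out


def password_rejection_reasons(candidate, username):
    """Return every reason a candidate fails the (assumed) policy, so the
    form can show them all at once instead of a bare failure."""
    reasons = []
    if len(candidate) < 8:
        reasons.append("shorter than 8 characters")
    if not any(c.isdigit() for c in candidate):
        reasons.append("no digit")
    if not (any(c.isupper() for c in candidate) and any(c.islower() for c in candidate)):
        reasons.append("needs both upper- and lower-case letters")
    if username.lower() in candidate.lower():
        reasons.append("contains the username")
    return reasons


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(recovery_outcomes(evs), reset_timing(evs), escalated_users(evs))
    print(password_rejection_reasons("jsmith1", "jsmith"))
```

The per-user join in `escalated_users` is the step a plain event count misses: the same four failed self-service attempts show up as a 4:0 ratio in `recovery_outcomes`, but only the join reveals that the user then spent a helpdesk call on top of them.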



Acknowledgements

Simon Parkin and Angela Sasse’s research is funded in part by EPSRC, grant number: EP/K006517/1 (“Productive Security”). The authors would like to thank the participating university and especially their IT department for providing the data that informed this publication. The authors would like to thank Ingolf Becker for his help with the editing of this paper.

Corresponding author

Correspondence to Simon Parkin.

Copyright information

© 2016 Springer International Publishing Switzerland

About this paper

Cite this paper

Parkin, S., Driss, S., Krol, K., Sasse, M.A. (2016). Assessing the User Experience of Password Reset Policies in a University. In: Stajano, F., Mjølsnes, S.F., Jenkinson, G., Thorsheim, P. (eds) Technology and Practice of Passwords. PASSWORDS 2015. Lecture Notes in Computer Science(), vol 9551. Springer, Cham. https://doi.org/10.1007/978-3-319-29938-9_2

  • DOI: https://doi.org/10.1007/978-3-319-29938-9_2

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-29937-2

  • Online ISBN: 978-3-319-29938-9

  • eBook Packages: Computer Science (R0)
