Abstract
Organisations often provide helpdesk services to users, to resolve any problems that they may have in managing passwords for their provisioned accounts. Helpdesk logs record password change events and support requests, but overlook the impact of compliance upon end-user productivity. System managers are not incentivised to investigate these impacts, so productivity costs remain with the end-user. We investigate how helpdesk log data can be analysed and augmented to expose the user’s personal costs. Here we describe exploratory analysis of a university’s helpdesk log data, spanning 30 months and 500,000 system events for approximately 10,000 staff and 20,000-plus students. The scale of end-user costs was identified in log data, where follow-on exploratory interviews and NASA-RTLX assessments with 20 students exposed issues which log data did not adequately represent. The majority of users reset passwords before expiration. Log analysis indicated that the online self-service system was vastly preferred to the helpdesk, but that there was a 4:1 ratio of failed to successful attempts to recover account access. Log data did not capture the effort in managing passwords, where interviews exposed points of frustration. Participants saw the need for security but voiced a lack of understanding of the numerous restrictions on passwords. Frustrations led to adoption of diverse coping strategies, for example deliberately waiting to reset a password after reaching the post-expiry grace period. We propose ways to improve support, including real-time communication of reasons for failed password creation attempts, and measurement of timing for both successful and failed login attempts.
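The kind of exploratory log analysis the abstract describes, as an added illustration that is not the paper's own code or the university's data: the pipe-delimited event format, the field names, the seven-day grace period and every log line are constructed assumptions. The block computes the measures the abstract reports (resets before versus after expiry, channel preference, the failed-to-successful recovery ratio) and one measure the abstract proposes but the raw log lacks, the elapsed time from a user's first failed recovery attempt to their eventual success.

```python
"""Exploratory analysis of password helpdesk events (constructed example)."""
from collections import Counter
from datetime import date, datetime

# Constructed sample log. Assumed format: ts|user|channel|event|outcome|expiry
# 'expiry' is the account's password expiry date and is only set on reset events.
SAMPLE_LOG = """\
2014-03-01T09:00:00|alice|self-service|reset|success|2014-03-10
2014-03-02T10:00:00|bob|self-service|recover|fail|
2014-03-02T10:03:00|bob|self-service|recover|fail|
2014-03-02T10:09:00|bob|self-service|recover|success|
2014-03-03T11:00:00|carol|helpdesk|recover|success|
2014-03-04T08:30:00|dave|self-service|reset|success|2014-03-01
2014-03-05T14:00:00|erin|self-service|recover|fail|
2014-03-05T14:20:00|erin|self-service|recover|fail|
2014-03-05T14:25:00|erin|helpdesk|recover|success|
2014-03-06T16:00:00|frank|self-service|reset|success|2014-02-20
"""

GRACE_DAYS = 7  # assumed length of the post-expiry grace period


def parse_log(text):
    """Turn the constructed pipe-delimited log into a list of event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, channel, event, outcome, expiry = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "channel": channel,
            "event": event,
            "outcome": outcome,
            "expiry": date.fromisoformat(expiry) if expiry else None,
        })
    return events


def channel_counts(events):
    """How often each support channel was used (self-service vs helpdesk)."""
    return Counter(e["channel"] for e in events)


def recovery_outcomes(events):
    """(failed, successful) counts of account-recovery attempts."""
    outcomes = Counter(e["outcome"] for e in events if e["event"] == "recover")
    return outcomes["fail"], outcomes["success"]


def reset_timing(events, grace_days=GRACE_DAYS):
    """Bucket resets by when they happened relative to password expiry."""
    buckets = Counter()
    for e in events:
        if e["event"] != "reset" or e["expiry"] is None:
            continue
        days_after_expiry = (e["ts"].date() - e["expiry"]).days
        if days_after_expiry <= 0:
            buckets["before_expiry"] += 1
        elif days_after_expiry <= grace_days:
            buckets["in_grace"] += 1      # the deliberate-wait strategy
        else:
            buckets["after_grace"] += 1   # account already locked out
    return buckets


def recovery_effort(events):
    """Seconds from a user's first failed recovery to their first later success.

    The raw log only records attempts; this derived measure approximates the
    time cost the abstract says log data does not capture.
    """
    first_fail, effort = {}, {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event"] != "recover":
            continue
        user = e["user"]
        if e["outcome"] == "fail":
            first_fail.setdefault(user, e["ts"])
        elif user in first_fail and user not in effort:
            effort[user] = int((e["ts"] - first_fail[user]).total_seconds())
    return effort


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("channels:", dict(channel_counts(evs)))
    print("recovery failed/success:", recovery_outcomes(evs))
    print("reset timing:", dict(reset_timing(evs)))
    print("seconds to recover after first failure:", recovery_effort(evs))
```

Real helpdesk logs would need a join against the identity system to obtain each account's expiry date, and the per-user effort figure should be read as a lower bound, since attempts that never led to a successful recovery contribute nothing to it.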
Acknowledgements
Simon Parkin and Angela Sasse’s research is funded in part by EPSRC, grant number: EP/K006517/1 (“Productive Security”). The authors would like to thank the participating university and especially their IT department for providing the data that informed this publication. The authors would like to thank Ingolf Becker for his help with the editing of this paper.
© 2016 Springer International Publishing Switzerland
Cite this paper
Parkin, S., Driss, S., Krol, K., Sasse, M.A. (2016). Assessing the User Experience of Password Reset Policies in a University. In: Stajano, F., Mjølsnes, S.F., Jenkinson, G., Thorsheim, P. (eds) Technology and Practice of Passwords. PASSWORDS 2015. Lecture Notes in Computer Science(), vol 9551. Springer, Cham. https://doi.org/10.1007/978-3-319-29938-9_2
DOI: https://doi.org/10.1007/978-3-319-29938-9_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-29937-2
Online ISBN: 978-3-319-29938-9
eBook Packages: Computer Science (R0)