Assessing the User Experience of Password Reset Policies in a University

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9551)


Organisations often provide helpdesk services to users, to resolve any problems that they may have in managing passwords for their provisioned accounts. Helpdesk logs record password change events and support requests, but overlook the impact of compliance upon end-user productivity. System managers are not incentivised to investigate these impacts, so productivity costs remain with the end-user. We investigate how helpdesk log data can be analysed and augmented to expose the user’s personal costs. Here we describe exploratory analysis of a university’s helpdesk log data, spanning 30 months and 500,000 system events for approximately 10,000 staff and 20,000-plus students. The scale of end-user costs was identified in log data, where follow-on exploratory interviews and NASA-RTLX assessments with 20 students exposed issues which log data did not adequately represent. The majority of users reset passwords before expiration. Log analysis indicated that the online self-service system was vastly preferred to the helpdesk, but that there was a 4:1 ratio of failed to successful attempts to recover account access. Log data did not capture the effort in managing passwords, where interviews exposed points of frustration. Participants saw the need for security but voiced a lack of understanding of the numerous restrictions on passwords. Frustrations led to adoption of diverse coping strategies, for example deliberately waiting to reset a password after reaching the post-expiry grace period. We propose ways to improve support, including real-time communication of reasons for failed password creation attempts, and measurement of timing for both successful and failed login attempts.



Simon Parkin and Angela Sasse’s research is funded in part by EPSRC, grant number: EP/K006517/1 (“Productive Security”). The authors would like to thank the participating university and especially their IT department for providing the data that informed this publication. The authors would like to thank Ingolf Becker for his help with the editing of this paper.



Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. Department of Computer Science, University College London, London, UK
