Policies that require employees to update their passwords regularly have become common at government and university organizations. However, prior work has suggested that forced password expiration might have limited security benefits, or could even cause harm. For example, users might react to forced password expiration by writing down or picking easy-to-guess passwords. We conducted two surveys through which we examined people’s behaviors in using and updating workplace passwords, and their attitudes toward four previously studied password management behaviors, including periodic password changes. Our findings indicate that people seem to accept the security advice they are provided. Although they did not view it to be as important as the other behaviors tested, participants believed regular password changes had a positive impact on account security. However, we found that participants generally had an incomplete understanding of password threat models, and updated their passwords using strategies that were likely to lead to predictable passwords.
Chelse Swoopes is a Research Associate in the CyLab Usable Privacy and Security Lab (CUPS) at Carnegie Mellon University. She received her B.S. in Mathematics from Mississippi State University in 2016 and her M.S. in Electrical and Computer Engineering from Carnegie Mellon University in 2017. Chelse's research interests span many areas of privacy and security. Her recent work focuses on analyzing consent and opt-out choices in online privacy policies and investigating password management practices.