Today I emailed a number of our users, asking them to change their passwords. To be exact, I emailed 7462 users, which in itself is a bit of a logistical exercise, when you want each mail to be personalized.
Of them, we got some 250 or so bounces – that I saw, anyway, I was smart and redirected them to a colleague. This was quite expected, and will help us improve the data quality.
We also received, during the time that I was there, 75 or so mails from people who were confused, or had problems logging in. This over the course of about 2 hours. This was also expected, although some of the responses were a bit more over the top than I’d expected. People seem to not want to change their passwords.
I had the pleasure of handling some of the support requests, and I think I can happily say that they are mostly an issue of noone having used this system before. People didn’t know what their user name was (even though it was stated in the email), not did they know what password was to be changed. Still, apart from the 75 or so support requests I saw, more than 400 people have managed to change their passwords. All in all, I am quite satisfied at this first try – we knew it was going to be a hassle, and it’s proven us right. 😉 It will hopefully improve a lot when we send out the 2nd and 3rd rounds in a few weeks time, and be much, much better when we do it all over in February.
People never read e-mails properly. I regularly send people password-protected URLs, with the username and password directly underneath the URL. I would say 90% of the time I get an e-mail back saying “but it’s asking me for a username and password”…
And I know it’s considered good practice to force password changes, but I’m not convinced:
– if a password is a secret, then its efficacy does not deteriorate with time
– if the secrecy of a password can be broken after the lifetime of the password, then it can be broken within the lifetime of the password
– if a password is no longer a secret, then the new one will escape in the same way as before
For forced password changes to be effective, passwords would need to be changed at every login or every day to mitigate the risks, but that is impractical.
Furthermore, users get to know their passwords. Change it and they’ll have a hard time remembering the new one – they therefore either write it down (reducing secrecy), or make their new password a minor variant of the previous (leaving it easy to guess), effectively negating the purpose of changing passwords. Or worse, they attempt to memorise it, fail, and then have to keep contacting you to get it changed.
Passwords are flawed, and forcing them to be changed skims over the true issues and just introduces new problems. If the account is worth protecting, use two-factor authentication; otherwise enforce strong passwords, take steps to defend against brute force and dictionary attacks, make users aware of the dangers, and take no further responsibility for account security.
Wow, I wrote an essay! Does any of that make sense, or have I overlooked something obvious?
It’s plain stupid and ignorant to tell someone that the password they have chosen for there own isn’t good enough for you any longer.
It seems to me that the only reason someone would tell a user that they must change their password is because the company, organization or whatever has had their files hacked and passwords of users were or possible were, compromised because of the company/organization’s lack of proper security and contorl over they system they run/service.