An In-Depth Systematic Analysis of the Security, Usability, and Automation Capabilities of Password Update Processes on Top-Ranked Websites
Alexander Krause, Jacques Suray, Lea Schmüser, Marten Oltrogge, Oliver Wiese, Maximilian Golla, Sascha Fahl

TL;DR
This paper systematically analyzes password update processes on top websites, revealing their complexity, lack of automation, and security/usability issues, and offers recommendations for improvement.
Contribution
First comprehensive analysis of password update workflows on leading websites, highlighting security, usability, and automation challenges and proposing actionable insights.
Findings
Password update processes are often complex and inconsistent.
Many websites lack support for password manager automation.
Security measures can hinder user-friendly password updates.
Abstract
Password updates are a critical account security measure and an essential part of the password lifecycle. Service providers and common security recommendations advise users to update their passwords in response to incidents or as a critical cyber hygiene measure. However, password update processes are often cumbersome and require manual password creation. Inconsistent and complex workflows and a lack of automation capabilities for password managers further negatively impact overall password security. In this work, we perform the first in-depth systematic analysis of 111 password update processes deployed on top-ranked websites. We provide novel insights into their overall security, usability, and automation capabilities and contribute to authentication security research through a better understanding of password update processes. Websites deploy highly diverse, often complex,…
Taxonomy
Topics: User Authentication and Security Systems · Advanced Malware Detection Techniques · Interactive and Immersive Displays
