An In-Depth Systematic Analysis of the Security, Usability, and Automation Capabilities of Password Update Processes on Top-Ranked Websites

Alexander Krause, Jacques Suray, Lea Schmüser, Marten Oltrogge, Oliver Wiese, Maximilian Golla, Sascha Fahl

TL;DR

The paper addresses the insecurity and friction in password update workflows by systematically analyzing 111 top-ranked websites. It inventories whether and how these sites support security, usability, and automation for password changes and resets, using a 32-attribute protocol and dual-rater coding. The study finds highly heterogeneous, multi-step processes that often lack post-update confirmations, clear notifications, and password-manager compatibility; automation is stymied by nonstandard forms, missing autocomplete attributes, and limited adoption of the W3C change-password draft. The authors propose concrete recommendations for web developers, standard bodies, and researchers to improve usability, security, and machine-actionable support, with an emphasis on developing richer password-management APIs and broader standard adoption to enable reliable automated updates. The work contributes a data-driven view of the password update landscape and highlights critical gaps that affect both user security and the effectiveness of password managers.
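The two automation gaps the summary names, missing autofill hints on the form and a missing or unreliable well-known change-password URL, can be checked mechanically. The following Node.js code is an added example, not code from the paper or its authors: it audits a change-password form's markup for the HTML autofill detail tokens (`username`, `current-password`, `new-password`) that password managers key on, and models the `/.well-known/change-password` redirect plus the "should-not-exist" probe resource described in the W3C draft. Both sample forms, the handler functions and `CHANGE_PASSWORD_PATH` are constructed for illustration.

```javascript
// Added example (not from the paper): static audit of a change-password form
// and a model of the well-known change-password URL. Sample markup and paths
// below are constructed for illustration.

// Constructed sample: a form a password manager cannot reliably act on.
const WEAK_FORM = `
<form method="post">
  <input type="password" name="pwd1">
  <input type="password" name="pwd2">
  <input type="submit" value="Save">
</form>`;

// Constructed sample: the same form with autofill detail tokens, so a manager
// can identify the account and tell the old secret from the new one.
const GOOD_FORM = `
<form action="/settings/security/password" method="post">
  <input type="hidden" name="username" value="alice" autocomplete="username">
  <input type="password" name="old" autocomplete="current-password" required>
  <input type="password" name="new" autocomplete="new-password" required>
  <input type="password" name="confirm" autocomplete="new-password" required>
  <button type="submit">Change password</button>
</form>`;

// Minimal <input> extractor for static audits; not a full HTML parser.
function parseInputs(html) {
  const inputs = [];
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)\s*=\s*"([^"]*)"/g;
  let tag;
  while ((tag = tagRe.exec(html)) !== null) {
    const attrs = {};
    let attr;
    while ((attr = attrRe.exec(tag[1])) !== null) {
      attrs[attr[1].toLowerCase()] = attr[2];
    }
    inputs.push(attrs);
  }
  return inputs;
}

// Report what a password manager would be missing on this form.
function auditChangePasswordForm(html) {
  const inputs = parseInputs(html);
  const pw = inputs.filter((i) => (i.type || "").toLowerCase() === "password");
  const findings = [];
  if (pw.length === 0) findings.push("no password fields found");
  if (!inputs.some((i) => i.autocomplete === "username")) {
    findings.push('no autocomplete="username" field: manager cannot tell which credential to update');
  }
  if (!pw.some((i) => i.autocomplete === "current-password")) {
    findings.push('no autocomplete="current-password" field');
  }
  if (!pw.some((i) => i.autocomplete === "new-password")) {
    findings.push('no autocomplete="new-password" field: manager will not offer a generated password');
  }
  for (const f of pw) {
    if (!f.autocomplete) findings.push(`password field "${f.name || f.id || "?"}" has no autocomplete hint`);
  }
  return { compatible: findings.length === 0, findings };
}

// Assumed location of this site's change-password page (not from the paper).
const CHANGE_PASSWORD_PATH = "/settings/security/password";

// The draft's probe URL: it must NOT answer 200, otherwise a client cannot
// distinguish a real change-password answer from a catch-all page.
const PROBE_PATH =
  "/.well-known/resource-that-should-not-exist-whose-status-code-should-not-be-200";

// Server side, done right: redirect the well-known URL, 404 everything unknown.
function wellKnownHandler(path) {
  if (path === "/.well-known/change-password") {
    return { status: 302, headers: { Location: CHANGE_PASSWORD_PATH } };
  }
  if (path === CHANGE_PASSWORD_PATH) return { status: 200, headers: {} };
  return { status: 404, headers: {} };
}

// Server side, done wrong: a site that answers 200 for every path (typical
// of single-page apps), so the well-known URL carries no information.
function catchAllHandler(path) {
  return { status: 200, headers: {} };
}

// Client side (what a password manager does): trust the well-known URL only if
// the probe is not 200, then follow a bounded number of redirects.
function resolveChangePasswordUrl(handler) {
  if (handler(PROBE_PATH).status === 200) return null;
  let path = "/.well-known/change-password";
  for (let hops = 0; hops < 5; hops++) {
    const res = handler(path);
    if (res.status >= 300 && res.status < 400 && res.headers.Location) {
      path = res.headers.Location;
      continue;
    }
    return res.status >= 200 && res.status < 300 ? path : null;
  }
  return null;
}

console.log(auditChangePasswordForm(WEAK_FORM).findings);
console.log(resolveChangePasswordUrl(wellKnownHandler), resolveChangePasswordUrl(catchAllHandler));
```

The form audit is deliberately static: it looks only at markup, so it flags exactly the class of problem the paper reports (a manager cannot infer field roles from `name="pwd1"`), while the well-known model shows why a redirect alone is not enough and the probe resource has to answer non-200 before a client may rely on it.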

Abstract

Password updates are a critical account security measure and an essential part of the password lifecycle. Service providers and common security recommendations advise users to update their passwords in response to incidents or as a critical cyber hygiene measure. However, password update processes are often cumbersome and require manual password creation. Inconsistent and complex workflows and a lack of automation capabilities for password managers further negatively impact overall password security. In this work, we perform the first in-depth systematic analysis of 111 password update processes deployed on top-ranked websites. We provide novel insights into their overall security, usability, and automation capabilities and contribute to authentication security research through a better understanding of password update processes. Websites deploy highly diverse, often complex, confusing password update processes and lack the support of password managers. Processes are often hard to use, and end-users can barely transfer experiences and knowledge across websites. Notably, protective measures designed to enhance security frequently obstruct password manager automation. We conclude our work by discussing our findings and giving recommendations for web developers, the web standardization community, and security researchers.

Paper Structure

This paper contains 62 sections, 9 figures, 2 tables.

Figures (9)

  • Figure 1: Overview of the quantifiers and percentages used throughout our results. Please note that each quantifier refers to the same number of websites throughout the analysis.
  • Figure 2: Distribution of the navigation path depth of and processes (higher depth often requires more effort). Example: Profile$\rightarrow$Advanced$\rightarrow$Security$\rightarrow$Password (4).
  • Figure 3: Common password forms we observed in and processes. (a) illustrates a password change page accessible via a dedicated URL, (b) shows a modal popup of a web application that does not offer a URL, (c) displays profile settings that include some password fields, (d) shows a reset form with a but no password confirmation field.
  • Figure 4: Common visual feedback we observed in and processes. (a) Illustrates an explicit password change message, (b) shows a tiny, quickly disappearing cue about "Changes" that have been saved, (c) abuses a button to inform the user about saved "Settings," (d) does not display any text and instead redirects the user to the start page.
  • Figure 5: (Optional) expiration setting on Microsoft's "Change your password" form (as of ).
  • ...and 4 more figures