I’m too Busy to Reset my LinkedIn Password: On the Effectiveness of Password Reset Emails

Jun Ho Huh ; Hyoungshick Kim ; Swathi S.V.P. Rayala ; Rakesh B. Bobba ; Konstantin Beznosov

07 March 2017

Abstract: A common security practice used to deal with a password breach is locking user accounts and sending out an email to tell users that they need to reset their password to unlock their account. This paper evaluates the effectiveness of this security practice based on the password reset email that LinkedIn sent out around May 2016, and through an online survey conducted on 249 LinkedIn users who received that email. Our evaluation shows that only about 46% of the participants reset their passwords. The mean time taken to reset password was 26.3 days, revealing that a significant proportion of the participants reset their password a few weeks, or even months after first receiving the email. Our findings suggest that more effective persuasive measures need to be added to convince users to reset their password in a timely manner, and further reduce the risks associated with delaying password resets.

Published in: J. H. Huh, H. Kim, S. S. V. Rayala, R. B. Bobba, K. Beznosov, “I’m too busy to reset my LinkedIn password: On the effectiveness of password reset emails,” to appear in Proceedings of the ACM SIGCHI Conference on Human Factors in Computing Systems (CHI), 2017, 5 pages.:

The record appears in these collections:
Refereed Conference Papers

 Record created 2017-03-07, last modified 2017-03-07

Download fulltextPDF Download fulltextPDF (PDFA)
Rate this document:

Rate this document:
(Not yet reviewed)