Today, especially as organizations continue to support a mostly remote or hybrid workforce, they have to find the right balance between a secure network and usability for their end users. Passwords remain a necessary evil in protecting many of our online applications, and the practice of periodically changing one's password does contribute to better cybersecurity hygiene. However, while setting a password expiration policy and forcing users to change their passwords have their benefits, your users and employees will complain if they have to change them too often. This is where password expiration notification comes into play.
Password expiration is known as a best practice for password security, but while the safest approach would be changing it daily, organizations have to balance security and user experience. To be fair, if a user had to change their password at the end of every shift, closing time would turn into mayhem. Once an organization strikes this balance, its IT department should strongly consider using a password expiration notification system. The system is self-explanatory: users receive a notification that their password is going to expire soon, not immediately, giving them a heads-up that they need to change it. A very popular option is to notify users by email, compared with the old-school days of the help desk calling each user about password expiration. Emailing users lightens the load on the help desk, and it is a simple, automatic process for IT administrators to set up. However, there is more to it than setting up the system and calling it a day.
Password expiration notification is a multi-step approach. Notifications are initially sent out 1-2 weeks prior to an end user's password expiration date, and subsequent emails are sent on a predetermined schedule until the day the password is no longer valid.
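The schedule described above, as an added example that is not part of the original post: given each account's password-last-set date and the organization's maximum password age, decide which users are due a notice today. The 14/7/3/1/0-day schedule, the 90-day maximum age and the sample directory are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed schedule, in days before expiry: first notice two weeks ahead,
# then reminders on fixed days until the password stops working (day 0).
NOTIFY_DAYS_BEFORE = (14, 7, 3, 1, 0)


@dataclass
class User:
    name: str
    email: str
    password_last_set: date
    password_never_expires: bool = False


def days_until_expiry(user, max_password_age_days, today):
    """Days left before the password expires; negative if already expired."""
    expiry = user.password_last_set + timedelta(days=max_password_age_days)
    return (expiry - today).days


def notification_due(user, max_password_age_days, today, schedule=NOTIFY_DAYS_BEFORE):
    """Return the notice text if today is a scheduled notification day, else None."""
    if user.password_never_expires:
        return None
    remaining = days_until_expiry(user, max_password_age_days, today)
    if remaining < 0:
        return None  # already expired: that is a help-desk ticket, not a reminder
    if remaining not in schedule:
        return None
    when = "today" if remaining == 0 else f"in {remaining} day(s)"
    return f"{user.name}, your password expires {when}. Please change it before then."


def due_notifications(users, max_password_age_days, today, schedule=NOTIFY_DAYS_BEFORE):
    """(email, message) pairs for every user who is due a notice today."""
    pairs = []
    for user in users:
        message = notification_due(user, max_password_age_days, today, schedule)
        if message is not None:
            pairs.append((user.email, message))
    return pairs


# Constructed sample directory (not real accounts).
SAMPLE_USERS = [
    User("Alice", "alice@example.test", date(2021, 3, 31)),             # expires 2021-06-29
    User("Bob", "bob@example.test", date(2021, 3, 24)),                 # expires 2021-06-22
    User("Carol", "carol@example.test", date(2021, 1, 1)),              # expired 2021-04-01
    User("Dave", "dave@example.test", date(2021, 6, 1)),                # expires 2021-08-30
    User("Eve", "eve@example.test", date(2020, 1, 1), True),            # never expires
    User("Frank", "frank@example.test", date(2021, 3, 17)),             # expires 2021-06-15
]
```

Running `due_notifications(SAMPLE_USERS, 90, date(2021, 6, 15))` yields notices for Alice (14 days), Bob (7 days) and Frank (today) only.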
Now, the theory is that end users will be proactive and change their password before the actual expiration date, which seems highly optimistic. In my opinion, while this notification process is good to have, many users may ignore it until it is too late. They may cry 'big bad wolf' and wish they had known their password was going to expire before it did. It's impossible to win with those users.
In light of that, let's review some of the pros and cons of password expiration notification.
Email Password Expiration Notification - Benefits and Disadvantages
- Prompted Action - Who doesn't love a little friendly reminder? We're all engrossed in our little worlds, completing tasks and finishing projects, but when you see a gentle reminder that your password will expire soon, it puts the password on your radar. Maybe you will have a free second to change it or you can prepare accordingly.
- Configurable Schedule - Setting a schedule for email password expiration notifications greatly increases both awareness and the likelihood that end users will actually change or update their passwords. Additionally, if the first email does not put 'change password' on a user's radar, the second and third ones most likely will. Pairing this with a self-service password reset solution also eases the process for both the end user and the help desk.
- Convenient - Let's face it, sending one email blast is a very convenient method of communication. Notifications today are practically automated, so setting up password expiration notifications through email makes the process simple on the administration side. Also, most end users are constantly checking their email or getting notifications for new mail, so emailed password expiration notifications can be an effective and natural way to gently remind the masses that their password is expiring, especially in educational institutions.
- Surge in Email Traffic - Depending on the size of your environment, the frequency of password expiration emails, the time of day of the email blast, and whether password expirations all occur at once across your institution, networks can see a huge surge in traffic and bandwidth usage when relying on email password expiration notifications. This can lead to latency issues on your network and reduced bandwidth during critical periods, not to mention the potential storage issues for your poor Exchange server. An even worse scenario is that many employees may be on vacation with auto-replies set up like "Will be back in the office next week", which further increases the email traffic surge.
- Lost in Spam - Although email continues to be one of the primary ways to communicate, it definitely still has its drawbacks. In 2021, an end user's daily average of received emails is 126, but 55% of them are recorded as spam. Yikes! With all this email traffic hitting a user's inbox, your password expiration notification email may get lost in the mud amongst all the other daily work emails.
- No Direct Confirmation - As business professionals, we like to believe that our emails are opened, fully read, and acted on immediately by the recipients. The reality is that without being able to track our employees' actions, there is no way to know. With remote work becoming the norm, it is much more difficult to reach out to employees directly about password resets, and sending the password expiration notification via email does not generally provide the direct feedback that picking up the phone or a face-to-face conversation does. But with the pandemic and remote work, what can you really do?
- Easily Dismissible - There is really no way to force an end user to actually open an email. You can dress it up and make it as enticing as possible to get them to click, but at the end of the day, an email password expiration notification can be easily overlooked.
Password security is still a necessary evil for overall network security, but unfortunately, it can be a liability if not managed properly by an IT department. The strength of an organization's network security is dictated by its technical leaders, but it can be critically hampered by its end users.
There is an old saying: you can lead a horse to water, but you can't make it drink.
This is especially true when it comes to password expiration notifications. The best an IT department can do is educate and communicate with their end users so they become self-reliant. Although I do not think that emailing password expiration notifications is the end-all be-all, I do think it is an important practice to incorporate within an organization's security measures, especially if the organization is trying to hold the balance between security and usability.
With this in mind, Self-Service Password Reset is a great solution to alleviate the pressure and unnecessary frustration that commonly takes place when resetting passwords. Through Self-Service Password Reset (SSPR), users do not need to contact the help desk and wait a long time to change their password. This greatly reduces costs and frees up time that can be used for projects or other tasks.
I truly believe that a technical team should be responsible for building awareness and validating the importance of IT security to their end users. Instilling the understanding that each and every one of our online daily activities has an impact on security goes a long way toward creating the perfect harmony between security and usability.