Password updates are a critical part of the password lifecycle and are recommended following exposure of reused passwords or suspected compromise. However, password update processes are often cumbersome, require manual password creation, and involve inconsistent website workflows that hinder reliable automation by password managers. In this work, we conduct the first in-depth, systematic analysis of 111 password update processes deployed on top-ranked websites. We provide novel insights into their overall security, usability, and automation capabilities, and contribute to authentication security research by improving the understanding of password update processes. Websites often deploy highly diverse, complex, and confusing password update processes that are not supported by password managers. Processes are often challenging to use, and end-users struggle to transfer experience and knowledge across websites. Notably, measures intended to strengthen security often hinder password manager automation. We conclude our work by discussing our findings and giving recommendations for web developers, the web standardization community, and security researchers.