How to Effectively Communicate Benefits of Introducing a Modern Password Policy to Employees in Companies

Traditional password policies comprise rules to enforce a complex composition and demand mandatory changes in frequent intervals. Nowadays, we know that more modern password policies favoring length over complexity and abstaining from frequent password changes offer a better usability and provide higher security compared to the old-fashioned policies. Shifting from such a demanding password policy to a modern one unburdens users long-term and thus, can be used to formulate a deal offering this long-term benefit in exchange for a short-term time cost. In this paper we present a study investigating such a deal: employees of a company were offered to change to a more usable password policy, but in return they were asked to first watch a short explanatory video about password security and then subsequently change their password according to the new policy and the advice in the video. To that end, we created a communication package comprising an introductory email and an explanatory video. The results of our user study show that this approach can be an effective way to shift to a contemporary password policy and - at the same time - raise awareness about issues and misconceptions surrounding password security among users.