Password Change Statistics

The reports in this directory get generated on the 8th of each month. The format of the email changed with the advent of the NSSPR (NetID Self-Service Password Reset) project in December 2015 and again in June of 2017 in preparation for the new UW NetID sign-up project.

Note that one of the deliverables of the NSSPR project was the discontinuation of secret questions. It was determined that the whole concept of secret questions is a Bad Idea™.

Secret question counts (Pre-June 2017)

    20 people with 0 questions.
    80 people with 1 question.
   645 people with 2 questions.
 46922 people with 3 questions.
  4478 people with 4 questions.
  1193 people with 5 questions.
  1165 people with 6 questions.
  3399 people with 7 questions.
   336 people with 8 questions.
    17 people with 9 questions.
     8 people with 10 questions.
     2 people with 12 questions.
 -----
 57520 people with 3+ questions.

This section lists the number of people who had the indicated number of questions. People with fewer than 3 questions cannot use their secret questions to reset their password. People listed as having zero questions are the ones who had questions last month but not this month.

Reminders (Pre-June 2017)

  2767 people are ripe to be reminded to test questions.

After giving them time to forget the answers to their questions, a reminder is sent asking people to test their questions to see whether they can really answer them. The time period was originally 6 months after the questions were established or last changed. It was changed to 2 months in April of 2004.

Note that no reminders have actually been sent out since sometime before September 2005, when these archives start, due to the fact that we had some bad email addresses. It was eventually decided that reminders should be disabled permanently since they looked too much like phishing attempts. C'est la vie. It's all moot now that secret questions are deprecated.

Custom Questions (Pre-June 2017)

 32633 people with 0 custom questions.
 28733 people with 1 custom question.
  1347 people with 2 custom questions.
   149 people with 3 custom questions.
    13 people with 4 custom questions.
     1 person with 5 custom questions.
     2 people with 6 custom questions.
The custom questions section lists the number of people who set up their own custom secret questions.

New User Counts (Pre-June 2017)

   New users (source 1, hepps):
    21 people with 0 questions.
     2 people with 2 questions.
   221 people with 3 questions.
    12 people with 4 questions.
     1 person with 5 questions.
     1 person with 6 questions.
     2 people with 7 questions.

   New users (source 2, students):
    81 people with 0 questions.
     1 person with 1 question.
    50 people with 2 questions.
  3346 people with 3 questions.
   279 people with 4 questions.
    69 people with 5 questions.
    48 people with 6 questions.
   110 people with 7 questions.
     2 people with 8 questions.
     1 person with 9 questions.

   New users (source 7, advance):
     3 people with 0 questions.
     1 person with 2 questions.
   121 people with 3 questions.
     5 people with 4 questions.
     1 person with 5 questions.
     1 person with 6 questions.
     2 people with 7 questions.
The new user counts is a tally of the number secret questions that were established with the new NetIDs that were created that month.

New User Counts (Post-June 2017)

   UW NetID creations:
      Total:                    3082    Percent
        UW Human Resources:      421   ( 13.7%)   Percent
          2FA:                   217   (  7.0%)  ( 51.5%)
          Forwarding:            410   ( 13.3%)  ( 97.4%)
          Recovery:              352   ( 11.4%)  ( 83.6%)
        UW Students:            1804   ( 58.5%)   Percent
          Forwarding:           1444   ( 46.9%)  ( 80.0%)
          Recovery:             1488   ( 48.3%)  ( 82.5%)
        Supplemental:            236   (  7.7%)   Percent
          Forwarding:            217   (  7.0%)  ( 91.9%)
          Recovery:              177   (  5.7%)  ( 75.0%)
        Advance:                  84   (  2.7%)   Percent
          Forwarding:             73   (  2.4%)  ( 86.9%)
          Recovery:               66   (  2.1%)  ( 78.6%)
        Cascadia:                235   (  7.6%)   Percent
          Forwarding:            188   (  6.1%)  ( 80.0%)
          Recovery:              149   (  4.8%)  ( 63.4%)
        SCCA:                      4   (  0.1%)   Percent
          Forwarding:              4   (  0.1%)  (100.0%)
          Recovery:                3   (  0.1%)  ( 75.0%)
        HEAL-WA:                 196   (  6.4%)   Percent
          2FA:                     1   (  0.0%)  (  0.5%)
          Forwarding:            174   (  5.6%)  ( 88.8%)
          Recovery:              167   (  5.4%)  ( 85.2%)
        OEA:                      98   (  3.2%)   Percent
          Forwarding:             61   (  2.0%)  ( 62.2%)
          Recovery:               50   (  1.6%)  ( 51.0%)
        Family Med Res:            3   (  0.1%)   Percent
          Forwarding:              2   (  0.1%)  ( 66.7%)
          Recovery:                2   (  0.1%)  ( 66.7%)
        Internal Med Res:          1   (  0.0%)   Percent
          Forwarding:              1   (  0.0%)  (100.0%)
          Recovery:                1   (  0.0%)  (100.0%)

The UW NetID creations is a tally of the number of UW NetIDs that were created under the indicated source for the given time period.

The 2FA, Forwarding and Recovery lines indicate the number of the source total above it who activated the indicated service within five hours of creating their UW NetID.

Each percentage indicates what portion the count on this line is of the count on the line above it containing the word “Percent” in that column.

Password Changes (Pre-NSSPR)

   Password changes:
	With PW:	  3144   ( 57%)
	Reset:		  2389   ( 43%)  (100%)

	By root:	  1055   ( 19%)  ( 44%)
	W/O  PW:	  1334   ( 24%)  ( 56%)  (100%)

	With PAC:	   527   ( 10%)  ( 22%)  ( 40%)
	With QnA:	   807   ( 15%)  ( 34%)  ( 60%)  (100%)

	With 3 Q:	   723   ( 13%)  ( 30%)  ( 54%)  ( 90%)
	With 4 Q:	    57   (  1%)  (  2%)  (  4%)  (  7%)
	With 5 Q:	    10   (  0%)  (  0%)  (  1%)  (  1%)
	With 6 Q:	     6   (  0%)  (  0%)  (  0%)  (  1%)
	With 7 Q:	    11   (  0%)  (  0%)  (  1%)  (  1%)
The password change stats indicate the methods used to change passwords throughout the month. First it's divided between those people who used their existing password for authentication (With PW) or via other means (Reset). Password-authenticated password changes would be via the Manage your NetID Resources web page, the user using the passwd utility on a unix host or other standard supported Kerberos methods. Reset passwords are either done via the Change a Forgotten Password web site (W/O PW) or by calling C&CI (By root).

The W/O PW password changes are then broken down further based on whether they were done with a PAC or secret questions. The secret question changes are then broken down by how many questions the user had established.

Password Changes (Post-NSSPR)

  Password changes:
      Total:                    8004    Percent
        Superuser:               161   (  2.0%)
        User:                   7843   ( 98.0%)   Percent
          Manage:               3055   ( 38.2%)  ( 39.0%)
          Unix:                    6   (  0.1%)  (  0.1%)
          Recovery:             2503   ( 31.3%)  ( 31.9%)   Percent
            SMS:                1236   ( 15.4%)  ( 15.8%)  ( 49.4%)
            Email:               591   (  7.4%)  (  7.5%)  ( 23.6%)
            TSC:                 676   (  8.4%)  (  8.6%)  ( 27.0%)
          Legacy:               1583   ( 19.8%)  ( 20.2%)   Percent
            PAC:                 651   (  8.1%)  (  8.3%)  ( 41.1%)
            QnA:                 840   ( 10.5%)  ( 10.7%)  ( 53.1%)
            Email:                92   (  1.1%)  (  1.2%)  (  5.8%)
          SAML:                  259   (  3.2%)  (  3.3%)   Percent
            Cascadia:             43   (  0.5%)  (  0.5%)  ( 16.6%)
            Collnet:             145   (  1.8%)  (  1.8%)  ( 56.0%)
            FHCRC:                16   (  0.2%)  (  0.2%)  (  6.2%)
            SCCA:                 55   (  0.7%)  (  0.7%)  ( 21.2%)
          Supplemental:          437   (  5.5%)  (  5.6%)   Percent
            Admin:                 8   (  0.1%)  (  0.1%)  (  1.8%)
            Shared:              429   (  5.4%)  (  5.5%)  ( 98.2%)

The password change stats indicate the methods used to change passwords throughout the month. First it's divided between the superuser password changes versus password changes performed by the users themselves. The NSSPR project greatly reduced the number of Superuser password changes required.

The user performed password updates are further divided based on how the password was changed:

In the first two cases, the user has specified his existing password for authentication. The NSSPR password resets are further divided based on how the user authenticated:

In each of these cases, the total count of password changes using the indicated method is shown. The percentage shown is the percent of the total shown on the line indicated with the Percent header immediately above it. For example, the 840 passwords reset using QnA, aka "secret questions", above account for 53.1% of the 1,583 Legacy password resets, 10.7% of the 7,843 User password resets and 10.5% of the 8,004 total password changes.

Failed Secret Question Resolution (Pre-June 2017)

   QnA Fail Resolution: < 1 hr   3 hr   8 hr  24 hr  36 hr   more
        With QnA:          776      1      1      3      4     14
        With PAC            15      0      2      8      2     11
        With PW:            25      0      1      1      0      7
        By Root:            31      5      1      8      0     14
        Never:             454
        Total:            1384

For the people who entered their secret questions incorrectly while trying to change their password, this section attempts to analyze what method they fell back to to get their password changed. In the above list, 776 of them successfully entered their answers within an hour. The "By Root" number indicates a call to C&CI. The number listed as "with PAC" prior to April 2004 must also have involved a call to C&CI as the questions would need to be cleared to use a PAC.

Secret Question Check (Pre-June 2017)

   QnA Check	    Okay      Bad    Short   No Ans
	3 Q:	     808     2146      157      395
	4 Q:	      60      273       16       76
	5 Q:	      13       48        6       33
	6 Q:	       6       38        8       22
	7 Q:	      12       65       13       21

The QnA Check table lists the number of attempts made to authenticate using the secret questions in order to change a password.

Secret Question Test (Pre-June 2017)

   QnA Test	     Try     Okay      Bad    Short   No Ans
	3 Q:	       1      404      298       33       43
	3 Q:	       2       63      207       13       11
	3 Q:	       3       25      113        3        0
	3 Q:	       4        6       58        0        1
	3 Q:	       5        2       38        0        0
	4 Q:	       1       21       35        1        9
	4 Q:	       2        3       25        2        2
	4 Q:	       3        4        7        0        0
	4 Q:	       4        0        8        0        0
	4 Q:	       5        0        4        0        0
	5 Q:	       1        8        8        2        4
	5 Q:	       2        1        5        0        2
	5 Q:	       3        1        1        0        1
	5 Q:	       4        0        1        0        0
	5 Q:	       5        0        1        0        0
	6 Q:	       1        4        5        0        5
	6 Q:	       2        0        2        0        0
	6 Q:	       3        0        1        0        0
	6 Q:	       4        0        1        0        0
	6 Q:	       5        0        1        0        0
	7 Q:	       1        4        3        1        4
	7 Q:	       2        1        3        0        3
	7 Q:	       3        0        1        0        1

The QnA Test section lists the number of people who went to the Test Your Secret Questions section of the Manage Your NetID Resources web tool. For the people with 3 questions above, 404 answered their questions properly on the first try. 63 more got them on the second try, etc. The No Ans column indicates that the validation failed because one or more of the questions were left unanswered. Short indicates one or more answer was fewer than the required 4 characters and Bad indicates that all the answers were filled in and were long enough, but one or more was the incorrect answer.


Ken Lowe
Email -- ken@cac.washington.edu
Web -- http://staff.washington.edu/krl/