🤖 AI Summary
This study identifies a systemic tension among security, usability, and automation support in mainstream websites’ password change workflows. These workflows are characterized by procedural complexity, inconsistency, and poor password manager compatibility, which together undermine users’ security practices. We conduct the first large-scale empirical analysis of password update mechanisms across the Alexa Top 111 websites, integrating process modeling, compliance assessment against cybersecurity standards (e.g., NIST SP 800-63), and human-computer interaction evaluation. Results show that over 85% of sites violate the principles of minimal user interaction and automation-friendliness, leading to high password manager integration failure rates and an elevated likelihood of user error. Based on these findings, we propose a “security–usability–automation” co-design paradigm, offering both theoretical foundations and actionable optimization pathways for authentication protocol evolution, web standard revision, and developer implementation practices.
📝 Abstract
Password updates are a critical account security measure and an essential part of the password lifecycle. Service providers and common security recommendations advise users to update their passwords in response to incidents or as a critical cyber hygiene measure. However, password update processes are often cumbersome and require manual password creation. Inconsistent and complex workflows and a lack of automation capabilities for password managers further negatively impact overall password security. In this work, we perform the first in-depth systematic analysis of 111 password update processes deployed on top-ranked websites. We provide novel insights into their overall security, usability, and automation capabilities and contribute to authentication security research through a better understanding of password update processes. Websites deploy highly diverse, often complex, confusing password update processes and lack the support of password managers. Processes are often hard to use, and end-users can barely transfer experiences and knowledge across websites. Notably, protective measures designed to enhance security frequently obstruct password manager automation. We conclude our work by discussing our findings and giving recommendations for web developers, the web standardization community, and security researchers.