SSO account holders are automatically emailed when their password needs to be changed – but surely any email that says “access to your account will be restricted until you have logged in here <url>” will be counted as a phishing message and ignored.
The template in current use was designed in 2006, and aside from a few minor adjustments has remained largely the same for over 5 years. Although x0,000 users process it smoothly each year, it certainly does exhibit several characteristics that should trigger caution from a responsible user. Recently there has been a campaign to raise user awareness of phishing and, whether consequently or coincidentally, there is (anecdotal) evidence of increased numbers of enquiries about the authenticity of our internal messages, including password expiry notifications.
Designing a good template for this message is hard. On one hand there is a desire to avoid looking like a phishing email – mentioning account management, loss / restriction of access, and providing links to reset / confirm account details are all features that should sound alarm bells for most users. On the other hand, the very nature of what we need to communicate means that in order to be effective a message will touch on these aspects – and users will expect us to make life easy with a handy link.
We have recently invited Oxford ITSS to suggest improved versions of the “password expiry” template by emailing them to firstname.lastname@example.org. Other members of the University are welcome to contribute to this as well, through the same channel.