Do people voluntarily change passwords when instructed to?
Study: Change UD Password
Date: April 2014
On April 9, 2014 members of the University of Delaware community were instructed to change their UDelNet passwords by April 23. This measure was taken due to the discovery of the Heartbleed SSL vulnerability, although the University said there was no evidence at the time that any of their servers had surrendered password information.
The University then reported that as of the April 23rd deadline 14,500 people (3,600 employees and 8,300 undergraduate students) had followed this advice and changed their passwords. However, that left 16,000 people (53%) apparently who had yet to follow the advice.
Those people who still hadn't voluntarily changed their passwords were going to be forced by the UDelNet authentication system to do so by the end of May.
It is possible that the University's language about Heartbleed being only a possible threat may have led some people to be less concerned about the need to change their password. If a more definite threat had been reported the number of people changing passwords may have increased.