Many users don't change their passwords following a data breach

Shawn Knight


Few things would seemingly convince someone to change their password more than the realization that the service they use that password to access has been breached and their credentials are now in the possession of an unauthorized third party.

Yet even in that clear-cut scenario, many can’t be bothered to take action.

According to a recent study from Carnegie Mellon University's Security and Privacy Institute (CyLab), which was shared earlier this month at the IEEE 2020 Workshop on Technology and Consumer Protection, only around one-third of users typically change their passwords after a data breach announcement has been made.

Worse yet, this conclusion was based on real-world browser traffic, not survey data.

In this specific instance, data was collected from the home computers of 249 participants as part of the university’s Security Behavior Observatory (SBO) opt-in research group. Between January 2017 and December 2018, a full 63 participants had accounts on services that publicly announced a security breach, yet only 21 (33 percent) visited the compromised site to change their password. Of the 21 that did so, only 15 changed their password within three months of the data breach announcement, ZDNet highlights.

As an opt-in study, the team of researchers also had access to the passwords of the participants. Of the 21 who changed passwords, only nine opted for a stronger password the second time around. Everyone else either created a password of similar strength or used passwords that were similar to those used to access other sites and services.

Image credit: Michael H Jones, sabrisy




#1 Be very careful, first of all, about how much personal data you share in the first place.

#2 Keep your passwords memorable.



Started using one of those password managers recently. Not as convenient as having a password that you can remember, but it does give you a sense of security when you have a long, random password different for every site. If you're unsure about privacy, there is free open source software out there.