Many users don’t change their passwords following a data breach


Even after years of hammering home the importance of online account security, some users still aren't taking the matter seriously. In a small-scale study of real-world data, researchers found that some are failing to update breached passwords in a timely manner and are continuing both to use weak passwords and to recycle them between services.
Few things would seemingly convince someone to change their password more than learning that a service they log into with that password has been breached and that their credentials are now in the possession of an unauthorized third party.

Yet even in that clear-cut scenario, many can’t be bothered to take action.

According to a recent study from Carnegie Mellon University's Security and Privacy Institute (CyLab), presented earlier this month at the IEEE 2020 Workshop on Technology and Consumer Protection, only around one third of users typically change their passwords after a data breach announcement has been made.

Worse yet, this conclusion was based on real-world browser traffic, not survey data.

In this specific instance, data was collected from the home computers of 249 participants in the university's Security Behavior Observatory (SBO), an opt-in research group. Between January 2017 and December 2018, a full 63 participants had accounts on services that publicly announced a security breach, yet only 21 (33 percent) visited the compromised site to change their password. Of the 21 who did so, only 15 changed their password within three months of the data breach announcement, ZDNet highlights.

Because the study was opt-in, the researchers also had access to the participants' passwords. Of the 21 who changed passwords, only nine opted for a stronger password the second time around. Everyone else either created a password of similar strength or chose a password similar to those they used to access other sites and services.