
People rarely change their passwords after a data breach, study says



Most people don’t take changing their passwords seriously following a data breach, a recent study found. Just about a third of users typically change their passwords after an announcement about a breach, according to a study from Carnegie Mellon University’s Security and Privacy Institute (CyLab), presented earlier this month.

Researchers analyzed web traffic gathered through the university’s Security Behavior Observatory (SBO), a research group where users can sign up to share their browser history to help with academic research. Data on 249 participants was collected between January 2017 and December 2018. 

Of all the users, just 63 had accounts on breached domains that publicly disclosed a breach during the collection period. Of those 63 users, only 21 went to the breached sites to change their passwords. Further, just 15 of those users did so within three months of the announcement.

Because the SBO data included password data, the CyLab team also analyzed the complexity of new passwords. Researchers found that of the 21 people who changed their passwords, just one third changed them to stronger ones. Others created new passwords that were weaker or of similar strength.

Stronger password practices have arguably become more critical than ever, given the prevalence of data breaches. Researchers place some blame on hacked services that “almost never tell people to reset their similar – or identical – passwords on other accounts.” People are encouraged to take measures like using a password manager to keep track of passwords and avoiding common words and character combinations.  


