People rarely change their password after a data breach, study says
Just one-third of users took action following breach announcements, according to new research from Carnegie Mellon University.
Most people do not treat changing a password as a priority after a data breach, a recent study finds. Only about a third of users change their password after a breach announcement, according to a study presented earlier this month by Carnegie Mellon University's Security and Privacy Institute (CyLab).
Researchers analyzed web traffic gathered through the university's Security Behavior Observatory (SBO), a panel whose members opt in to share their browsing history for academic research. Data on 249 participants was collected between January 2017 and December 2018.
Of those participants, 63 had accounts on domains that publicly announced a breach during the collection period. Of those 63 users, 21 visited the breached sites to change their password, and just 15 did so within three months of the announcement.
Because the SBO data included password information, the CyLab team also analyzed the complexity of new passwords. Researchers found that of the 21 people who changed their password, only a third changed it to a stronger one. Others created a new password that was weaker or of similar strength.
Stronger password practices have arguably become more critical than ever, given the prevalence of data breaches. Researchers place some blame on hacked services that "almost never tell people to reset their similar -- or identical -- passwords on other accounts." People are encouraged to take measures like using a password manager to keep track of passwords and avoiding common words and character combinations.