Only a Third of Users Change Their Passwords After a Breach
According to a study by researchers from the CyLab laboratory at Carnegie Mellon University, only about a third of users change their passwords after being notified of a security breach. The results were presented in May at the IEEE 2020 Workshop on Technology and Consumer Protection and were based not on user surveys, but on actual browser traffic data.
The researchers analyzed web traffic collected through the university’s Security Behavior Observatory (SBO) project, where participants register and share their complete browsing history to support academic research. The dataset included information gathered from the home computers of 249 participants between January 2017 and December 2018.
Out of the 249 users, only 63 had accounts on breached domains that notified them of the incident. Of those 63 users, just 21 (33%) visited the compromised sites with the intention of changing their passwords. Among these 21, only 15 users actually changed their passwords within three months of being notified about the breach.
In total, 23 passwords were changed. Two participants changed their passwords twice—once after each breach notification. Two users changed their passwords on the breached domain within one month of the announcement, five within two months, and eight within three months.
Because the SBO data also included password information, the CyLab team was able to analyze the strength of the new passwords. According to the researchers, among the 21 users who changed their passwords, only a third (9) chose stronger passwords. The rest picked passwords that were weaker than, or about as strong as, their previous ones, often by reusing character sequences from their old passwords or by adopting similar passwords from other accounts.