After a breach, users rarely change their passwords, study finds

Only a third of users changed their password following a data breach.

fbi-recommends-passphrases-over-password-5e5527a8db1d010001ad4e75-1-feb-26-2020-15-01-01-poster.jpg

Only around a third of users usually change their passwords following a data breach announcement, according to a recent study published by academics from the Carnegie Mellon University's Security and Privacy Institute (CyLab).

The study, presented earlier this month at the IEEE 2020 Workshop on Technology and Consumer Protection, was not based on survey data, but on actual browser traffic.

Academics analyzed real-world web traffic collected with the help of the university's Security Behavior Observatory (SBO), an opt-in research group where users sign up and share their full browser history for the sole purpose of academic research.

The research team's dataset included information collected from the home computers of 249 participants. The data was collected between January 2017 and December 2018 and included not only web traffic, passwords used to log into websites and stored inside the browser.

Based on their analysis of the data, academics said that of the 249 users, only 63 had accounts on breached domains that publicly announced a data breach during the collection interval.

CyLab researchers said that of the 63 users, only 21 (33%) visited the breached sites to change their passwords, and that of these 21, only 15 users changed passwords within three months after the data breach announcement.

>>>>>In total, 23 passwords were changed on these domains. Of the 21 participants, 18 were Yahoo! users; the remaining 31 Yahoo! users (out of 49) did not change their passwords although all were affected by the breach according to the breach announcement. Two participants changed their Yahoo! passwords twice, once after each breach announcement. Two participants changed their password on the breached domain within one month of the breach announcement, a total of five within two months, and eight within three months.

changed-password.png

Image: Bhagavatula et al.

Most users who changed passwords chose a weak one

Furthermore, since the SBO data also captured password data, the CyLab team was also able to analyze the complexity of the users' new passwords.

The research team said that of the users who changed passwords (21), only a third (9) changed it to a stronger password, based on the password's log10-transformed strength.

The rest created passwords of weaker or similar strength, usually by reusing character sequences from their previous password, or by using passwords that were similar to other accounts that were stored inside their browser.

The study shows that users still lack the education needed in choosing better or unique passwords. Researchers argue that a lot of the blame also resides with the hacked services, which "almost never tell people to reset their similar - or identical - passwords on other accounts."

The study, while small in scale compared to others, is, however, more accurate in representing real-world user practices when it comes to user behavior following a data breach, as it's based on actual browsing data and traffic rather than survey responses that may sometimes be inaccurate or subjective.

The study is named "(How) Do People Change Their Passwords After a Breach?," and is available for download in PDF format from here.