Researchers from Carnegie Mellon University published a
paper about people’s behavior after their passwords were compromised in a data
breach, and the results are as bad as you can imagine.
One thing that becomes painfully obvious, especially for
cybersecurity companies, is people’s unrivalled complacency when it comes to
password management. A robust security solution can be undone by a single user who
decides to continue using the one password common to all his active online
resources.
The study looked at the effectiveness of password-related
breach notifications and the practices people adopted after a breach. Its most
significant difference from earlier work is that it is not a survey of self-reported
behaviour but an analysis of observed data, which should make the findings more
reliable and precise. Data from 249 participants was used to check how people
changed their passwords following a data breach.
Out of 249 participants, 63 had accounts on breached
domains. Only 33% of the 63 went on to change their passwords, and only 13% did
so within three months of the announcement. Furthermore, most of them used
similar or even weaker passwords.
Also, 21 of the 63 people affected changed passwords
immediately after the breach announcement, but the quality of the new passwords
left much to be desired. The same people also had, on average, 30 other
passwords that were similar to the breached password.
Over the course of two years, 223 of the 249 participants
changed their passwords, and 70% of these password changes resulted in passwords
that were weaker or no stronger.
“Even when they changed their password on a breached
domain, most participants changed them to weaker or equally strong
passwords,” states the study.
“And, regardless of whether participants changed their similar passwords
within a month of the first change, their new passwords on the breached domains
were on average more similar to their remaining passwords,” the study continues.
The study concludes that password breach notifications
are failing dramatically. They do not prompt enough people to change their passwords,
and those who do tend to pick passwords similar to the compromised one.
Regulators should incentivize companies to use multi-factor authentication and
to salt and hash stored passwords, rather than keeping them in plaintext, to blunt
credential-stuffing and rainbow-table attacks.
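The two defensive points the article closes on, per-user salted hashing of stored passwords and the study's finding that people rotate to near-duplicate passwords, can both be enforced server-side. The following is an added example written for this page, not code from the study or the article: it stores PBKDF2 digests with a random salt per user (so identical passwords yield different digests and a precomputed rainbow table cannot be reused across accounts) and, at password-change time, rejects a new password that is only a small edit of the old one. The iteration count, the `difflib` similarity threshold and the sample passwords are constructed assumptions for illustration.

```python
"""Added example: per-user salted password hashing plus a change-password
check that rejects near-duplicate passwords. Constructed illustration, not
code from the CMU study or the article; parameters are assumptions."""
import difflib
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Assumed PBKDF2 work factor; tune to your own hardware and threat model.
_ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh 16-byte random salt per user means two
    users with the same password get different digests, so a table of
    precomputed digests (a rainbow table) is useless against the store."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def too_similar(old: str, new: str, threshold: float = 0.6) -> bool:
    """Flag a new password that is a small edit of the old one (e.g. a bumped
    year). difflib's ratio is a simple stand-in for the edit-distance style
    similarity the study measured; the threshold is an assumption."""
    return difflib.SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold


def change_password(store: Dict[str, Tuple[bytes, bytes]], user: str, old: str, new: str) -> bool:
    """Rotate a user's password only if the old one verifies and the new one
    is not a near-duplicate. The old plaintext is available here because the
    user supplies it to authorise the change. Returns True on success."""
    salt, digest = store[user]
    if not verify_password(old, salt, digest):
        return False
    if too_similar(old, new):
        return False
    store[user] = hash_password(new)  # new random salt for the new password
    return True


def demo() -> Dict[str, bool]:
    """Walk through the checks on a constructed sample user and report each."""
    store = {"alice": hash_password("Summer2019!")}
    results = {}
    # Same password, different salt: the digests differ.
    results["same_pw_different_digest"] = hash_password("Summer2019!")[1] != store["alice"][1]
    results["verify_ok"] = verify_password("Summer2019!", *store["alice"])
    # The kind of rotation the study observed: one digit changed.
    results["reject_bumped_digit"] = not change_password(store, "alice", "Summer2019!", "Summer2020!")
    results["accept_unrelated"] = change_password(store, "alice", "Summer2019!", "correct horse battery")
    results["old_no_longer_verifies"] = not verify_password("Summer2019!", *store["alice"])
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ok' if ok else 'FAIL'}")
```

The similarity check only catches edits of the password the user is replacing; the study's wider finding, that the new password resembles the user's passwords on other sites, cannot be checked by a single service, which is why the article's recommendation leans on multi-factor authentication rather than password rules alone.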