Most users don’t change their passwords – even after a hack! Study reveals

A recent study published by the team from Carnegie Mellon University’s Security and Privacy Institute (CyLab) found that only a third of users change their passwords after a data breach announcement.

The study is based on data taken from actual browser traffic. It was earlier presented at the IEEE 2020 Workshop on Technology and Consumer Protection.

The research team assessed real-world web traffic collected with the help of the university's opt-in Security Behavior Observatory program, in which people sign up to share their full browser history for academic research.

The dataset for this specific study included information from the home computers of 249 participants, collected between January 2017 and December 2018. It covered web traffic, the passwords used to log in to websites, and the passwords stored inside the browser.

According to the results, only 63 of the 249 users had accounts on domains that publicly announced a data breach during the collection interval. Of these 63 users, only 33% (21 users) visited the breached sites to change their passwords, and only 15 changed their passwords within three months of the breach announcement.

The team also analyzed the strength of the users' new passwords and found that of the 21 users who changed their password, only 9 created a stronger one; the rest were rated as weak and similar to the passwords of their other accounts stored inside the browser.

The study concluded that internet users need better education on password safety and guidance on choosing stronger, unique passwords. The researchers also criticized the breached websites, which almost never told users to reset the passwords they reused on other accounts.


The study was comparatively small in scale. However, it gave a real-life view of users' password practices by examining actual browsing data rather than relying on self-reported responses from participants.

The study, titled ‘How do people change their passwords after a breach’, can be found here in PDF format.


Photo: Gettyimages