Only A Third of Data Breach Victims Change Their Passwords, New Study Finds

Constant worrying and stress do no good for the body, mind, and soul. That being said, some people might be too relaxed about the wrong things. Password security being one of them. Even when passwords are breached, not all people rush to fix the problem. Needless to say, if people do not change passwords after data breaches, their virtual security can be jeopardized, and it can be jeopardized in many different ways by many different malicious parties. To add insult to injury, there are still a lot of people who reuse passwords across platforms, which puts them at even greater risk. Hopefully, by the time you are done reading this report, we will have convinced you that every password must be unique and that changing passwords after data breaches is non-negotiable.

Not all victims of data breaches change passwords

Researchers at the Carnegie Mellon University and Indiana University Bloomington have conducted a study, in which 249 people participated. They reviewed how many of these participants had accounts on 9 different websites (,,,,,,,, and, all of which experienced password-affecting data breaches between 2017 and 2018. 150 million passwords were leaked during the MyFitnessPal data breach in 2018 alone, and Chegg has faced three data breaches within the last three years. Although the services offered by these platforms are trusted and enjoyed by hundreds of millions of people around the world, even reputable service providers cannot always prevent data breaches. Ideally, breaches are discovered right away, and victims are warned about it so that appropriate security measures could be taken. Unfortunately, in some cases, breaches take months or even years to be discovered. And sometimes, service providers do not report breaches in time despite knowing about the incidents.

The study revealed that out of 63 participants who had accounts on the listed websites, only 21 made changes. That means that two thirds of participants did not change passwords at all. The 2017 Yahoo data breach is, by far, the most heavily reported one out of the nine because of the company’s history with major data breaches, and victims were urged to change passwords individually. However, while 49 participants had Yahoo accounts, only 18 of them changed passwords. This is shocking, but this perfectly illustrates how careless people are when it comes to password security. Sure, not all people grasp the concept of what a password truly is. After all, it is just an arbitrary string of random characters. Also, people often assume that nothing bad will happen to them or that cybercriminals will definitely not be interested in their accounts. Neglect, laziness, and lack of knowledge often lead to poor password habits.

People fail to replace breached passwords with strong combinations

Even when people are quick to change passwords after data breaches, they do not always follow the guidelines for creating strong passwords. Carnegie Mellon University and Indiana University Bloomington researches checked the passwords that 21 participants had changed. Only 9 of them managed to create stronger combinations, while 12 kept their passwords at the same level of strength or even made them weaker. 30 of their passwords were very similar to those that were breached and had to be changed. The study also revealed that password reuse was rampant. In total, 3041 password changes had been observed during the study, and 70% of these changes made no difference in password enhancement or even made the passwords weaker.

There are several hypothetical reasons why people are not more mindful when it comes to making changes. First of all, they might not understand how desirable passwords are amongst cybercriminals, and so they might choose passwords of the same strength or weaker ones just because they do not think that anyone would be interested. Second, they also might not understand how easy it is for cybercriminals to breach, guess, and brute-force passwords with new technology. Finally, password fatigue is a real thing, and people often do not know how to change them or what combinations are considered to be strong. That is due to the lack of basic knowledge.

What is a strong password?

We have answered this question in more detail in previous reports, but here are the basic requirements of a strong password:

  • The password MUST be at least 12-14 characters long. The longer the password is, the stronger it is, but it also has to meet other requirements. If a service allows using only a limited number of characters (e.g., six), you ought to use the maximum length.
  • The combination MUST NOT include specific words, names, locations, memorable dates, or characters that appear to hide guessable words (e.g., Pa$$w0rd).
  • The password MUST contain letters (both upper-case and lower-case), numbers, and special characters if that is possible.
  • The password MUST NOT be repeated and recycled. While it might be easy to create one strong password for all accounts, remember that if one account is breached, all others become accessible with the same password too! Using slight modifications of the same password (e.g., Password and Password 123) is not safe either.
  • DO NOT use default passwords. If you purchase new software or hardware, always change the default to a strong combination.

The problem with strong passwords is that they can be difficult to remember, especially if you have ten, twenty, or perhaps even a hundred of passwords for all of your banking, social networking, shopping, work, bill payment, email, and other accounts. If you have a super brain that is able to remember complex combinations with ease, you are fine. However, if you are a mere mortal like most of us, you might need help managing all of the complex passwords that you create. This is where a trusted password manager comes in handy. Cyclonis Password Manager is very easy to use, it can generate passwords for you, it can help you change passwords after data breaches, it can make logging in easier, and it also can add valuable protection. If this is the last step towards full password security, do not hesitate to give the free 30-day trial a go.

September 1, 2020

Leave a Reply