Two-Thirds of Users Don't Change Their Passwords Even After a Data Breach

Changing Passwords After a Data Breach

Users are often rather vocal about their displeasure in the aftermath of a data breach, and you could argue that this is completely understandable. After all, by signing up for a service, you are entrusting the provider with your data, and when it's not protected as well as it should be, you have every right to be upset. It turns out, however, that while many people are ready to take to social media in order to express their anger against the company that suffered a breach, not all of them are willing to take simple steps to protect themselves.

Only a third of users affected by data breaches change their passwords

There are more than a few ways of storing people's passwords, and in the aftermath of a security incident, it's very important to learn what password storage method the breached provider has used. If the credentials are stored correctly (i.e., hashed and salted with a robust hashing algorithm), then the hackers that steal them will have a hard time using them to compromise people's accounts. If, on the other hand, they are saved in plaintext, the risks are much higher.
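The difference between the two storage methods described above, shown as an added example (not code from the article or from any breached provider): a plaintext record hands the password straight to whoever dumps the database, while a record holding a random per-user salt and a slow key-derivation output does not, and two users with the same password end up with different stored values. The work factor and record layout are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor for illustration only; production deployments should
# raise it to whatever the current guidance and the hardware allow.
PBKDF2_ITERATIONS = 200_000


def store_plaintext(password: str) -> dict:
    """Insecure scheme: the stored row reveals the password directly."""
    return {"scheme": "plaintext", "password": password}


def store_salted_hash(password: str, salt: Optional[bytes] = None) -> dict:
    """Sound scheme: random per-user salt plus PBKDF2-HMAC-SHA256."""
    if salt is None:
        salt = os.urandom(16)  # fresh salt per record, never reused
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "scheme": "pbkdf2-sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify(record: dict, candidate: str) -> bool:
    """Check a login attempt against a stored record of either scheme.

    Constant-time comparison avoids leaking how many bytes matched."""
    if record["scheme"] == "plaintext":
        return hmac.compare_digest(record["password"], candidate)
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest, bytes.fromhex(record["hash"]))


def leaked_record_reveals_password(record: dict) -> bool:
    """What a dumped row gives away: the password itself for plaintext,
    nothing directly usable for a salted hash (each guess costs a full KDF)."""
    return record["scheme"] == "plaintext"


if __name__ == "__main__":
    # Constructed sample credentials.
    weak = store_plaintext("correct horse")
    strong = store_salted_hash("correct horse")
    print("plaintext row:", weak)
    print("hashed row:", strong)
    print("login ok:", verify(strong, "correct horse"))
    print("dump reveals password:", leaked_record_reveals_password(strong))
```

Because the salt is random, hashing the same password twice yields two unrelated records, so a precomputed table built for one victim is useless against the next; that is the property the article's "hashed and salted" wording refers to.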

Whatever the case, users are always advised to change their passwords out of an abundance of caution. A study by researchers from Carnegie Mellon University shows, however, that most people simply don't bother.

Two hundred forty-nine people agreed to take part in the survey, which showed that only one in three users of a breached service is willing to change their password after they learn about the incident. The participants had special software on their home computers that recorded their browsing history and the strings they typed into websites' HTML form fields for the period between January 2017 and December 2018. Sixty-three users had accounts at the websites and applications involved in the nine biggest data breaches announced during that period, and only 21 of them changed their passwords after they were made aware of the incident.

It must be said that this is a relatively small subset of users, and drawing general conclusions based on this data alone is probably not the best idea. The numbers are worrying, however, especially when you see how people act when they decide to change their password.

People still can't create strong, unique passwords for their accounts

Even those that did change their compromised passwords weren't in too much of a hurry to do it. Of the 21 users, only 15 swapped their passwords within three months of the data breach announcement. This is far from the only problem.

As you might have guessed, the survey highlighted the problem of password reuse for the umpteenth time. The researchers estimated that the 21 users who changed their passwords on the breached domain had an average of 30 accounts with similar passwords. Only 14 people decided to protect some of them as well, and on average, they changed just four additional passwords. What's more, the new passwords weren't really new. Very nearly 70% of the newly assigned passwords were as strong as or weaker than the original ones, and most of them were derived from the old ones.
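The "derived from the old one" pattern above is something a service can catch at password-change time, when the user has just supplied the current password. The following check is an added example written for this article, not code from the study or from any provider; the distance threshold and the set of stripped trailing characters are assumptions. It rejects a new password that is unchanged, differs only by case or a trailing digit or symbol, contains the old password, or is within a few edits of it.

```python
from typing import Optional

# Characters commonly appended or incremented when people "change" a password
# (assumed set for illustration).
TRAILING_FILLER = "0123456789!@#$%^&*.,_-"


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def normalize(pw: str) -> str:
    """Lowercase and drop trailing digits/symbols so that "Summer2019!"
    and "summer2020" both reduce to "summer"."""
    return pw.lower().rstrip(TRAILING_FILLER)


def reject_reason(old: str, new: str, min_distance: int = 4) -> Optional[str]:
    """Return why a new password should be refused, or None if it is acceptable.

    The old password is available here in cleartext because the user just
    entered it to authorize the change; it is not read back from storage."""
    if new == old:
        return "unchanged"
    if normalize(new) == normalize(old):
        return "differs only in case, trailing digits or symbols"
    old_l, new_l = old.lower(), new.lower()
    if old_l in new_l or new_l in old_l:
        return "contains the old password"
    if levenshtein(old_l, new_l) < min_distance:
        return "too close to the old password"
    return None


if __name__ == "__main__":
    # Constructed sample change requests.
    for old, new in [("Summer2019!", "Summer2020!"),
                     ("hunter2", "hunter2hunter2"),
                     ("correct horse", "correct hoarse"),
                     ("hunter2", "battery staple 47")]:
        print(f"{old!r} -> {new!r}: {reject_reason(old, new) or 'accepted'}")
```

This check only compares against the password being replaced; it says nothing about reuse across the user's other accounts, which the study found to be the larger problem and which no single provider can observe.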

Who is to blame?

It's pretty clear that the situation is not exactly ideal. People don't understand the risks associated with compromised passwords. Apparently, they don't know how dangerous credential stuffing attacks could be, either, and they seem to find nothing wrong with using the same passwords for dozens of different accounts.

It would be easy to blame the users in the same way they blame the service providers whenever a data breach happens, but the truth is, people just aren't educated enough to know how much risk they put themselves at with their continuous use of compromised or weak passwords. Service providers must let users know what they're dealing with, and when a breach does happen, they need to be as transparent as possible about the potential consequences.

Many people reckon that the only way of solving the password problem would be to do away with it altogether and find a new authentication mechanism to replace it, but it's clear that we're still a long way from achieving this. For all its disadvantages, for now we're stuck with the password, and we must find a way of using it to the best of our advantage.

June 8, 2020
