
Only 33 Percent Of People Change Password After Data Breach

By Chris Forte | June 13, 2020 (updated May 5th, 2022) | Cybersecurity

A new study by researchers from Carnegie Mellon University’s Security and Privacy Institute was presented at the 2020 IEEE Workshop on Technology and Consumer Protection.

The study has grim news for IT Security Professionals.

The key finding of the report is that only about one-third of users change their passwords after a company announces a data breach. This figure is based not on survey responses, but on browser histories collected from the 249 participants who volunteered to share their browsing data for the purposes of the research.

The browser history data was collected between January 2017 and December 2018 and included both a complete record of the websites each participant visited during that time and the passwords each participant used to log in to sites that required one.

Over the course of the data collection period, only 63 participants had accounts on breached domains, and of those, only 21 (33 percent) changed their passwords. Worse, 6 of the 21 took longer than 3 months to do so.

If that wasn’t disheartening enough, most of the changed passwords were highly similar to the old ones. They were similar enough that simple brute-force techniques would still give an attacker access to the accounts in question, even after the password change.
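One defensive control that follows directly from this finding is to reject a password change when the "new" password is only a trivial variant of the old one (a bumped year, a leetspeak swap, an appended digit). The following is an added example, not code from this post or from the CMU study; the normalisation rules, the similarity threshold, the leetspeak table and the sample password pairs are all constructed assumptions for illustration, and a real deployment would run this check inside the password-change handler where the old password is still available in plaintext.

```python
"""Reject password changes that only lightly modify the old password.

Added example (not from the original post or the CMU study). The leet
table, thresholds and sample pairs are constructed assumptions.
"""
import re
import unicodedata

# Common substitutions users apply when "changing" a password.
# Constructed table; extend it from your own password-policy guidance.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(pw: str) -> str:
    """Reduce a password to its 'core': fold case, strip the trailing
    digits/symbols (e.g. '2018!', '123'), strip leading symbols, and undo
    leetspeak substitutions. 'P@ssw0rd123!' -> 'password'."""
    pw = unicodedata.normalize("NFKC", pw).lower()
    pw = re.sub(r"[\d\W_]+$", "", pw)   # drop suffix before leet-folding
    pw = re.sub(r"^[\W_]+", "", pw)     # drop leading punctuation
    return pw.translate(LEET_MAP)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    if len(a) < len(b):
        a, b = b, a
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def similarity(old: str, new: str) -> float:
    """1.0 = identical, 0.0 = nothing in common (normalised edit distance)."""
    longest = max(len(old), len(new))
    if longest == 0:
        return 1.0
    return 1.0 - levenshtein(old, new) / longest


def is_trivial_variant(old: str, new: str, threshold: float = 0.6) -> bool:
    """True when `new` is a near-copy of `old` by any of three tests:
    identical core after normalisation, core reused inside the other
    password, or raw (case-folded) similarity above `threshold`.
    The 0.6 threshold is an assumption, not a published recommendation."""
    if new == old:
        return True
    core_old, core_new = normalize(old), normalize(new)
    if core_old and core_old == core_new:
        return True
    # A core of at least 4 characters reused with a new prefix/suffix.
    if len(core_old) >= 4 and (core_old in core_new or core_new in core_old):
        return True
    return similarity(old.lower(), new.lower()) >= threshold


def check_password_change(old: str, new: str) -> tuple:
    """Return (accepted, reason) for a proposed password change."""
    if is_trivial_variant(old, new):
        return (False, "new password is too similar to the old one")
    return (True, "ok")


if __name__ == "__main__":
    # Constructed sample pairs resembling the 'small edit' behaviour
    # described in the study; none of these are real credentials.
    for old, new in [("Summer2018!", "Summer2019!"),
                     ("P@ssw0rd", "Passw0rd1"),
                     ("Hunter2", "Hunter2Hunter2"),
                     ("Summer2018!", "tangelo-vault-49")]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new)}")
```

The first three pairs are rejected (same core after folding, or the old core reused), while the last is accepted because neither the normalised cores nor the raw strings resemble each other. The check deliberately runs only at change time, since that is the one moment the old password is available in clear; it does not require storing anything reversible.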

It should be noted that this study was quite small in scale and limited in scope, so additional studies are needed to see whether the trend holds up over time. It nevertheless provides a valuable and worrisome data point that should give IT professionals pause.

Education is the best way to combat this, but few companies spend the time and resources necessary to truly convey how serious the consequences of a data breach are, and the message simply isn’t getting through. That’s unfortunate, and it could have tragic consequences at both the personal and the enterprise level.

Chris Forte

Chris Forte, President and CEO of Olmec Systems, has been in the MSP space for the past 25 years. Chris earned his Master’s Degree from West Virginia University, graduating Magna Cum Laude. He is a past member of the Entrepreneurs’ Organization and a current member of the New Jersey Power Partners and the Executive Association of New Jersey, where he previously served on the board of directors. In his spare time, Chris enjoys traveling with his family. He also admits to being a struggling golfer and an avid watcher of college football and basketball. He currently lives in Boonton Township, NJ with his wife, two daughters, son, and black lab Luna.