Researchers from Carnegie Mellon University published a paper about people’s behavior after their passwords were compromised in a data breach, and the results are as bad as you can imagine.
One thing that becomes painfully obvious, especially to cybersecurity companies, is people's complacency when it comes to password management. A robust security solution can be undone by a single user who decides to keep using the one password shared across all of their active online accounts.
The study looked at the effectiveness of password-related breach notifications and at the practices people actually followed after a breach. Unlike most earlier work on the topic, this is not a survey, which means the data should be more valuable and precise. Observed data from 249 participants was used to check how people changed their passwords following a data breach.
Out of 249 participants, 63 had accounts on breached domains. Only 33% of the 63 went on to change their passwords, and only 13% did so within three months of the announcement. Furthermore, most of them used similar or even weaker passwords.
Also, 21 of the 63 people affected changed passwords immediately after the breach announcement, but the quality of the new passwords left much to be desired. The same people also had, on average, 30 other passwords that were similar to the breached password.
Over the course of two years, 223 of the 249 participants changed their passwords, and 70% of these password changes resulted in passwords that were weaker or no stronger.
"Even when they changed their password on a breached domain, most participants changed them to weaker or equally strong passwords," states the study. "And, regardless of whether participants changed their similar passwords within a month of the first change, their new passwords on the breached domains were on average more similar to their remaining passwords," it continues.
The study concludes that password breach notifications are failing dramatically. They do not prompt enough people to change their passwords, and those who do tend to choose similar ones. Regulators should incentivize companies to use multi-factor authentication and to hash and salt passwords instead of storing them in plaintext, which would blunt credential-stuffing and rainbow-table attacks.