According to a new report conducted by academics at Carnegie Mellon University’s Security and Privacy Institute (CyLab), only about a third of users typically change their passwords after a data breach notification.
The report, which was presented at the IEEE 2020 Workshop on Technology and Consumer Protection earlier this month, was not based on survey data but on real user traffic.
Academics analyzed real-world web traffic collected with the help of the university’s Security Behavior Observatory (SBO), an opt-in research group in which users sign up and share their entire browser history for academic research purposes only.
The dataset for the study team contained knowledge collected from 249 participants’ home computers. Between January 2017 and December 2018, the data was collected and not only included web traffic, passwords used to log in to websites and stored inside the browser.
Academics said that of the 249 users, based on their review of the data, only 63 had accounts on infringed domains that publicly declared a data breach during the collection period.
CyLab researchers said only 21 (33 per cent) of the 63 users visited the broken sites to change their passwords, and that of those 21, only 15 users changed their passwords within three months of the announcement of the data breach.
> > > > In particular, 23 passwords on such domains have been updated. Of the 21 participants, 18 were Yahoo! users; the remaining 31 Yahoo! users (out of 49) did not change their passwords and according to the breach announcement all were affected by the hack. Two participants modified their Yahoo! passwords twice, once after every breach announcement. Within one month of the breach announcement, two participants changed their password on the infringed domain, a total of five within two months and eight within three months.
Many users who changed passwords chose a poor one
In addition, since the SBO data also captured password data, the CyLab team was able to analyze the complexity of new passwords for the users.
The research team said that only a third (9) of the users who changed passwords (21) changed it to a stronger password, based on the strength transformed by the log10 password.
The remainder created weaker or equivalent strength passwords, usually by reusing sequences of characters from their previous password, or by using passwords identical to other accounts stored within their browser.
The study shows users also lack the experience they need to select better or special passwords. Researchers argue that much of the blame still lies with the compromised systems that “almost never tell users to reset their similar-or identical-passwords on other accounts.”
However, although the study is limited in scope relative to others, it is more reliable to reflect real-world user behaviors when it comes to user actions after a data breach, as it is focused on actual browsing data and traffic rather than survey responses that could be unreliable or subjective at times.
The study is titled “(How) Do People Change Their Passwords After A Breach?,” and can be downloaded from here in PDF format.