When accounts and passwords are compromised in a breach, those users who are notified or become aware of this should hastily change their passwords. Along with changing the passwords on the accounts that were known to be compromised, they should also change any similar passwords on other accounts that they may have. Ideally, this behavior should be highly encouraged by the affected companies in order to further mitigate harm from the breach. A recent study published by academics from the Carnegie Mellon University’s Security and Privacy Institute (CyLab) examined real-world password data post breaches from 249 participants to study the effectiveness of breach notifications, and just how often users changed their passwords after these announcements. Of those 249 participants that were surveyed, 63 of them had accounts on breached domains, with only 33% of those 63 changing their passwords. Even more troubling, the 33% that did change their passwords, only 13% of the 63 had changed their passwords within 3 months of the notification.
Further study found that while on average, the new password was 1.3 times stronger than the old passwords, most were weaker, or of equal strength. As well, the new passwords were overall more like participants’ other passwords, and participants very rarely changed passwords on other sites even when these were the same or like the password on the breached domain. When a company has it accounts compromised from a breach, rarely are the users affected solely on the compromised domain. Previously, some studies have been done that had shown, on average, a user exactly or partially reuses their passwords on over 50% of their accounts. In these cases, when a user has their password compromised on a single domain, they have a much higher risk that an attacker will be able to use that password to gain access to other accounts using the similar password.
Additional work (prior to the Carnegie Mellon study) explored those problems related to data breached and password changes, and the factors that contributed to those affected such as their understanding of the breach and their inclination to change their passwords post one. One of the more interesting finds was participants believing that the password they had was “invulnerable” or much too complicated for attackers to use. While other factors included who they received the notification from, observing that some individuals were more likely to advice based on who that advice was given by. As well, some of the notifications to users often would underestimate the potential harm they could incur as a result of the breach. The team at Carnegie Mellon ultimately determined that the need for more rigorous password changing requirements following a breach, and more effective breach notifications could help to deliver better results for your company and its users.
Carnegie Mellon Study: