Most people don't change passwords after data breaches -- here's why you should

Passwords written on colored Post-It notes and stuck to a laptop screen.
(Image credit: designer491/Shutterstock)

Just one in three people change their passwords after being made aware of a data breach, according to new research.

The study, conducted by researchers at Carnegie Mellon University's Security and Privacy Institute and Indiana University Bloomington, investigated the security habits and browser traffic of 249 participants between January 2017 and December 2018.

Out of the 249 participants who took part in the study, only 63 had accounts on one or more of the nine domains with data breaches that the researchers studied. 

This included the massive Yahoo data breach that was announced in three stages, in December 2016 (outside the scope of the study), February 2017 and October 2017. Overall, 3 billion account usernames and passwords -- possibly representing all Yahoo accounts -- were compromised. 

Of those potentially affected participants, a mere 21 changed their password after a breach announcement was issued.

The majority of these users had Yahoo accounts, 31 of whom did not change their passwords following such threats of identity theft.

According to the study: “Two participants changed their Yahoo! passwords twice, once after each breach announcement. Two participants changed their password on the breached domain within one month of the breach announcement, a total of five within two months, and eight within three months.”

The research also looked at the quality of new passwords, discovering that only nine of the 21 people who changed their passwords opted for stronger passwords. Meanwhile, 12 created weaker or equal-strength passwords.

In terms of password strength, the research claims: “On average, participants created new passwords that were 1.3× stronger than their old passwords after transforming strength on the log10 scale.”

Creating secure passwords is easy

The research is perhaps most surprising considering that creating super-secure passwords isn't hard to do.

Adding special characters, numbers, and a mix of upper and lower case letters is a good place to start. Avoiding easily crackable words or phrases is also highly recommended.

Of course, that then presents the problem of remembering them all. We do, after all, have such a litany of passwords for multiple bank accounts, online shopping, social media and pretty much everything else online these days.

That's where grabbing one of the best password managers becomes a useful piece of kit. They'll help you create, store and access a multitude of secure passwords that you can locate at the click of a button.