Study: Breach Victims Rarely Change PasswordsResearchers Call on Breached Companies to Revamp Notification
Even after being notified that their personal data has been compromised in a breach, only about a third of users change their passwords - and most of these are not strong or unique, according to a study by researchers at Carnegie Mellon University.
Based on these findings, the researchers recommend that organizations revamp their breach notifications to include more information on effective password resets. They also recommend that companies hash and salt their passwords to avoid credential-stuffing and rainbow-table attacks that target plaintext passwords.
In addition, the researchers say that government regulators should make password reset requests mandatory for all companies that sustain a data breach and create incentives for two-factor authentication, the report notes.
Trouble With Passwords
The study, which was presented at the recent IEEE 2020 Workshop on Technology and Consumer Protection, was conducted by a trio of security researchers at the university's Security and Privacy Institute who studied the efficiency of password-related breach notifications.
The researchers tracked the online and web browser activities of 249 users who volunteered to participate. Those included some who were victims of major data breaches that happened between January 2017 and December 2018, including breaches affecting Yahoo, Disqus, MyFitnessPal, Deloitte and others. The researchers also looked at compromised domains listed in the breach-notification service HaveIBeenPawned and elsewhere.
The researchers then cross-referenced this data against other information collected by the school's Security Behavior Observatory.
The study revealed that of the 249 voluntary participants that the researchers tracked, 63 were affected by a breach, according to the researchers.
Among these victims, only 21 changed their password after a breach announcement. Digging further down, the researchers found that 15 breach victims changed their password within three months of the breach announcement. In most of these cases, the victims who changed their passwords were affected by high-risk breaches, such as the 2017 Yahoo breach, the study notes.
Although these victims changed their password on the compromised domain, the researchers note that these users still had, on average, 30 other accounts with similar passwords.
"Of the 21 participants who changed passwords, 14 changed at least one similar password within a month of changing their password on the breached domain. These 14 changed, on average, only four similar passwords within that month," the report notes.
Studying the quality of the password changes made within the two-year time span that the researchers investigated, the study found that nearly 70% of users resorted to passwords that were either weak or equal strength to the password being replaced.
Time to Ditch Passwords?
Two organizations are working toward minimizing the need for passwords. OpenID is developing open standards as well as a decentralized authentication protocol that would eliminate the need for separate passwords for multiple sites. The FIDO Alliance is developing standards to strengthen interoperability between authentication services.
Meanwhile, some security firms, including Beyond Identity, are attempting to create new identity platforms that could support the effort to eliminate passwords (see: Tom Jermoluk on 'The End of Passwords').