Most people don't change passwords after data breaches -- here's why you should


Just one in three people change their passwords after being made aware of a data breach, according to new research.

The study, conducted by researchers at Carnegie Mellon University's Security and Privacy Institute and Indiana University Bloomington, investigated the security habits and browser traffic of 249 participants between January 2017 and December 2018.

Out of the 249 participants who took part in the study, only 63 had accounts on one or more of the nine domains with data breaches that the researchers studied. 

These included the massive Yahoo data breach that was announced in three stages, in December 2016 (outside the scope of the study), February 2017 and October 2017. Overall, 3 billion account usernames and passwords -- possibly representing all Yahoo accounts -- were compromised.

Of those potentially affected participants, a mere 21 changed their password after a breach announcement was issued.

Most of these users had Yahoo accounts, and 31 of them did not change their passwords after the breach announcements, despite the threat of identity theft.

According to the study: “Two participants changed their Yahoo! passwords twice, once after each breach announcement. Two participants changed their password on the breached domain within one month of the breach announcement, a total of five within two months, and eight within three months.”

The research also looked at the quality of new passwords, discovering that only nine of the 21 people who changed their passwords opted for stronger passwords. Meanwhile, 12 created weaker or equal-strength passwords.

In terms of password strength, the research claims: “On average, participants created new passwords that were 1.3× stronger than their old passwords after transforming strength on the log10 scale.”

Creating secure passwords is easy

The research is perhaps most surprising considering that creating super-secure passwords isn't hard to do.

Adding special characters, numbers, and a mix of upper and lower case letters is a good place to start. Avoiding easily crackable words or phrases is also highly recommended.

Of course, that then presents the problem of remembering them all. We do, after all, have such a litany of passwords for multiple bank accounts, online shopping, social media and pretty much everything else online these days.

That's where grabbing one of the best password managers becomes a useful piece of kit. They'll help you create, store and access a multitude of secure passwords that you can locate at the click of a button.


Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!
