Most people don't change passwords after data breaches -- here's why you should


Just one in three people change their passwords after being made aware of a data breach, according to new research.

The study, conducted by researchers at Carnegie Mellon University's Security and Privacy Institute and Indiana University Bloomington, investigated the security habits and browser traffic of 249 participants between January 2017 and December 2018.

Of the 249 participants in the study, only 63 had accounts on one or more of the nine breached domains that the researchers studied.

These included the massive Yahoo data breach that was announced in three stages, in December 2016 (outside the scope of the study), February 2017 and October 2017. Overall, 3 billion account usernames and passwords -- possibly representing all Yahoo accounts -- were compromised.

Of those potentially affected participants, a mere 21 changed their password after a breach announcement was issued.

Most of these users had Yahoo accounts, and 31 of them did not change their passwords following such threats of identity theft.

According to the study: “Two participants changed their Yahoo! passwords twice, once after each breach announcement. Two participants changed their password on the breached domain within one month of the breach announcement, a total of five within two months, and eight within three months.”

The research also looked at the quality of new passwords, discovering that only nine of the 21 people who changed their passwords opted for stronger passwords. Meanwhile, 12 created weaker or equal-strength passwords.

In terms of password strength, the research claims: “On average, participants created new passwords that were 1.3× stronger than their old passwords after transforming strength on the log10 scale.”

Creating secure passwords is easy

The research is perhaps most surprising considering that creating super-secure passwords isn't hard to do.

Adding special characters, numbers, and a mix of upper and lower case letters is a good place to start. Avoiding easily crackable words or phrases is also highly recommended.

Of course, that then presents the problem of remembering them all. We do, after all, have such a litany of passwords for multiple bank accounts, online shopping, social media and pretty much everything else online these days.

That's where grabbing one of the best password managers becomes a useful piece of kit. They'll help you create, store and access a multitude of secure passwords that you can locate at the click of a button.


Nicholas Fearn is a freelance technology journalist and copywriter from the Welsh valleys. His work has appeared in publications such as the FT, the Independent, the Daily Telegraph, The Next Web, T3, Android Central, Computer Weekly, and many others. He also happens to be a diehard Mariah Carey fan!
