People rarely change their password after a data breach, study says

Just one-third of users took action following breach announcements, according to new research from Carnegie Mellon University.

Abrar Al-Heeti Technology Reporter

Changed your password lately?

Angela Lang/CNET

Most people don't take changing a password seriously after a data breach, according to a recent study. Only about a third of users change their password after a breach is announced, according to a study presented earlier this month by Carnegie Mellon University's Security and Privacy Institute (CyLab).

Researchers analyzed web traffic gathered through the university's Security Behavior Observatory (SBO), a panel of users who sign up to share their browser history for academic research. Data on 249 participants was collected between January 2017 and December 2018.

Of the users, 63 had accounts on breached domains that publicly shared a breach during the collection period. Of those 63 users, 21 went to the breached sites to change their password. Further, just 15 of those users did so within three months of the announcement. 

Because the SBO data included password information, the CyLab team also analyzed the complexity of new passwords. Researchers found that of the 21 people who changed their password, only a third changed it to a stronger one. Others created a new password that was weaker or of similar strength. 

Stronger password practices have arguably become more critical than ever, given the prevalence of data breaches. Researchers place some blame on hacked services that "almost never tell people to reset their similar -- or identical -- passwords on other accounts." People are encouraged to take measures like using a password manager to keep track of passwords and avoiding common words and character combinations.
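The study's finding that most post-breach password changes were weaker or of similar strength, and the closing advice to avoid common words and near-identical passwords across accounts, can be illustrated with a small checker. The script below is an added example and is not the CyLab study's methodology (the page does not describe how the researchers scored strength); it uses an assumed character-set entropy estimate, a constructed common-word list, an assumed similarity threshold of 0.7 and an assumed 8-bit margin, and the old/new password pairs are constructed sample data.

```python
import math
import re
from difflib import SequenceMatcher

# Constructed, deliberately short dictionary of common words (assumption, not from the study).
COMMON_WORDS = {"password", "welcome", "qwerty", "letmein", "admin", "football"}


def charset_size(pw: str) -> int:
    """Size of the alphabet a password draws from (assumed classes and sizes)."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation and space
    return size


def estimate_bits(pw: str) -> float:
    """Rough strength estimate in bits: len * log2(charset), with a penalty for
    dictionary words (a whole common word is counted as roughly one symbol)."""
    if not pw:
        return 0.0
    per_char = math.log2(charset_size(pw))
    bits = len(pw) * per_char
    lowered = pw.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            bits -= (len(word) - 1) * per_char
    return max(bits, 0.0)


def similarity(old: str, new: str) -> float:
    """Case-insensitive similarity ratio in [0, 1]; 1.0 means identical."""
    return SequenceMatcher(None, old.lower(), new.lower()).ratio()


def classify_change(old: str, new: str, margin_bits: float = 8.0,
                    similar_threshold: float = 0.7):
    """Classify a password change as 'stronger', 'weaker' or 'similar'.

    A near-duplicate of the old password (e.g. a bumped trailing digit) is
    reported as 'similar' even if the estimate rises, because an attacker who
    knows the old password would guess the variant quickly.
    Returns (label, old_bits, new_bits, similarity)."""
    old_bits = estimate_bits(old)
    new_bits = estimate_bits(new)
    sim = similarity(old, new)
    if sim >= similar_threshold:
        label = "similar"
    elif new_bits >= old_bits + margin_bits:
        label = "stronger"
    elif new_bits <= old_bits - margin_bits:
        label = "weaker"
    else:
        label = "similar"
    return label, old_bits, new_bits, sim


def summarize(pairs):
    """Count outcomes over a list of (old, new) pairs, mirroring the
    'stronger / weaker / similar' breakdown the study reports."""
    counts = {"stronger": 0, "weaker": 0, "similar": 0}
    for old, new in pairs:
        counts[classify_change(old, new)[0]] += 1
    return counts


# Constructed sample changes (hypothetical, not data from the SBO).
SAMPLE_CHANGES = [
    ("Password1", "Password2"),                      # bumped digit: similar
    ("tR7$kq!9Lm", "summer"),                        # random to short word: weaker
    ("welcome1", "correct horse battery staple"),    # common word to passphrase: stronger
]

if __name__ == "__main__":
    for old, new in SAMPLE_CHANGES:
        label, ob, nb, sim = classify_change(old, new)
        print(f"{old!r} -> {new!r}: {label} ({ob:.1f} -> {nb:.1f} bits, sim {sim:.2f})")
    print(summarize(SAMPLE_CHANGES))
```

The ordering of the checks matters: similarity is tested before the bit estimate so that "Password1" to "Password2" is never reported as an improvement, which is the reuse pattern the researchers say breached services rarely warn about.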