Cybersecurity: users rarely change their password after being hacked


Only about one-third of users change their password after a data breach is reported, according to a recent study by academics at Carnegie Mellon University's CyLab Security and Privacy Institute. Presented at the beginning of the month at the IEEE 2020 Workshop on Technology and Consumer Protection, the study was based not on survey responses but on actual browser traffic.

The academics analyzed real web traffic data collected through the university's Security Behavior Observatory (SBO), an opt-in research group whose members register and share their full browsing history for the sole purpose of university research.

The data analyzed by the research team came from the personal computers of 249 participants. It was collected between January 2017 and December 2018 and included not only web traffic but also the passwords used to log in to websites and those stored in the browser.

After analyzing the data, the academics found that of the 249 users, only 63 had accounts on domains that publicly reported a data breach during the collection period. Of those 63 users, only 21 (33%) subsequently returned to the site to change their password. Of these 21 users, only 15 changed their password within three months of the breach being announced.


Image: Bhagavatula et al

Weak replacement passwords

In addition, since the SBO data also captured password data, the CyLab team was able to analyze the strength of the users' new passwords. The research team said that of the 21 users who changed their password, only one-third (9) changed it to a stronger one.

The others created weaker or similarly strong passwords, usually by reusing character sequences from their previous password or by choosing passwords similar to those of other accounts stored in their browser.

The study shows that users still lack the training needed to choose unique or stronger passwords. The researchers say much of the blame also lies with the breached services, which "almost never tell people to reset their similar passwords on other accounts."

Although small in scale compared to other studies, this one accurately reflects users' actual practices and behavior following a data breach, because it is based on real browsing and traffic data rather than on survey responses, which can be inaccurate or subjective.

The study is titled "(How) Do People Change Their Passwords After a Breach?" and can be downloaded as a PDF here.
