Two-thirds of people did not change their passwords following the notice of a data breach, according to new research from Carnegie Mellon University.
Of the participants who did change their password on a breached domain, most changed them to weaker or equally strong passwords, with only 13% changing their password within three months.
Participants averaged 30 passwords similar to their password on the breached domain. Still, on average, they changed only four of these passwords within a month after changing their password from the breached domain.
“Overall, our findings suggest that password breach notifications are failing dramatically,” the researchers concluded. Most users do not take any action, and those who do are not taking “constructive action.”
Researchers concluded that breached companies need to do more to encourage password changes, even advocating for more regulatory requirements.
“Regulators should also require that companies force password resets after a breach and provide actionable instructions on how to create ‘strong’ passwords,” the paper stated.
If a breached password is reused on other accounts, it exposes the individual to credential stuffing attacks. Statistics show that roughly 1 in 100 breached credentials will result in a successful login.
Password managers, including those built into web browsers, help, but the study says more active steps are needed.
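As an added illustration of the kind of forced-reset policy the findings argue for (this is not code from the CMU paper or its authors), the check below rejects a replacement password that is merely a variant of the compromised one, the pattern the study found in most users who did change. The normalisation rules, the similarity threshold and the minimum length are assumptions, not values from the paper.

```python
import re
from difflib import SequenceMatcher

# Assumed policy values; tune to your own password standard.
MAX_SIMILARITY = 0.7   # normalised ratio above which the new password is a "variant"
MIN_LENGTH = 12

# Common character substitutions users rely on ("P4ssw0rd"); assumed list.
LEET = str.maketrans("4301$@!", "aeolsai")


def normalise(pw: str) -> str:
    """Undo the cheap edits people make when 'changing' a password:
    appended/prepended digits or symbols, capitalisation, leet-speak."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)  # strip edge digits/symbols
    return core.lower().translate(LEET)


def similarity(old: str, new: str) -> float:
    """0.0 (unrelated) .. 1.0 (same after normalisation)."""
    a, b = normalise(old), normalise(new)
    if not a and not b:
        return 1.0
    return SequenceMatcher(None, a, b).ratio()


def is_acceptable_reset(old: str, new: str) -> bool:
    """Server-side check run when a user resets a password after a breach
    notice. Rejects short passwords and variants of the compromised one."""
    if len(new) < MIN_LENGTH:
        return False
    if new == old or similarity(old, new) >= MAX_SIMILARITY:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    breached = "Summer2019!"
    for candidate in ("Summer2020!", "Password123!", "correct-horse-battery-staple"):
        verdict = "accepted" if is_acceptable_reset(breached, candidate) else "rejected"
        print(f"{candidate!r}: {verdict} (similarity {similarity(breached, candidate):.2f})")
```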
The researchers followed the security practices of 249 individuals, focusing on nine data breaches, to determine how consumers tend to respond to news of a compromised account. One of the breaches studied was the massive Yahoo hack of three billion accounts.