Security News > 2020 > June > Password Changing After a Breach

Password Changing After a Breach
2020-06-01 11:08

This study shows that most people don't change their passwords after a breach, and if they do they change it to a weaker password.

Abstract: To protect against misuse of passwords compromised in a breach, consumers should promptly change affected passwords and any similar passwords on other accounts.

To study the effectiveness of password-related breach notifications and practices enforced after a breach, we examine­ - based on real-world password data from 249 participants­ - whether and how constructively participants changed their passwords after a breach announcement.

New passwords were on average 1.3× stronger than old passwords, though most were weaker or of equal strength.

Concerningly, new passwords were overall more similar to participants' other passwords, and participants rarely changed passwords on other sites even when these were the same or similar to their password on the breached domain.


News URL

https://www.schneier.com/blog/archives/2020/06/password_changi.html