Become a fan of Slashdot on Facebook

 



Forgot your password?
typodupeerror
×
Security IT Technology

After a Breach, Users Rarely Change Their Passwords, Study Finds (zdnet.com) 47

Only around a third of users usually change their passwords following a data breach announcement, according to a recent study published by academics from the Carnegie Mellon University's Security and Privacy Institute (CyLab). From a report: The study, presented earlier this month at the IEEE 2020 Workshop on Technology and Consumer Protection, was not based on survey data, but on actual browser traffic. Academics analyzed real-world web traffic collected with the help of the university's Security Behavior Observatory (SBO), an opt-in research group where users sign up and share their full browser history for the sole purpose of academic research. The research team's dataset included information collected from the home computers of 249 participants.

The data was collected between January 2017 and December 2018 and included not only web traffic, passwords used to log into websites and stored inside the browser. Based on their analysis of the data, academics said that of the 249 users, only 63 had accounts on breached domains that publicly announced a data breach during the collection interval. CyLab researchers said that of the 63 users, only 21 (33%) visited the breached sites to change their passwords, and that of these 21, only 15 users changed passwords within three months after the data breach announcement.

This discussion has been archived. No new comments can be posted.

After a Breach, Users Rarely Change Their Passwords, Study Finds

Comments Filter:
  • The vast majority of time your account info gets out, its because some chuckleheaded company got hacked or left the information lying around not because some uberhacker is bruteforcing your personal account. So why are users the one punished by being forced to change passwords multiple times a year and think up these bizarre long alphanumeric string with multiple punctuation marks?
  • In other news... (Score:4, Insightful)

    by DidgetMaster ( 2739009 ) on Monday June 01, 2020 @05:16PM (#60132838) Homepage
    ...only one third of users on said websites, bothered to give their real information anyway so the 'data breach' was for data that the user couldn't care less if it was stolen in the first place.
    • ...only one third of users on said websites, bothered to give their real information anyway so the 'data breach' was for data that the user couldn't care less if it was stolen in the first place.

      Yep, I have one password used on every website I'm not putting anything I care about on. I keep getting told to change the password but couldn't care less.

      • Use a password manager.

        • by sconeu ( 64226 ) on Monday June 01, 2020 @06:25PM (#60133084) Homepage Journal

          You're missing the point. If I'm making a one-time purchase -- I will NEVER go back to that site again -- why the fuck should I have to create an account?

          • Because your data is worth more than the profit from a single transaction. If you're not coming back, they'd better harvest everything they can from you, otherwise there's no point in letting you complete your purchase.
          • If I'm making a one-time purchase -- I will NEVER go back to that site again -- why the fuck should I have to create an account?

            Because they won't let you make the purchase unless you create an account? Some websites won't even let you look at what they have for sale unless you create an account - or at least fill in a form to extract your "marketing profile". I found this with EE (the mob phone company) a few days ago. Fuck them.

        • Focus on security when websites use a SSO provider. Then when there's a breach, the SSO provider can deal with it and reauthenticate via 2FA. Passwords don't mean much in that case.

          Sites that don't use SSO, well... never give them real information anyway. And in those cases, I usually just use Abc12345 and often a mailinator e-mail account.

          Most people don't realize that running a login provider is a very very hard thing to do. It requires constant vigilance and requires far more skills than most companies h
          • by MrL0G1C ( 867445 )

            Password managers make me insanely nervous

            I certainly don't use an online password manager, that's been shown to be a bad idea with one of them compromised already. But if you do you could put partial passwords in for financial related sites including retailers - and then have a small bit which you remember and add to those passwords, random 3-character alpha would be enough 26^3=17576 added to already secure passwords so that if the online password manager is compromised then the hackers would not bother w

          • by MrL0G1C ( 867445 )

            PS, Online password managers have proved to be idiots who can't be trusted with your data. There is no reason why they should store your passwords online in a manner where they can unencrypt them sitting waiting to be compromised.

            If online password managers did the decryption client-side using your master password as the key then their databases could never be compromised. Clearly they can't do this right and as such can't be trusted.

        • When I'm registering to read a news article, on a website that only wants e-mail (an e-mail I use for throwaway crap) and password, why bother? If someone hacks that account I lose no data and for the most part really don't care about losing access to that account.

          • by cusco ( 717999 )

            That's the only thing that I've used Yahoo Mail for in the last decade. I log in twice a year or so and delete everything in the Inbox just so that they don't retire the account.

    • by dissy ( 172727 )

      Alternatively, there is huge bias in the people participating in the study.

      These are people who said "Yes" when asked "Can we monitor your web browsing in real time by installing this software, including logging your history, passwords. and everything else you type? For science!"

  • by backslashdot ( 95548 ) on Monday June 01, 2020 @05:17PM (#60132846)

    My password is easy to remember. It rhymes with assword and starts with P. It's also, like the world's most difficult password, super obvious to the point where you'd never guess it.

    • Is your password Pineappleassword? If not, can I have 2 more guesses?
    • by cusco ( 717999 )

      I still remember an audit that the Pentagon carried out on all of their "secure" systems around 2002. They found the most common password on Admin-level accounts was Password, followed by blank, followed by Password$. That accounted for something like 20% of all supposedly secure servers. I'm sure a group ass-reaming of unprecedented scale followed.

  • by Rick Schumann ( 4662797 ) on Monday June 01, 2020 @05:26PM (#60132888) Journal
    You can change your passwords all you want but if the security of the systems your passwords exist on is crappy to start with, they'll just waltz right back in at some later time and get your password again anyway, and from the literally daily reports of data breaches it seems that anything and everything on the Internet is open season to any and all hackers because apparently all security everywhere is crappy.
    • by MrL0G1C ( 867445 )

      The latest scam Paypal email I got to an email address I use less often had a large part (6digits) of my newest work tel no. So some idiot cunts got compromised recently and they didn't report it. I blame data sharing - mostly illegal in the EU but still rife regardless.

  • Comment removed based on user account deletion
  • It says the researchers relied on opt in data from the browsers on people's home computers. Did they capture all computers? Maybe passwords were changed at work or even more likely on a user's phone.

  • "After head-on collisions, few drivers put on seatbelts until first-responders arrive." Now don't get me wrong - changing a password is important in general. Not all breaches are "lost passwords". Changing my password after someone opens their S3 bucket isn't going to be very helpful either retroactively or in the future, unless what was leaked some analogue of the shadow file (not the most common case.)
  • After a Breach, Users Rarely Change Their Passwords, Study Finds

    I suppose stupid really is as is as stupid does.

  • Since I first registered. I don't care. Why should I?
  • Not true (Score:5, Funny)

    by PPH ( 736903 ) on Monday June 01, 2020 @05:51PM (#60132984)

    My bank has been breached a dozen times. I'm up to 'password13' now.

    • I once worked with a guy who didn't increment the number but rather added to it. It was hillarious watching him log in to his PC every morning 'password1234567890111213'

      At one point his password got so long a system actually foiled him as a security measure it only allowed him 20 seconds to enter his password, and he couldn't type fast enough to log in without timing out.

    • My bank has been breached a dozen times. I'm up to 'password13' now.

      After the yahoo data breaches I changed my password each time they told me to, my updated passwords reflect my opinion on yahoo's security with language that should not be posted on a public website.

  • by eepok ( 545733 ) on Monday June 01, 2020 @06:01PM (#60133008) Homepage

    Are we surprised? They're humans. Very busy humans. With 40 different password-protected systems to access on a regular basis. So you'll say, "Get a password manager" which sounds fine to we nerds, but actually is just another layer of complexity across ALL the systems for the common person.

    • Also keep in mind that the people in this password study are already having their internet activity monitored by college students. They obviously aren't all concerned about their privacy to begin with.

  • Why every single website should require 2FA.
    • That isn't really going to help when you get SIMjacked because you used the same password and PIN to protect your T-Mobile account as you did on Yahoo or LinkedIn or (insert another hacked site here).

  • Comment removed based on user account deletion
  • by Leslie43 ( 1592315 ) on Monday June 01, 2020 @08:08PM (#60133342)
    they need to take it seriously themselves.
    Yahoo waited how long to inform users they were hacked, not once but multiple times before they decided to let users know. Other companies have waited months, and often only when busted by reporters.
    • And "seriously" really means "spending money."

      Most businesses know they have security vulnerabilities, but refuse to spend the money necessary to fix them.

      • by cusco ( 717999 )

        This. Bankers are one of the few groups of people cheaper than lawyers and will **always** go to the lowest bidder for services (well, services that don't affect the executive offices, then money is no object). When I logged into my first online banking account I noticed my account number in the browser address bar (it had a lot of 3s). I changed the number and was in someone else's account with full permissions. I've never done online banking since, especially since Chase got caught with the same brain

  • by nehumanuscrede ( 624750 ) on Monday June 01, 2020 @08:58PM (#60133524)

    Show of hands:

    Who here has ever heard of a " Data Breach Announcement " within a reasonable amount of time after it happens ?

    Two, three, six months later we MIGHT get a mention of it if we're lucky.

  • by k6mfw ( 1182893 ) on Monday June 01, 2020 @11:26PM (#60134048)
    that's why. If the fire alarm constantly goes off every day then most likely ignore it when the real thing comes along. Data breaches happen all the time, must be a slow day when reported in the news.
  • by nukenerd ( 172703 ) on Tuesday June 02, 2020 @03:44AM (#60134650)

    Academics analyzed real-world web traffic collected with the help of [users who] sign up and share their full browser history

    So they researched numpties who were happy to share their entire browing histories. Why would such numpties care about passwords?

    PS : Non-UK users may not get the title.

  • by gillbates ( 106458 ) on Tuesday June 02, 2020 @12:57PM (#60136518) Homepage Journal

    I once tried to change my password at a prominent website and received the following response:

    • PasDupError: password '12345' already in use by user 'Admin' - choose a different password and try again.

    So now I know at least that site won't let ordinary users choose weak passwords. But I can't help but wonder how many other sites check for weak passwords in the first place.

Reality must take precedence over public relations, for Mother Nature cannot be fooled. -- R.P. Feynman

Working...