Large-scale password breaches are a common occurrence. To protect their users’ accounts and data after these breaches, companies often attempt to convince their users to change their passwords on the affected sites. In this article, through our unique infrastructure that monitored the security behaviors of 249 participants over almost two years, we report on the extent to which people change their passwords after breaches. We also analyze the strength and quality of their new passwords. In particular, we examined the real-world passwords chosen by participants with accounts on one of nine breached domains. Our results show that users typically did not change their passwords after a breach, and when they did, the new and old passwords were similar enough that an attacker could easily guess the new password [4]. Additionally, users continued to use their old stolen passwords across other online accounts, making those accounts vulnerable as well. Our findings suggest that it is difficult to ensure users’ accounts are safe in the wake of breaches if users themselves are the ones responsible for changing their passwords; sites could instead, for example, require password resets and multi-factor authentication. These findings highlight the need for designing systems that keep users safe without putting the onus on them to take correct remedial action.
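As an added illustration that is not part of the article or the study's methodology, the following server-side password-change check rejects a new password that is only a small edit of the old one (the kind of similarity the abstract says makes new passwords guessable). The normalization rules, the substitution table and the 0.7 similarity cutoff are assumptions for demonstration, not the metric used in the paper.

```python
import string
from difflib import SequenceMatcher
from typing import Tuple

# Trailing digits/symbols are a common "tweak" (Summer2019! -> Summer2020!).
SUFFIX_CHARS = string.digits + string.punctuation
# Reverse a few common character substitutions (assumed list, not exhaustive).
UNLEET = str.maketrans("4301$@!", "aeolsai")
SIMILARITY_THRESHOLD = 0.7  # assumed cutoff; tune against your own data


def normalize(pw: str) -> str:
    """Canonical form: lowercase, drop trailing digits/symbols, undo leetspeak."""
    core = pw.lower().rstrip(SUFFIX_CHARS)
    # An all-digit or all-symbol password would strip to "", so keep it whole.
    return (core or pw.lower()).translate(UNLEET)


def similarity(old: str, new: str) -> float:
    """Character-level similarity in [0, 1] (difflib ratio, case-insensitive)."""
    return SequenceMatcher(None, old.lower(), new.lower()).ratio()


def is_derived(old: str, new: str) -> bool:
    """True if `new` looks like a small edit of `old`."""
    if normalize(old) == normalize(new):
        return True
    return similarity(old, new) >= SIMILARITY_THRESHOLD


def check_password_change(old: str, new: str) -> Tuple[bool, str]:
    """Policy hook for a password-change endpoint.

    Both values are available only in memory at change time: the old one is
    supplied by the user, never read back from the (hashed) credential store.
    """
    if old == new:
        return False, "new password must differ from the old one"
    if is_derived(old, new):
        return False, "new password is too similar to the old one"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample pairs, not data from the study.
    for old, new in [("Summer2019!", "Summer2020!"),
                     ("password", "P@ssw0rd1"),
                     ("Tr0ub4dor&3", "correct horse battery staple")]:
        print(old, "->", new, check_password_change(old, new))
```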
Last updated February 8, 2023
Authors:
Sruti Bhagavatula recently completed her PhD from Carnegie Mellon University and is currently an Assistant Professor of Instruction at Northwestern University. Her research focuses on the dissemination of security and privacy information online and measuring security behavior. She received her MS from Carnegie Mellon University and her BS from the University of Illinois Chicago.
Lujo Bauer is a Professor of Electrical and Computer Engineering, and of Computer Science, at Carnegie Mellon University. He is also affiliated with CyLab, Carnegie Mellon's computer security and privacy institute. His research examines many aspects of computer security and privacy, and has recently focused on developing tools and guidance to help users stay safer online and on studying how advances in machine learning can (or might not) lead to a more secure future. He served as the program chair for the flagship computer security conferences of the IEEE (S&P 2015) and the Internet Society (NDSS 2014) and, with colleagues, received the IEEE Cybersecurity Award for Practice in 2018.
Apu Kapadia is a Professor of Computer Science at the Luddy School of Informatics, Computing, and Engineering, Indiana University Bloomington. His recent research has focused on the human and technical dimensions of computer security and privacy. Grounded in an understanding of people's needs and behaviors, he hopes to build systems that are more usably secure. For his research, he has received several NSF grants, including an NSF CAREER award in 2013, and two Google Research Awards in 2014 and 2020. He was also a recipient of the Dr. James E. Mumford Excellence in Extraordinary Teaching Award in 2021, and the Distinguished Alumni Educator Award from the Department of Computer Science at the University of Illinois at Urbana-Champaign in 2015.