Large-scale password breaches are a common occurrence. To protect their users’ accounts and data after these breaches, companies often attempt to convince their users to change their passwords on the affected sites. In this article, through our unique infrastructure that monitored the security behaviors of 249 participants over almost two years, we report on the extent to which people change their passwords after breaches. We also analyze the strength and quality of their new passwords. In particular, we examined the real-world passwords chosen by participants with accounts on one of nine breached domains. Our results show that users typically did not change their passwords after a breach, and when they did, the new and old passwords were similar enough that an attacker could easily guess the new password from the old one [4]. Additionally, users continued to use their old stolen passwords across other online accounts, making those accounts vulnerable as well. Our findings suggest that it is difficult to ensure users’ accounts are safe in the wake of breaches if users themselves are the ones responsible for changing their passwords. Instead, sites could, for example, require password resets and multi-factor authentication. These findings highlight the need for designing systems that keep users safe without putting the onus on them to take correct remedial action.