A new study was published by researchers from the Carnegie Mellon University's Security and Privacy Institute and was presented at the 2020 IEEE Workshop on Technology and Consumer Protection.
The study has grim news for IT Security Professionals.
The key finding in the report is that only about one third of users will change their passwords after a company announces a data breach. This information was based not on survey responses, but on browser histories collected from the 249 participants who volunteered to open up their browser history for the purpose of the research.
The browser history data was collected between January 2017 and December 2018 and included both a complete map of all of the websites each participant visited during that time, and the passwords used by each user to access sites that required a login.
Over the course of the study, only 63 participants had accounts on breached domains during the data collection period, and of those, only 21 (33 percent) changed their passwords. Worse, 6 of the 21 took longer than 3 months to do so.
If that wasn't disheartening enough, most of the changed passwords were highly similar to the old password used. They were similar enough that simple brute-force techniques would be successful in giving a hacker access to the accounts in question, even after the password change.
It should be noted that this study was quite small in scale and limited in scope, so additional studies should be conducted to see if the trend holds up over time. However, it does provide a valuable, and worrisome data point that should give IT Professionals pause.
Education is the best way to combat this, but few companies spend the time and resources necessary to truly impart the seriousness of the consequences of a data breach. In addition, the message simply isn't getting through. That's unfortunate, and it could have tragic consequences, both at the personal and Enterprise level.