After big security breaches, users rarely change their passwords, which is a big mistake, a new study says.
The research from Carnegie Mellon University’s CyLab found that only one in three people who had accounts on breached websites changed their passwords. And only 13 percent of people with accounts on these websites changed their password within three months of the breach announcement.
That’s surprising, says the study, especially in the wake of a steady stream of news of major businesses and websites getting hacked and sensitive user information getting pilfered.
“Many may find these findings alarming, given the ubiquity and growing number of corporate data breaches in recent years,” wrote Carnegie Mellon’s Daniel Tkacik in a blog post about the study.
Major incidents include “Collection #1,” a compilation of credentials from many earlier breaches that surfaced in January 2019 and contained more than 770 million unique email addresses and about 21 million unique passwords.
In April 2019, third-party Facebook app datasets were exposed. One database had more than 540 million records with account names, Facebook IDs and other personal data.
In May 2019, a data leak at First American Financial, the largest real estate title insurance company in the U.S., exposed roughly 885 million document records containing mortgage and other real estate transaction data, some dating back to 2003.
This and the many other data breaches that don’t make it into the news mean the chances that your personal data has been stolen are very high, Tkacik said.
So what should consumers do?
One of the most effective ways to keep your accounts safe is to never reuse passwords, Lujo Bauer, CyLab faculty member and professor in the Electrical and Computer Engineering department at Carnegie Mellon and an author on the study, told Fox News.
“Reusing the same or a slightly changed password across accounts is a huge source of risk,” Bauer said via email.
“If — really, when — one site gets breached and the passwords used on that site are stolen, attackers can — and do — try using the stolen passwords to log on to other sites as well. Supposedly this is how Mark Zuckerberg’s Twitter and Pinterest accounts were hacked,” he added.
The upshot: use a different password for every account, not the same one and not a variation of it.
“Of course, it’s next to impossible to remember as many different passwords as we have accounts, so many of us use password managers, which make it easy to ‘remember’ a different password for each account,” Bauer said. “On top of that, password managers typically offer to create strong passwords for you, so you don’t even have to worry about whether your password might be easily guessed by an attacker.”
Gerald Beuchelt, Chief Information Security Officer of LogMeIn, a remote connectivity software company, agrees.
“Some of the most common ways people are leaving themselves vulnerable online are using weak, easy-to-crack passwords, and then re-using those same passwords on their other online accounts,” Beuchelt told Fox News.
“Taking just a few simple steps to improve your password behavior can lead to a significant increase in your online security,” he said.
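Bauer’s and Beuchelt’s point, that both exact reuse and “slightly changed” variants of one password across accounts are dangerous, is something a user can check mechanically against an export of their own password vault. The script below is an added example written for this article; it is not code from the CMU study, from LogMeIn or from any password manager. The vault, its account names and its passwords are constructed for illustration, and the near-duplicate heuristic (case folding, trailing digits and punctuation stripped, then an edit distance of at most 2) is an assumption of this example, not a published standard. It flags exact reuse, flags near-variants, and generates a fresh random password for every flagged account the way a password manager’s generator would.

```python
"""Find reused and near-reused passwords in a vault export and replace them.

All credentials below are constructed for this example; none are real.
"""
import secrets
import string
from typing import Dict, List, Tuple

# Constructed sample vault export: account name -> password (made up).
SAMPLE_VAULT: Dict[str, str] = {
    "email": "Tr0ub4dor&3",
    "bank": "Tr0ub4dor&3",        # exact reuse of the email password
    "shopping": "Tr0ub4dor&4",    # "slightly changed" variant
    "social": "Summer2019!",
    "forum": "summer2019!!",      # case and suffix variant
    "work-vpn": "kX9#vL2mQ8@pR4zN",  # unique, generator-style password
}

# Heuristic parameters (assumptions of this example).
MAX_EDIT_DISTANCE = 2
GENERATED_LENGTH = 20
GENERATOR_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def _normalize(pw: str) -> str:
    """Lower-case and strip trailing digits/punctuation, the usual 'tweaks'
    people apply when forced to rotate: Summer2019! -> summer, Pass1 -> pass."""
    return pw.lower().rstrip(string.digits + string.punctuation)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def is_near_duplicate(p1: str, p2: str) -> bool:
    """True when p2 is p1 with only a case change, a different trailing
    digit/symbol run, or at most MAX_EDIT_DISTANCE edits."""
    if p1 == p2:
        return True
    n1, n2 = _normalize(p1), _normalize(p2)
    # All-digit or all-symbol passwords normalize to "", so fall back to
    # edit distance rather than treating every such pair as a variant.
    if n1 and n1 == n2:
        return True
    return levenshtein(p1.lower(), p2.lower()) <= MAX_EDIT_DISTANCE


def find_reuse(vault: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (account_a, account_b, kind) for every reused pair, where kind
    is 'exact' or 'variant'. Accounts are compared in sorted order."""
    accounts = sorted(vault)
    findings = []
    for i, a in enumerate(accounts):
        for b in accounts[i + 1:]:
            pa, pb = vault[a], vault[b]
            if pa == pb:
                findings.append((a, b, "exact"))
            elif is_near_duplicate(pa, pb):
                findings.append((a, b, "variant"))
    return findings


def generate_password(length: int = GENERATED_LENGTH) -> str:
    """Random password from a CSPRNG, as a password manager would generate."""
    return "".join(secrets.choice(GENERATOR_ALPHABET) for _ in range(length))


def remediate(vault: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the vault in which every account involved in a
    reuse finding gets a fresh unique password; untouched accounts keep theirs."""
    flagged = {acct for a, b, _ in find_reuse(vault) for acct in (a, b)}
    fixed = dict(vault)
    for acct in sorted(flagged):
        fixed[acct] = generate_password()
    return fixed


if __name__ == "__main__":
    for a, b, kind in find_reuse(SAMPLE_VAULT):
        print(f"{kind:>7}: {a} <-> {b}")
    cleaned = remediate(SAMPLE_VAULT)
    print("remaining findings after remediation:", find_reuse(cleaned))
```

Run against a real export, the two useful outputs are the list of account pairs sharing a password (those are the accounts a credential-stuffing attacker reaches from one breach) and the fact that the remediated vault yields no findings at all. The heuristic errs on the side of flagging: a pair of unrelated short passwords within two edits of each other will be reported, which is the right failure direction for this check.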