"Users Rarely Change Passwords after a Breach – or They Choose a Weaker Password"
A recent study conducted by Carnegie Mellon University's CyLab finds that users rarely change their passwords for accounts on breached domains. According to one researcher, only 13 percent of users changed their passwords within the first three months of a breach announcement. The study also found that those who do change their passwords after a breach often choose weaker passwords. These findings raise significant concern as data breaches faced by companies grow more pervasive and frequent. The findings come from observing the security practices of more than 200 participants, whose behaviors were examined during periods in which major breaches occurred. The researchers call on companies to take a more direct approach to encouraging customers to change their passwords after a breach. This article continues to discuss key findings from the CMU study on password changes by users affected by breaches.