Survey result that 'most people do not change password even if account information leaks'



'Even in the event of a data breach, only one-third of the users change their passwords,' said a research team at Carnegie Mellon's Institute for Security and Privacy.

(How) Do People Change Their Passwords After a Breach?
(PDF file) https://www.ieee-security.org/TC/SPW2020/ConPro/papers/bhagavatula-conpro20.pdf



Data breach victims aren't changing their passwords | TechRadar
https://www.techradar.com/news/data-breach-victims-arent-changing-their-passwords

The research team at Carnegie Mellon University conducted a study of when people change their passwords, based on browser traffic. The data came from the university's 'Security Behavior Observatory', a volunteer group whose members agree to share their browser usage history and similar data to support academic research. From January 2017 to December 2018, the team collected login information, including the passwords used to log in to specific websites and the passwords stored in the browser, from the PCs of 249 participants.

Analyzing this data, the team found that 63 of the 249 users had accounts on domains where a data breach had been announced. Of these 63, only 21 (33%) changed their passwords after the breach. In other words, about two-thirds of the 63 'did not change their password even after the breach'. Moreover, of the 21 people who did change their passwords, only 15 did so within three months of the breach being announced.



The research team also investigated the strength of the new passwords. The more complex a password is, the more resistant it is to brute-force attacks, which try every combination of characters, so a complex password can be considered strong and hard to crack. In this survey, however, only about one-third of the users who changed their password chose a stronger one than before. The rest mostly reused the previous password string or chose passwords similar to ones they used on other services.
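The two findings above, that most new passwords were near-copies of the old one and that few were stronger, are the kind of thing a password-change policy can check for on the server. The following is an added example, not code from the paper or from GIGAZINE: it classifies an old/new pair as "similar" (by case-insensitive edit distance) or, if sufficiently different, as "stronger" or "not stronger" by a crude search-space estimate. The sample pairs and the 0.7 similarity threshold are constructed assumptions; the paper's own strength and similarity metrics are not reproduced here.

```python
import math
import string

# Constructed sample old -> new password changes (not data from the study).
SAMPLE_CHANGES = [
    ("Summer2017", "Summer2018"),      # digit bump: trivial variant
    ("Summer2017", "summer2017!"),     # case change plus one symbol
    ("Summer2017", "Tq9#vL2$wPz8mR"),  # unrelated, longer, more classes
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def similarity(old: str, new: str) -> float:
    """1.0 = identical, 0.0 = nothing in common; compared case-insensitively
    so that 'Summer2017' -> 'summer2017' counts as the same password."""
    o, n = old.lower(), new.lower()
    return 1.0 - edit_distance(o, n) / max(len(o), len(n), 1)

def brute_force_bits(pw: str) -> float:
    """Rough upper bound on the search space: log2(pool ** len).
    Overestimates for dictionary words; good enough to compare two changes."""
    pool = 0
    if any(c.islower() for c in pw): pool += 26
    if any(c.isupper() for c in pw): pool += 26
    if any(c.isdigit() for c in pw): pool += 10
    if any(c in string.punctuation for c in pw): pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0

def classify_change(old: str, new: str, threshold: float = 0.7) -> str:
    """'similar' if the new password is a near-copy; otherwise compare strength."""
    if similarity(old, new) >= threshold:
        return "similar"
    return "stronger" if brute_force_bits(new) > brute_force_bits(old) else "not stronger"

def summarize(changes=SAMPLE_CHANGES) -> dict:
    """Count outcomes over a list of (old, new) pairs, as a policy report would."""
    counts = {"similar": 0, "stronger": 0, "not stronger": 0}
    for old, new in changes:
        counts[classify_change(old, new)] += 1
    return counts
```

A real policy would additionally reject the new password if it appears in a known-breached list, which is a separate check from similarity to the old one.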

TechRadar Pro, which reported this news, recommends using 'Have I Been Pwned?' to check whether your account information has been leaked.

'Have I Been Pwned?' lets you check whether your email address or ID appeared on a past leak list - GIGAZINE



in Security, Posted by darkhorse_log