This archive report was first published on 8 July 2020.
July 8, 2020, was a day when a study from Carnegie Mellon University in the US shed light on a worrying trend: many people are slow to change their passwords after a breach.
According to the study, entitled (How) Do People Change Their Passwords After a Breach?, a significant number of participants reported intentions to change passwords after being notified that their passwords were compromised or reused.
However, the study found that even for those who did change their passwords, most took more than three months to do so, and many replaced their old passwords with weaker ones.
Moreover, the researchers claim that those who did change passwords tended to pick replacements that were more similar than before to all their other passwords.
This suggests that humans are not good at randomness – and not very good at reacting to data breach advice either.
So, what can you do to stay safe?
Firstly, if there's a valid reason to change one of your passwords, do it right away. This will keep you ahead of the crooks.
Secondly, avoid taking shortcuts by choosing quality passwords. Crooks will spot any tricks or patterns you use in order to make your passwords different yet similar enough to remember easily.
Thirdly, remember that you are not invincible. The crooks probably won’t crack your password if it's complex, but why take the risk that they might?
Lastly, don't use 2FA as an excuse to choose a trivial password or to use the same one everywhere – it's meant to be a second factor, not just a different sort of single factor.
Paul Ducklin, Principal Research Scientist at Sophos, emphasizes the importance of taking these precautions seriously.