After the breach: Change your password, quickly
Introduction
When you hear the news that a company of which you’re a customer has suffered a data breach, your first thought is likely to be whether your personal information is in the hands of hackers. The breach story will often give you an insight into what data wasn’t or was compromised, with online account passwords being one of the usual suspects. The next legitimate question to come to mind: Should I change my password?
If you think your online account has any value, then changing your password is the right first step. Why? Because there’s a chance that bad actors have taken over your account and are posing as the legitimate owner — draining funds, accessing sensitive personal data, and even creating a new account. Plus, if you reuse the password of your compromised account for another account with another company, adversaries can use basic social engineering to hack both of your accounts. As such, it makes good sense to change your password, and you’d likely receive a data breach notification from the company.
Phishing simulations & training
But are these notifications effective at getting people to take changing a password seriously?
Password-related data breach notifications and their impact
Many companies that have been a victim of a data breach (eBay and Sony, for example) have this policy of issuing breach-related notifications to their customers. These announcements often highlight the cause of the breach and advice users to change their passwords following an adverse event. But these messages aren’t as effective at inspiring password change as the companies issuing them think.
In a study presented at the IEEE 2020 Workshop on Technology and Consumer Protection, researchers from Carnegie Mellon University found that only one-third of people change their passwords following a data breach announcement. Interestingly, the finding isn’t based on survey data collected from participants, but on browser histories willingly shared for the research.
Researchers tracked and analyzed the online activities of 249 people who signed up with Carnegie Mellon’s SBO (Security Behavior Observatory) unit to share their browser history. Some of the volunteers were victims of data breaches that occurred between January 2017 and December 2018 (including breaches impacting Yahoo and Deloitte). The research team used the data to investigate not only web traffic but also passwords stored inside the browsers and used to log into websites.
Based on their analysis, the researchers revealed that 63 of the 249 voluntary participants were affected by the breach. But what’s disheartening is the finding that only 21 (33 percent) of the victims changed their password after the data breach announcement. Worse, most of the new passwords were similar to the ones these victims had on other accounts. They were so similar that a simple brute-force attack would provide hackers with access to those accounts.
What’s more, 6 of 21 people who changed their password after a breach took longer than three months to do so. Plus, only 9 of the 21 victims successfully created a stronger password, based on their password’s log10-transformed strength. The rest came up with passwords of similar or weaker strength, usually by using character sequences that were similar to other passwords stored in their browser.
Overall, the outcomes indicate that password breach notifications are failing at causing people to take appropriate action.
From a preventive standpoint, researchers conclude that companies issuing breach notifications detail the risks of password reuse, offer actionable instructions on how to create strong passwords, and strongly recommend users that they change their passwords beyond the breached account. They also say that regulators could encourage companies to use alternative methods of authentication, such as 2FA (two-factor authentication. Lastly, companies can be made to send repeat notifications until they get word that the message has been understood and users have implemented the advice.
Conclusion: Stay ahead of adversaries by changing your passwords regularly
While it’s a good idea to change your password quickly after a breach, you can make life difficult for hackers by making regular password changes. Taking this step ensures that even if someone manages to get hold of your online account credentials, they won’t be able to leverage them forever. How often should you change your password depends on how critical your online accounts are.
Passwords for accounts linked with sensitive data like your social security code should be updated more often than others. We recommend that you should change these account passwords every 90 days. Passwords for less important accounts can wait a little longer, but you should still change them every 180 days. However, these timelines apply if you’re using a password manager that automatically creates hard-to-crack passwords. If you’re relying on yourself to choose a strong password, passwords may need to be changed more frequently.
Additionally, we suggest using two-factor authentication for your most important accounts, like email and online banking. This adds an additional layer of security by requesting a second verification that you are the legitimate owner of an account. With 2FA activated, the company with which you have an account will send you a code on your email or phone to verify your identity. Therefore, even if a hacker manages to get hold of your password, they won’t be able to log into your account unless they have one of your devices.
By implementing these practices and educating yourself the dangers of reusing passwords and weak passwords, you’ll go a long way toward safeguarding your personal information.
Phishing simulations & training
Sources
- Sruti Bhagavatula, Lujo Bauer, Apu Kapadia, "(How) Do People Change Their Passwords After a Breach?"
- Why changing passwords isn't the answer to a data breach, Information Age
- 5 common password mistakes you should avoid, WeLiveSecurity
In this Series
- After the breach: Change your password, quickly
- Tax scam season: How to protect your data from common scams in 2024
- Security awareness for kids: Tips for safe internet use
- Celebrate Data Privacy Week: Free privacy and security awareness resources
- Consumer data, who owns it and who protects it?
- Human error is responsible for 74% of data breaches
- What is a social engineering attack?
- Biggest cybersecurity mistakes by large organizations
- 4 common social media scams (and how to avoid them)
- From theory to practice: Designing a successful security awareness training program
- Understanding cyberattacks: Types, risks and prevention strategies
- Securing digital frontiers: The importance of information and IT security awareness training
- Optimizing your corporate security awareness training: Strategies and techniques
- What is security awareness: Definition, history and types
- Top 10 security awareness training topics for your employees in 2023 and beyond
- AI best practices: How to securely use tools like ChatGPT
- Connecting a malicious thumb drive: An undetectable cyberattack
- 5 ways to prevent APT ransomware attacks
- 4 mistakes every higher ed IT leader should avoid when building a cybersecurity awareness program
- ISO 27001 security awareness training: How to achieve compliance
- Run your security awareness program like a marketer with these campaign kits
- Deepfake phishing: Can you trust that call from the CEO?
- Fake shopping stores: A real and dangerous threat
- 10 best security awareness training vendors in 2022
- How to hack two-factor authentication: Which type is most secure?
- Malicious push notifications: Is that a real or fake Windows Defender update?
- Free Cybersecurity and Infrastructure Security Agency (CISA) ransomware resources to help reduce your risk
- How IIE moved mountains to build a culture of cybersecurity
- At Johnson County Government, success starts with engaging employees
- How to transform compliance training into a catalyst for behavior change
- Specialty Steel Works turns cyber skills into life skills
- The other sextortion: Data breach extortion and how to spot it
- Texas HB 3834: Security awareness training requirements for state employees
- SOCs spend nearly a quarter of their time on email security
- Security awareness manager: Is it the career for you?
- Risks of preinstalled smartphone malware in a BYOD environment
- The ROI of security awareness training
- 5 reasons to implement a self-doxxing program at your organization
- What is a security champion? Definition, necessity and employee empowerment [Updated 2021]
- Excel 4.0 malicious macro exploits: What you need to know
- Worst passwords of the decade: A historical analysis
- ID for Facebook, Twitter and other sites? Not so fast, says security expert
- 3 surprising ways your password could be hacked
- Fake online shopping websites: 6 ways to identify a fraudulent shopping website
- All about carding (for noobs only) [updated 2021]
- Password security: Complexity vs. length [updated 2021]
- What senior citizens need to know about security awareness
- 55 federal and state regulations that require employee security awareness and training
- Brand impersonation attacks targeting SMB organizations
- How to avoid getting locked out of your own account with multi-factor authentication
- Breached passwords: The most frequently used and compromised passwords of the year
We’ll customize our demo to your
- Security awareness goals
- Existing security and employee training tools
- Industry and compliance requirements
Security awareness
Tax scam season: How to protect your data from common scams in 2024
Security awareness
Security awareness
Celebrate Data Privacy Week: Free privacy and security awareness resources
Security awareness