Just one in three people changed their passwords following the notice of a data breach, according to new research from Carnegie Mellon University.
Of the people who took action and changed their password, most changed them to weaker or equally strong passwords, and only 13% took action within three months.
Participants in the study averaged 30 passwords similar to the password on the breached domain. On average, people only replaced four of those 30 passwords within a month after changing their password from the breached website.
Researchers concluded that breached companies need to do more to encourage password changes, advocating for more regulatory requirements.
“Regulators should also require that companies force password resets after a breach and provide actionable instructions on how to create ‘strong’ passwords,” the paper stated.
If breached passwords overlap with other accounts, they expose individuals to credential stuffing cyber attacks.
Password managers, including those built into the Google Chrome, Microsoft Edge, and Mozilla Firefox browsers, help, but the study says more needs to be done.
A password manager is essentially an encrypted digital vault that stores your login information for apps, websites, and other services, according to CNET.
Password managers can also generate strong, unique passwords, which goes a long way toward ensuring that if one website is hacked, the stolen password cannot be reused to log in elsewhere through credential stuffing.
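The two findings above, that people replace a breached password with one that is similar or no stronger, and that a password manager's randomly generated replacement avoids both problems, can be turned into a simple password-change check. The following Python is an added illustration written for this page; it is not code from the Carnegie Mellon study or from any password manager. The sample passwords, the similarity threshold of 0.6, and the character-pool entropy heuristic are all assumptions made for the example.

```python
"""Illustrative password-change validator and generator (example code, not the study's)."""
from __future__ import annotations

import math
import secrets
import string
from difflib import SequenceMatcher

# Character pool a password manager typically draws from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Return a random password drawn from a CSPRNG, as a password manager would."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def estimate_entropy_bits(password: str) -> float:
    """Crude strength estimate: length * log2(size of the character classes used).

    This heuristic overestimates dictionary-based passwords such as "Summer2019!",
    so a real validator should also reject candidates found in breached-password lists.
    """
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def similarity(old: str, new: str) -> float:
    """Case-insensitive similarity in [0, 1]; 1.0 means identical."""
    return SequenceMatcher(None, old.lower(), new.lower()).ratio()


def evaluate_change(old: str, new: str, max_similarity: float = 0.6) -> list[str]:
    """Return the reasons a proposed replacement should be rejected (empty list = accept).

    "too_similar": the new password is a small edit of the old one (the reuse pattern
    the study observed). "not_stronger": the new password is weaker or equally strong.
    """
    reasons = []
    if similarity(old, new) > max_similarity:
        reasons.append("too_similar")
    if estimate_entropy_bits(new) <= estimate_entropy_bits(old):
        reasons.append("not_stronger")
    return reasons


if __name__ == "__main__":
    # Constructed sample: a year-bump change like those seen in the study, then a
    # manager-generated replacement for the same account.
    old = "Summer2019!"
    print("Summer2020! ->", evaluate_change(old, "Summer2020!"))
    fresh = generate_password()
    print(fresh, "->", evaluate_change(old, fresh))
```

The year-bump replacement is rejected on both counts, while the generated 20-character password passes because it shares almost nothing with the old one and its estimated strength is far higher. Rejecting only on `not_stronger` would still let through "Summer2020!", which is why the similarity check matters.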
Reviews of the numerous password managers available are just an internet search away from websites, including CNET, Consumer Reports, PCMag, and WIRED.
The Carnegie Mellon researchers followed the security practices of 249 individuals, focusing on nine data breaches, to determine how consumers tend to respond to news of a compromised account. One of the breaches studied was the massive Yahoo hack that compromised three billion accounts.