Password Changing After a Breach

This study shows that most people don’t change their passwords after a breach, and when they do, the new password is usually no stronger than the old one and often more similar to their other passwords.

Abstract: To protect against misuse of passwords compromised in a breach, consumers should promptly change affected passwords and any similar passwords on other accounts. Ideally, affected companies should strongly encourage this behavior and have mechanisms in place to mitigate harm. In order to make recommendations to companies about how to help their users perform these and other security-enhancing actions after breaches, we must first have some understanding of the current effectiveness of companies’ post-breach practices. To study the effectiveness of password-related breach notifications and practices enforced after a breach, we examine—based on real-world password data from 249 participants—whether and how constructively participants changed their passwords after a breach announcement.

Of the 249 participants, 63 had accounts on breached domains; only 33% of the 63 changed their passwords and only 13% (of 63) did so within three months of the announcement. New passwords were on average 1.3× stronger than old passwords (when comparing log10-transformed strength), though most were weaker or of equal strength. Concerningly, new passwords were overall more similar to participants’ other passwords, and participants rarely changed passwords on other sites even when these were the same or similar to their password on the breached domain. Our results highlight the need for more rigorous password-changing requirements following a breach and more effective breach notifications that deliver comprehensive advice.
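The abstract’s last finding suggests a concrete post-breach check: look not only at the account on the breached domain but at every other account whose password is identical to, or a near variant of, the breached one. The following is an added example (mine, not the paper’s code) that runs that check over a constructed password-manager export; the similarity measure (difflib’s SequenceMatcher ratio with a 0.8 threshold) and the letters-only “core” heuristic are my choices, not the metric used in the study, and all credentials shown are invented.

```python
"""Post-breach audit: which other accounts share, or nearly share, the breached password?"""
import difflib
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    site: str
    username: str
    password: str


# Constructed sample vault export; none of these are real credentials.
SAMPLE_VAULT = [
    Entry("breached.example", "alice", "Summer2019!"),
    Entry("bank.example", "alice", "x7#Tq9!vLm2@pR"),          # unrelated, random
    Entry("shop.example", "alice@example.net", "Summer2019!"),  # identical reuse
    Entry("forum.example", "alice", "Summer2019!forum"),        # breached password plus a site suffix
    Entry("mail.example", "alice", "summer2019"),              # same core, case and symbol dropped
    Entry("news.example", "alice", "correct-horse-battery-staple"),
]


def core(pw: str) -> str:
    """Lower-case letters only, so 'Summer2019!' and 'summer2019' share a core (assumed heuristic)."""
    return "".join(ch for ch in pw.lower() if ch.isalpha())


def similarity(a: str, b: str) -> float:
    """0.0..1.0 via difflib; 1.0 means identical. An assumption, not the paper's metric."""
    return difflib.SequenceMatcher(None, a, b).ratio()


def audit(vault, breached_site, threshold=0.8):
    """Return (site, username, reason) for every credential that should be rotated."""
    findings = []
    for b in (e for e in vault if e.site == breached_site):
        findings.append((b.site, b.username, "on breached domain"))
        for e in vault:
            if e.site == breached_site:
                continue
            if e.password == b.password:
                reason = "identical password"
            elif core(e.password) and core(e.password) == core(b.password):
                reason = "same core, case/digits/symbols differ"
            elif similarity(e.password, b.password) >= threshold:
                reason = f"similar (ratio {similarity(e.password, b.password):.2f})"
            else:
                continue
            findings.append((e.site, e.username, reason))
    return findings


if __name__ == "__main__":
    for site, user, reason in audit(SAMPLE_VAULT, "breached.example"):
        print(f"{site:20} {user:20} {reason}")
```

Run against the sample vault it flags the breached account, the shop account (identical), the mail account (same core) and the forum account (suffix appended), and leaves the bank and news accounts alone. The threshold is deliberately loose; a variant that only appends the site name, the pattern the paper warns about, still scores above 0.8.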

News article.

EDITED TO ADD (6/2): Another news article. Slashdot thread.

EDITED TO ADD (7/1): This entry has been translated into Spanish.

Posted on June 1, 2020 at 6:08 AM • 21 Comments

Comments

Nick June 1, 2020 6:41 AM

This exemplifies the need to change to a system other than user-generated passwords. It seems to be in that category of article that essentially says “there’s a problem with humans. We need to change human nature!”. Any behavior that widespread isn’t going to be fixed by education, it requires an engineering control.

John B June 1, 2020 6:58 AM

There is often a disconnect between how important the provider regards themselves and how important the customer regards them. I have layers of security for passwords:

Savings – all different

A few important sites: Same but I’d change all if one were breached

The hundreds of others with static rules: Password the same, but complicated. If it’s breached, I hate being forced to change, as I’ll never remember I’ve done so, so if my browser forgets, so will I, and I’ll probably create a new account with the company. I certainly won’t attempt to move hundreds of passwords forward.

The few that keep forcing password changes: A simple password in a series with a predictable pattern. I will generally look for alternative providers too.

And I write down most of the letters in the key passwords on paper, as an aide-memoire, and the mass of sites in a wiki on my home machine. Now this is less secure, but is so much easier to manage than unique passwords and key managers running on Linux, Windows, Android, iOS, and 4 flavours of browser.

Life’s too short to obsess over passwords, and if someone can hack my TripAdvisor account, I won’t lose sleep over it.

SJ June 1, 2020 7:02 AM

For every service I need to sign up, I create an email alias (not catch-all, but actual alias) like service.tld_2020.06.01@mydomain.tld

In addition I use usually pwgen -ync 40 to generate a password. In cases where no such password is allowed, I just adjust it to the max. options I have from the service.

Email and password then get saved to my password manager “pass” – a “simple” bash script that makes use of gpg and git to encrypt data and sync across multiple devices.

The reason I started with generating email aliases for every service is that it allows me to retrace who leaks my email address. In addition I need some random element, otherwise it would be too easy to guess on popular services.
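As an added example (my code, not SJ’s tooling), here is the same scheme in Python for a machine without pwgen: a per-service alias carrying the date plus a short random tag so the alias for a popular service cannot simply be guessed, and a password generator that, like pwgen -ync, guarantees at least one lower-case letter, capital, digit and symbol and can be narrowed to whatever character classes and length a service allows. The symbol set and the domain names are assumptions.

```python
"""Per-service email alias and random password generation (added example)."""
import math
import secrets
import string
from datetime import date

# Assumed symbol set; trim it to what a given site accepts.
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def make_alias(service_host, domain, when=None, random_tag=True):
    """Build 'service.tld_YYYY.MM.DD[_xxxx]@domain'; the 4-hex-digit tag is the random element."""
    when = when or date.today()
    local = f"{service_host}_{when:%Y.%m.%d}"
    if random_tag:
        local += "_" + secrets.token_hex(2)
    return f"{local}@{domain}"


def make_password(length=40, lower=True, upper=True, digits=True,
                  symbols=True, allowed_symbols=SYMBOLS):
    """CSPRNG password containing at least one character of every enabled class."""
    classes = []
    if lower:
        classes.append(string.ascii_lowercase)
    if upper:
        classes.append(string.ascii_uppercase)
    if digits:
        classes.append(string.digits)
    if symbols:
        classes.append(allowed_symbols)
    if not classes:
        raise ValueError("at least one character class must be enabled")
    if length < len(classes):
        raise ValueError("length too short to include every required class")
    alphabet = "".join(classes)
    while True:  # rejection sampling keeps the distribution uniform over acceptable strings
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in classes):
            return pw


def entropy_bits(length, alphabet_size):
    """Upper bound on entropy of a uniformly chosen string of this length and alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(make_alias("tripadvisor.com", "mydomain.tld"))
    print(make_password())
    print(f"{entropy_bits(40, 26 + 26 + 10 + len(SYMBOLS)):.1f} bits")
```

Forty characters over the 90-symbol alphabet above is roughly 260 bits before the class requirement, which rejects a negligible fraction of candidates; a 12-character alphanumeric fallback for a restrictive site is about 71 bits.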

Marcos June 1, 2020 8:29 AM

So… The site just disclaimed that it’s unable to protect a password making my security efforts moot, and yet it expects me to put more effort into security there?

(Yeah, if it’s anything important, I will just generate a new password, but most people have to invent their own passwords, and more often than not it’s not anything important, so I won’t either. Besides, the more restrictions the site places on the password, the more likely that I’ll just stop using the site instead of generating a new password.)

Clive Robinson June 1, 2020 11:20 AM

@ ALL,

Be very cautious when you read a statement such as,

    “New passwords were on average 1.3× stronger than old passwords (when comparing log10-transformed strength), though most were weaker or of equal strength. “

The strength of passwords is actually very difficult to gauge, and easy to get wrong.

But also consider if you have a strong password by some measure how can you make it any stronger?

That is, you have a medium probability of keeping it at approximately the same strength and a slightly larger probability of making a weaker password if the process you use is random.

And random passwords are considered the “gold standard” irrespective of if the alphabet set is “individual characters” or “individual words”.

The thing is most humans “can not do random”, so if given a perfectly random character string or list of words they will do one of two things,

1, Change it to be more memorable by some process.

2, Write it down or record it by some computerized process.

Both of which are considered undesirable by those pushing security without thinking it through.

The other thing to consider is that humans might well set their password strength by what is important to them.

If they have several news accounts, blog accounts etc, they may well use weak and easy to remember passwords for those, whilst reserving stronger passwords for accounts they consider more important such as “social media” and “banking/finance”.

After looking at “password issues” for around a third of a century, the one thing that has become abundantly clear to me is that,

    All authentication systems fail to the weakest link and that is almost always directly or indirectly the human.

And that includes that perversion known as “bio-metrics” which should never ever be considered an authentication mechanism, because you can neither change nor revoke them.

MRX June 1, 2020 12:21 PM

I strongly believe that WebAuthn is the way to go for website authentication. This standard uses public-key crypto to authenticate, so the website/service provider has little responsibility over the Public Keys they get. An attacker does not benefit from them.

The Private Key is saved on people’s local devices or on dedicated, more trustworthy hardware solutions. Of course people are still responsible for their stuff, but the standard avoids service-specific secrets to minimise responsibility and obtrusiveness. And service providers cannot screw up with user secrets anymore.

MikeA June 1, 2020 1:24 PM

@Clive: Yes, “password strength” indicators are ludicrous. I have often seen them rate, e.g. passphrases as “less strong” than street addresses. And don’t get me started on systems that limit the length, or worse, accept longer passwords, but ignore all characters after something like the first 5.

But on to my real complaint: In the last few days I got a warning from one hosting provider that there was a concerted phishing attempt to harvest credentials. Normal stuff, except that at the same time my mailer started complaining about an expired certificate on their email host. Digging further, I found that although there was no message to me of impending expiration, there was an item in the “status”, which one has to look for, on their administration page. It was a warning of the impending expiration, dated after the cert expired. At least I got some useful info, their CA has changed its name, possibly because they were caught issuing forged certs a few years back…

So, when you get a notice of a breach, with a handy link to reset your password (which will of course want your old password), what do you do? “Do you feel lucky?”

Most sites seem to be working very hard to make themselves indistinguishable from miscreants.
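As an added illustration of MikeA’s point (my code, not his), the following checks every link in a breach notice against the domain you expect it to point at, which is the check to run before following any “reset your password” link; better still, type the site’s address yourself. The notice text is constructed, example.com is a placeholder, and the function knows nothing about the public-suffix list, so you supply the registrable domain you trust.

```python
"""Classify links in a breach notification against the expected domain (added example)."""
import re
from urllib.parse import urlparse

# Constructed sample notice; the lookalike hosts are invented for illustration.
SAMPLE_NOTICE = """\
Dear customer,
We detected unauthorised access to some accounts. Please reset your password now:
https://accounts.example.com/reset?token=abc123
Or use our secure portal: https://example.com.account-verify.net/login
Help: http://example.com/help
Questions? https://example-com.support/contact
"""

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def extract_links(text):
    """Return every http(s) URL in the order it appears."""
    return URL_RE.findall(text)


def hostname_is_under(host, expected_domain):
    """True only for the expected domain itself or a real subdomain of it (dot-bounded)."""
    host = host.lower().rstrip(".")
    expected = expected_domain.lower()
    return host == expected or host.endswith("." + expected)


def classify_links(text, expected_domain):
    """(url, host, verdict) per link: 'ok', 'plain-http' or 'off-domain'."""
    results = []
    for url in extract_links(text):
        parsed = urlparse(url)
        host = parsed.hostname or ""
        if not hostname_is_under(host, expected_domain):
            verdict = "off-domain"
        elif parsed.scheme.lower() != "https":
            verdict = "plain-http"
        else:
            verdict = "ok"
        results.append((url, host, verdict))
    return results


if __name__ == "__main__":
    for url, host, verdict in classify_links(SAMPLE_NOTICE, "example.com"):
        print(f"{verdict:10} {host:35} {url}")
```

The dot-bounded suffix test is what separates accounts.example.com (a subdomain) from example.com.account-verify.net (a different registrable domain with the expected name as a prefix) and evilexample.com; a bare string search would pass all three.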

SJ June 1, 2020 1:50 PM

I don’t think WebAuthn will be a success for the simple reason that you can’t make backups. So the goal of it is that 08:15 users don’t use the same easy password on every site. However, if they start using WebAuthn and if the token gets lost, stolen, damaged: then all those users can’t access anything anymore.

For me: If I can’t take a backup then that data is not worth a dime. So trusting in a token that I can’t backup seems pointless to me.

Humdee June 1, 2020 1:51 PM

@John B. “There is often a disconnect between how important the provider regards themselves and how important the customer regards them.”

Exactly. Which is why I pay no attention to password security research anymore. I do not care if someone hacks my reddit account or my gmail account. There is no PII on either account.

Much of what goes on with password security is an attempt to turn a website problem to a user problem. If the website gets hacked that is their problem, not mine. I’ll just create a new account and go about my business.

Rombobjörn June 1, 2020 2:44 PM

Do note that their dataset is biased.

I was wondering how the researchers got all that data on people’s passwords, so I had a look at the paper:

    To collect this information, participants’ home computers were instrumented with software that collects data via system-level processes and browser extensions. Specifically, the browser extensions were installed only in participants’ Google Chrome and Mozilla Firefox browsers, and recorded every entry into an HTML input field at the time of browser events such as clicks, key presses, form submissions, and page loads.

I for one would never allow anyone to do that to my computer.

    the participants enrolled in the SBO study may be biased towards less privacy- and security-aware people, given the nature of the SBO data collection infrastructure.

Yeah I bet.

Clive Robinson June 1, 2020 3:14 PM

@ MikeA,

    Most sites seem to be working very hard to make themselves indistinguishable from miscreants.

Yes, that does appear to be the trend these days, as well as actively serving up malware through advertising and similar.

I’m steadily coming to the conclusion that as an “information supplier” at a “leaf node” your opportunity to make money and not get tarnished by crooks is very very small and in reality falls to,

1, Charity.
2, Sponsorship.
3, Conventional sales.

That other “information based” earnings such as “advertising” are not even worth considering. Thus those intermediate sized information suppliers such as the old print magazines try to emulate the large information suppliers/controllers like Alphabet and Facebook etc by stealing information by any devious means possible from their patrons.

Whilst I’m unaware of intermediate information companies (with the exception of LinkedIn) stealing users’ passwords, we know that Facebook has been caught “analysing” passwords collected as “plaintext”.

Thus it’s safe to say that the sending of a password in any way that an organisation like Facebook can get in “plain text” is a very very bad idea. Especially when there have been ways known how to avoid this since before the beginning of this century.

Peter A. June 2, 2020 4:44 AM

@SJ: good practice

I also keep a separate domain for spammy emails, but I do use a catch-all, not individual aliases mostly (there are very few actual aliases, but the rest goes to catch-all). The reason is that I do not have to access my systems to add an alias when some{thing,body} randomly insists on having my email. I just invent something on the spot and add a record to my database later (if I remember at all). Of course, if I deliberately open an account with some service, I add a record to my database at the same time. I also take out some bytes out of /dev/random to serve as a password (base64’ed).

If one of these emails gets spammed I block it at the MTA, stop using the service and make a note in the database. The catch-all approach opens some window for spamming by randomly guessing userparts, but in practice it happens very rarely and the spam filter does a good job. I’ve also blocked commonly used userparts straight away.

The database I use is sqlcipher with a little private patch to disable command line history on startup and enable some useful stuff – otherwise it’d be insecure to use from the command line. The tool is mostly intended as a secure storage library for apps, not for direct use, and it is definitely not for average Joe, but I just like SQL 🙂 I keep there all the spammy emails I have used, urls/names for entities I had provided these emails, passwords for the accounts if any etc. I can make any number of backups easily, just copy the database file. I also do a plaintext export once in a while in a somewhat more secure environment, and store it offline, to protect against forgetting the passphrase (if I hit my head on something etc.)

I only keep relatively unimportant passwords in my database. The important passwords I just remember. Most of these are used to access institutions that have physical presence, so I can always ask for a reset in person if I forget a password (which had happened a few times). For those which are rather important but have no physical presence or are far away (foreign providers for example) I try to remember passwords but also keep recovery instructions written down on paper and stored semi-securely.

Wael June 3, 2020 1:37 AM

On some accounts, my password is really, really weak[1], but my username is hard to crack 🙂

[1] Is my password really, really weak, or “really, really weak”? What’s wrong with that?

Mike Ferguson June 3, 2020 3:51 PM

Facebook approached me and said someone from China had been trying to crack my account and I should change my password. My password had been 2 random numbers glued together. Uncrackable.

I changed it. Bad decision.

Trudi Fenster-Klotz June 3, 2020 10:37 PM

@Wael

    my password is

It’s not safe to mention your use of your password in public.

I am considering a kind of “plum pudding” [1] password system – pick a (very) long random string, then change according to a memorable system one character for each password needed. Calculate digests optional.

  1. https://en.m.wikipedia.org/wiki/Plum_pudding_model

Wael June 3, 2020 11:06 PM

@Trudi Fenster-Klotz,

    It’s not safe to mention your use of your password in public.

I live on the edge! Besides, my username is secret. I should be safe, right? 😉

ThaCrip June 4, 2020 12:51 AM

@Trudi

One could use something like Diceware (i.e. eff dot org/dice) along with some password padding, or even make an okay-ish password (like something not too easy to guess) and pad it. For example…

—–(1$)My.Okay.Password.Here(1$)—–

With that you’ve got at least one lower case letter, upper case letter, a symbol and a number.

@Wael

It’s still unwise to use a TOO easy to guess password, because while it’s nice that your username is not easy to guess, which will help, it would be unwise to rely solely on your sign-in name being obscure.

@Mike Ferguson

Using a password manager would be optimal (and to state the obvious… make backup copies of the password manager’s database file so if your computer crashes you can easily restore the password manager’s database file) as with a long password there which will be a bunch of random numbers/letters (upper and lower case)/symbols it should be pretty much uncrackable within a reasonable time frame. Relying strictly on numbers only I would think is unwise on any account you care about as it’s not as secure as something like Diceware (with say at least a six word password) and I would even add in a little padding. So for example… Word1.Word2_1@1_Word3.Word4.Word5.Word6; because it’s unlikely someone would guess a 6 word randomly chosen Diceware passphrase (which will be random if you’re using real dice, as rolling five dice at once gives you the first word in your passphrase by reading say left to right as the dice fall on the floor/table in front of you, and you simply convert that five digit number to a word using the eff_large_wordlist.txt from “eff dot org/dice”) on top of a little padding.
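An added example (my code, not ThaCrip’s or the EFF’s) of the dice-to-word step described above: parse a wordlist in the EFF file format (“rolls<TAB>word”), turn five dice read left to right into the lookup key, join the words and add padding. The eight-line wordlist is a constructed excerpt so the block runs offline; pass the text of the real eff_large_wordlist.txt to load_wordlist for actual use. The entropy figure depends only on the list size: six words from the real 7776-entry list is about 77.5 bits, while the excerpt here gives only 18.

```python
"""Diceware passphrase from dice rolls, EFF wordlist format (added example)."""
import math
import secrets

# Constructed excerpt in the EFF format; the real eff_large_wordlist.txt has 7776 lines.
SAMPLE_WORDLIST_TEXT = """\
11111\tabacus
11112\tabdomen
11113\tabdominal
11114\tabide
11115\tabiding
11116\tability
11121\tablaze
11122\table
"""
EFF_LARGE_LIST_SIZE = 7776  # 6**5 five-dice outcomes


def load_wordlist(text):
    """Map 'rolls' -> word from 'rolls<TAB>word' lines; blank lines are ignored."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, word = line.split()
        table[key] = word
    return table


def roll_to_key(rolls):
    """Five dice (each 1..6), read left to right, give the lookup key '11111'..'66666'."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five dice values in 1..6")
    return "".join(str(r) for r in rolls)


def passphrase_from_rolls(roll_sets, table, sep=".", pad_left="", pad_right=""):
    """Look up each set of five rolls and join the words; padding is ThaCrip's fixed affix idea."""
    words = []
    for rolls in roll_sets:
        key = roll_to_key(rolls)
        if key not in table:
            raise KeyError(f"roll {key} not in wordlist (excerpt too small?)")
        words.append(table[key])
    return pad_left + sep.join(words) + pad_right


def secure_rolls(n_words):
    """Without physical dice, secrets.randbelow gives unbiased CSPRNG rolls."""
    return [[secrets.randbelow(6) + 1 for _ in range(5)] for _ in range(n_words)]


def entropy_bits(n_words, list_size):
    """Entropy of n words chosen uniformly from a list of list_size entries."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    table = load_wordlist(SAMPLE_WORDLIST_TEXT)
    print(passphrase_from_rolls([[1, 1, 1, 1, 1], [1, 1, 1, 2, 2]], table,
                                pad_left="-----(1$)", pad_right="(1$)-----"))
    print(f"6 words from the full list: {entropy_bits(6, EFF_LARGE_LIST_SIZE):.1f} bits")
```

Padding with a fixed affix adds length and satisfies composition rules but no entropy if the attacker knows the pattern; the security comes from the word count times log2 of the list size, so count words, not characters.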

Wael June 4, 2020 1:31 AM

@ThaCrip,

    It’s still unwise to use a TOO easy to guess password […] it would be unwise to rely solely on your sign-in name being obscure.

First of all, it’s more than too easy to guess[1]: it’s effectively public. Secondly (of all) I’m being sarcastic and throwing a bait for someone to bite. I’m asking: why is it unwise to reverse the roles of a username and a password? Now that you have bitten, elaborate!

[1] Obviously (or obviously not) my proposal is hypothetical, with some “humor”

myliit June 4, 2020 6:56 AM

My guess is that the following quote is crap. Maybe someone is trying to kill off SoS participants. What exactly would covid-19 be breeding on?

“Rubber/latex gloves don’t help shoppers protect against covid, being porous and turning into breeding grounds for …”

Probably crap or references please.

Of course, gloves in general, may be a good idea.

Trudi Fenster-Klotz June 4, 2020 8:20 AM

@Wael

    on the edge

It’s also not safe to mention or use your user name in public, even if it is ‘hard to crack’, or ‘secret’, because then it won’t be hard to crack, or secret.

[1] W.V. Quine (1940) Mathematical Logic, §4 Use versus mention, pp. 23–5
