
Does anyone know of any study or any data whatsoever which might indicate how many users actually change their passwords after they have been notified that their credentials appeared in a breach?

john doe
  • Can we assume that you mean web services and not corporate accounts? – schroeder Nov 22 '19 at 19:48
  • Have you looked this up? I'm finding hits ... https://www.zdnet.com/article/google-youre-sticking-with-passwords-that-have-already-been-hacked/ – schroeder Nov 22 '19 at 19:49
  • That Google study is only if a user attempts to use a previously compromised password, not whether or not they changed it after they had been notified that their personal account credentials were compromised. Yes, this is all in reference to web services. – john doe Nov 22 '19 at 19:53
  • I'm not sure how you are concluding that. The Google paper is about changes after being notified, as tracked by their extension. – schroeder Nov 22 '19 at 20:27
  • I'd hope that it would be a best practice for the provider to force users to pick a different password - to actually compare old and new and require that the new password be different, as a one-time assurance activity (at which point the answer to your question would be a cheery "100%!" ;) But I can see why some orgs might choose otherwise, though. – Royce Williams Nov 22 '19 at 21:48
  • The best thing an organisation could do is to generate new passwords for all compromised accounts and instruct their users/clients to use the "I forgot my password" mechanism. – Jeroen Nov 22 '19 at 22:05
  • @Jeroen I wouldn't generate new passwords - I would disable the password, effectively locking the account and forcing a password reset. Also, the question seems to be about a password leaked in any breach. While I would certainly freeze accounts that were compromised on my own service, I doubt I would freeze an account whose credentials were leaked from another service, even if matching. – Conor Mancone Nov 23 '19 at 02:52
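The practice the comments converge on (disable the leaked password so the account can only be recovered through a reset, and reject a "new" password that matches the compromised one) as an added example; this is not code from the question or any commenter, and the in-memory store, the PBKDF2 parameters and the function names are assumptions made for the demo.

```python
import hashlib
import hmac
import os

# Constructed in-memory account store: username -> record. Password
# verifiers are PBKDF2-HMAC-SHA256 over a per-account random salt.
ITERATIONS = 100_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def create_account(store: dict, user: str, password: str) -> None:
    salt = os.urandom(16)
    store[user] = {"salt": salt, "verifier": _derive(password, salt),
                   "must_reset": False, "compromised": []}


def login(store: dict, user: str, password: str) -> bool:
    rec = store.get(user)
    if rec is None or rec["must_reset"]:
        # Password disabled after a breach notice: only the reset flow works.
        return False
    return hmac.compare_digest(rec["verifier"], _derive(password, rec["salt"]))


def mark_compromised(store: dict, user: str) -> None:
    """Breach notification: keep the old verifier solely to reject its
    reuse, then disable it for login so the user must go through a reset."""
    rec = store[user]
    rec["compromised"].append((rec["salt"], rec["verifier"]))
    rec["verifier"] = None
    rec["must_reset"] = True


def reset_password(store: dict, user: str, new_password: str) -> bool:
    """Accept the new password only if it differs from every compromised one.
    The comparison is done on verifiers, so the old cleartext is never kept."""
    rec = store[user]
    for salt, old_verifier in rec["compromised"]:
        if hmac.compare_digest(old_verifier, _derive(new_password, salt)):
            return False  # same password as the breached one: rejected
    rec["salt"] = os.urandom(16)
    rec["verifier"] = _derive(new_password, rec["salt"])
    rec["must_reset"] = False
    return True
```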

0 Answers