Corpus ID: 216560194

(How) Do people change their passwords after a breach?

Authors: Sruti Bhagavatula, Lujo Bauer, Apu Kapadia
To protect against misuse of passwords compromised in a breach, consumers should promptly change affected passwords and any similar passwords on other accounts. Ideally, affected companies should strongly encourage this behavior and have mechanisms in place to mitigate harm. In order to make recommendations to companies about how to help their users perform these and other security-enhancing actions after breaches, we must first have some understanding of the current effectiveness of companies…


What breach? Measuring online awareness of security incidents by studying real-world browsing behavior
More severe incidents, as well as articles that discussed the incident constructively, inspired more action; overall, the findings present a bleak view of awareness of security incidents.


"What was that site doing with my Facebook password?": Designing Password-Reuse Notifications
Provides insight into the notifications companies send in situations that may involve password reuse, and shows that notifications alone appear insufficient to solve password reuse.
Understanding Password Choices: How Frequently Entered Passwords Are Re-used across Websites
Suggests that users cope with having many passwords by choosing a complex password on a website where they must enter it frequently (so that they memorize it) and then reusing that strong password across other websites.
Do Users' Perceptions of Password Security Match Reality?
Finds large variance in participants' understanding of how passwords may be attacked, which may explain why users nonetheless create predictable passwords.
Let's Go in for a Closer Look: Observing Passwords in Their Natural Habitat
The findings suggest that once a user needs to manage a larger number of passwords, they cope by partially and exactly reusing passwords across most of their accounts.
Factors Influencing Password Reuse: A Case Study
Studies the password policies of twenty-two universities and analyzes how reusable the credentials of students, staff, faculty, and other associated users are across each university's domains, with the aim of limiting password reuse.
Protecting accounts from credential stuffing with password breach alerting
Proposes a privacy-preserving protocol whereby a client can query a centralized breach repository to determine whether a specific username and password combination is publicly exposed, without revealing the queried information to the repository.
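The blinded prefix query that the breach-alerting paper above describes can be sketched in a few dozen lines. The following is an added example, not code from that paper or its authors: the client sends only a short hash prefix plus a blinded group element, the server answers with the blinded element raised to its secret key together with the matching bucket of keyed hashes, and the client unblinds and compares locally. The group (the quadratic-residue subgroup of Z_P^* for a safe prime P generated from a fixed seed), the 16-bit prefix, the `username\0password` encoding and the sample leaked pairs are all assumptions made for the demo; a production deployment would use an elliptic-curve group and a slow password hash in front of this step.

```python
import hashlib
import secrets
from collections import defaultdict
from typing import Iterable

# Added example (not the paper's code). Group size, prefix length, credential
# encoding and the sample breach corpus below are assumptions for the demo.

SMALL_PRIMES = [n for n in range(2, 200) if all(n % d for d in range(2, int(n ** 0.5) + 1))]


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin with random bases after a trial-division sieve."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(seed: bytes) -> int:
    """Search upward from SHA-256(seed) for q with both q and 2q+1 prime."""
    q = int.from_bytes(hashlib.sha256(seed).digest(), "big") | (1 << 255) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


P = find_safe_prime(b"breach-alerting-demo")   # safe prime, 257 bits (assumed group)
Q = (P - 1) // 2                                # prime order of the QR subgroup


def credential_hash(username: str, password: str) -> bytes:
    # Encoding is an assumption; real deployments canonicalise the username
    # and apply a slow hash such as Argon2 before this step.
    return hashlib.sha256(f"{username}\x00{password}".encode()).digest()


def bucket_id(username: str, password: str) -> bytes:
    """16-bit prefix: the only thing the server learns about the credential."""
    return credential_hash(username, password)[:2]


def hash_to_group(username: str, password: str) -> int:
    """Square the hash mod P so the element lies in the order-Q subgroup."""
    return pow(int.from_bytes(credential_hash(username, password), "big"), 2, P)


class BreachServer:
    """Stores leaked pairs per prefix, each raised to a secret exponent k,
    so the returned bucket reveals nothing about other leaked credentials."""

    def __init__(self, leaked: Iterable[tuple[str, str]]):
        self.k = secrets.randbelow(Q - 1) + 1
        self.buckets: dict[bytes, set[int]] = defaultdict(set)
        for user, pw in leaked:
            self.buckets[bucket_id(user, pw)].add(pow(hash_to_group(user, pw), self.k, P))

    def query(self, prefix: bytes, blinded: int) -> tuple[int, set[int]]:
        # The server sees only the prefix and x^r; without r it cannot recover x.
        return pow(blinded, self.k, P), set(self.buckets.get(prefix, ()))


def check_credential(server: BreachServer, username: str, password: str) -> bool:
    """Client side: blind, query, unblind, then compare within the returned bucket."""
    x = hash_to_group(username, password)
    r = secrets.randbelow(Q - 1) + 1
    reply, bucket = server.query(bucket_id(username, password), pow(x, r, P))
    # (x^r)^k raised to r^-1 (mod Q) equals x^k, the form stored in the bucket.
    return pow(reply, pow(r, -1, Q), P) in bucket


if __name__ == "__main__":
    # Constructed sample breach corpus, not real leaked data.
    server = BreachServer([("alice@example.com", "Summer2019!"), ("bob@example.com", "hunter2")])
    print(check_credential(server, "alice@example.com", "Summer2019!"))   # True
    print(check_credential(server, "alice@example.com", "Winter2019!"))   # False
```

The check a practitioner should make here is on the two directions of leakage: the server never sees more than a 2-byte prefix and a blinded element, and the client only ever sees bucket entries under the server's key k, so a client cannot use the response to harvest other leaked credentials that share its prefix. Unblinding relies on x lying in the prime-order subgroup, which is why the hash is squared before use.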
Measuring password guessability for an entire university
Studies the single-sign-on passwords used by over 25,000 faculty, staff, and students at a research university with a complex password policy and finds significant correlations between a number of demographic and behavioral factors and password strength.
The Password Life Cycle: User Behaviour in Managing Passwords
Identifies a password life cycle that follows users' password behaviour and how it develops over time as users adapt to changing circumstances and demands, and suggests that new approaches could be designed that harness existing user behaviour while limiting negative consequences.
Why people (don't) use password managers effectively
Describes a semi-structured interview study with 30 participants that gives a more comprehensive picture of the mindsets underlying adoption and effective use of password managers and password-generation features, and advocates tailored designs for these two mentalities.
Data Breaches: User Comprehension, Expectations, and Concerns with Handling Exposed Data
Finds that users readily understand the risk of data breaches and have consistent expectations for technical and non-technical remediation steps, and that participants are comfortable with applications that examine leaked data when the application has a direct, tangible security benefit.