Survey Reveals Worrying Lack of Action by Consumers After Receiving a Breach Notification Letter

The National Institute of Standards and Technology (NIST) no longer recommends forcing employees to change their passwords on a fixed schedule (the current guidance is in NIST Special Publication 800-63B). Periodic rotation looks like it improves password security on paper, but in practice it does not, and it often makes things worse: employees start with a strong password and, with each forced change, drift toward weaker, predictable variations of it. NIST instead recommends requiring a change when there is evidence that a password has been compromised.

One of the most important password practices is to change passwords after a data breach, which NIST recommends in the strongest terms, yet roughly four-fifths of individuals do not take sufficient steps to protect themselves against fraud after being notified of a breach.

A recent survey of 1,050 adult consumers, conducted by Distilled Insights Group (DIG) in conjunction with the Identity Theft Resource Center (ITRC), explored attitudes to data breach notices and to data and account compromises. Alarmingly, 16% of consumers took no action at all after being notified about a data breach, and 48% said they only changed the password on the breached account. Just 22% said they reset the passwords on all of their accounts after a data breach.

If everyone used a strong password generator, such as those built into password managers, changing the password on the breached account and no others would be sufficient, because every other password would already be unique. The problem is that many people do not use password generators and, consequently, many of their passwords are identical or only slightly different (a changed year, an appended digit, a capitalized first letter). An attacker who obtains a single password can then try it, and common variations of it, against other services, a technique known as credential stuffing. The survey found that only 15% of respondents used unique passwords for all of their accounts; the remaining 85% reused passwords across multiple accounts, so one breached password can open several of them.
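The audit below, added here as an illustration rather than anything from the article or the DIG/ITRC survey, is the kind of check a password manager (or a consumer working from a vault export) can run after a breach notification: it reduces each password to a "root" that ignores case, leetspeak and leading/trailing digits or symbols, so that Summer2023! and summer2024 are recognised as the same reused password, then reports which accounts share a root with the breached password and therefore also need resetting. The vault contents and the breached password are constructed sample data, and the normalization rules are a deliberately simple assumption about how people vary passwords, not an exhaustive list.

```python
import re
from collections import defaultdict

# Common leetspeak substitutions people use when "varying" a password.
# This mapping is an assumption for the example, not a standard list.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def root(password: str) -> str:
    """Reduce a password to its reusable 'root' so exact and near-duplicates compare equal.
    Summer2023!, summer2024 and SUMMER! all map to 'summer'; P@ssw0rd1 maps to 'password'.
    """
    p = password.lower()
    # Drop leading and trailing digits/symbols (years, '!', '123') before
    # collapsing leetspeak, so that digits used as suffixes are not mistaken for letters.
    p = re.sub(r"^[^a-z]+|[^a-z]+$", "", p)
    p = p.translate(LEET)
    # An all-digit or all-symbol password would collapse to '', so keep it as-is instead.
    return p or password.lower()


def audit(vault, breached_passwords):
    """vault: iterable of (account, password) pairs, e.g. from a password-manager export.
    breached_passwords: plaintext values known to be exposed (the one the notification
    letter concerns). Returns the accounts that must be reset because they share a root
    with a breached password, plus every group of accounts that share a root at all.
    """
    by_root = defaultdict(list)
    for account, password in vault:
        by_root[root(password)].append(account)

    breached_roots = {root(p) for p in breached_passwords}
    reset_required = sorted(
        account
        for r, accounts in by_root.items() if r in breached_roots
        for account in accounts
    )
    reused_groups = {r: accounts for r, accounts in by_root.items() if len(accounts) > 1}
    return {"reset_required": reset_required, "reused_groups": reused_groups}


# Constructed sample vault: two "Summer" variants, two "Password" variants, one random.
SAMPLE_VAULT = [
    ("shop.example",   "Summer2023!"),
    ("mail.example",   "summer2024"),
    ("bank.example",   "xK9#vL2$pQ7&mN4w"),
    ("social.example", "P@ssw0rd1"),
    ("forum.example",  "Password123"),
]

if __name__ == "__main__":
    # Suppose the breach notification came from shop.example.
    report = audit(SAMPLE_VAULT, {"Summer2023!"})
    print("Reset required:", report["reset_required"])
    for r, accounts in report["reused_groups"].items():
        print(f"Accounts sharing the root {r!r}: {accounts}")
```

Resetting only shop.example would leave mail.example open to the same credential, which is exactly the gap the survey's 48% fall into; the reused_groups output is the list the ITRC advice to "reset any passwords that are not unique" is asking consumers to work through.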

While many breach notification letters explain that consumers can place a credit freeze on their credit files, only 3% of respondents said they did so. 11% said they signed up for credit monitoring services, which alert them when their information is used to apply for accounts or lines of credit. Monitoring is only detective, however: it tells the victim that fraud has been attempted, whereas a freeze stops new credit being opened in their name in the first place.

Respondents who did not follow recommended password practices were asked whether they felt their practices were good enough. 33% admitted they were not, yet persisted with them anyway. More worryingly, 13% of respondents said they do not think it is important to use strong, unique passphrases at all.

Data breaches are occurring at record levels, and account compromises are common. 72% of respondents said they had received a data breach notification, and 55% said one or more of their social media accounts had been compromised: 42% named Facebook and 32% named Instagram.

So what reasons were given for not changing passwords? 29% believed the breached entity was responsible for securing its systems and would address the issue, 26% felt the data was already out there so there was little point, 17% were unsure what to do after receiving a breach notification letter, and 14% thought the breach notifications were scams.

The survey demonstrates a stark disconnect between knowing security best practices and acting on them after a data breach, and it also suggests that breach notification letters do not clearly explain why taking action matters.

“Organizations need to review how they notify consumers of data breaches to reduce the level of inaction and improve the credit freeze adoption rates,” said ITRC president Eva Velasquez. “Also, businesses should recommend to consumers that they reset any passwords that are not unique and offer multi-factor authentication with an app.”

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news