Password Changing After a Breach
June 1, 2020
https://www.schneier.com/blog/archives/2020/06/password_changi.html

After a breach, users rarely change their passwords, and when they do, they're often weaker.

Study: "(How) Do People Change Their Passwords After a Breach?" (PDF - 209 KB): https://www.ieee-security.org/TC/SPW2020/ConPro/papers/bhagavatula-conpro20.pdf

I suspect many of you use your browser as a storage area for many of your login passwords. Me too. For ease of use they’re great. I order my washing powder online, as well as my dog food and a few other bits and pieces. If my password was compromised at any of these websites, would I care? What’s anyone going to do – send me free dog food? Disclaimer: I NEVER store my credit card details at any of these sites.

I also use the same password on multiple websites. Is it a risk? Maybe, but look at the stats. In 2019, so far, hacked websites included a collection of 2.7 billion identity records, consisting of 774 million unique email addresses and 21 million unique passwords.

These huge numbers are meant to frighten you, but in reality they do the opposite. It’s one thing to hack that many passwords; it’s quite another to weaponise them. If mine was one of 21 million passwords hacked, what have they got? My name, address, phone number – and the type of dog food I order. FYI, it’s Black Hawk Lamb And Rice. All this information is pretty much general knowledge. Would they even bother with a spear phishing attack to try and access my financial or banking details? In most cases it’s a lot of work to find out that the trip has not been worth it.