Most Internet users don't change their account passwords immediately after learning they've been compromised, according to a recent study published by CyLab, Carnegie Mellon University's security and privacy research institute.
Only about one-third of users will choose to change their passwords after they've been compromised.
The study collected actual data from the university's Security Behavior Observatory, where 63 accounts out of 249 users had compromised passwords, and the research team then issued public security alerts for those accounts.
Of those 63 users, only 21 ultimately chose to change their passwords, and of those, only 15 completed the password change within three months.
In addition, the study noted that of the 21 users who changed their passwords, only nine chose a more secure, complex password, while the rest chose a replacement whose characters and numbers were extremely similar to their original password.
The study also says the problem is not only that most users still lack awareness of password security, but also that websites lack adequate security alerts.
The study, presented at the IEEE 2020 Technology and Consumer Protection Symposium, is not based on survey data, but on data generated by actual browsers.
Although small in scale, it is more accurate than other studies because it better reflects the subjective behavior of users in reality.