Though most people would change their locks after a physical break-in, fewer people—only 13%, in fact—change their passwords on websites that have experienced security breaches. And of this cautious 13%, many new passwords tend to be either weaker, very similar, or even the same as passwords used on other websites.
On paper, the solutions are easy. Some websites offer 2FA—two-factor authorization, which grants access to a site after successfully completing two verification steps—while others have forced password changes every few months. However, for the vast majority of internet users, changing passwords to something new and secure is a hassle they aren’t willing to endure. It becomes a test of both creativity and memory, fighting past weeks, months, or perhaps even years of allowing muscle memory to type in the same password over and over again. But if there’s one lesson to be taken from the internet, it’s that few things are genuinely secure—and that even fewer stay secure.
That was a lesson taught to over 69 million users of a popular virtual pet website, Neopets, when a recent security breach gave the hacker access to all email addresses, passwords, and other personal information of the site’s users. To make matters worse, it hadn’t been just a one-time breach; the hacker purportedly had live access to the database, which meant that they would be able to get copies of any new passwords that were put into place since the time of the breach. For millions of users, this was understandably a terrifying moment of clarity—not only for the value of their Neopets accounts, but for their data privacy and security on other websites. Chances were that the same email and password combinations (if not just the password) were used on sites containing far more sensitive information, such as addresses, financial information, and more.
For both these individuals and unaffected others rightfully concerned about their online security, the hassle of creating new and dynamic passwords ought not to be ignored any longer. Making new passwords and changing them periodically would be the best way to safeguard against breaches like the one at Neopets, but users must take care not to make weaker passwords, and to minimize reuse across the web.
Avoid simple changes to a previously-used password, such as by changing a single “i" to a “1”, or a “$” to a “%”. Keeping out any personally identifiable information such as dates or names would also help. Many websites already require that a password be at a minimum length that tends to be longer rather than shorter; strive for length. Those who don’t wish to create a nonsensical combination of letters, numbers, and characters themselves could also make use of secure password managers that automatically generate passwords; Apple, for instance, has a feature that does as much.
Remember, data privacy is something that concerns and affects all users of the internet. Stay aware, stay safe, and stay ahead.
 Daniel Tkacik, After a breach, users rarely change their passwords, and when they do, they’re often weaker, CyLab (May 26, 2020), https://cylab.cmu.edu/news/2020/05/26-password-breach.html.
 Samantha Lock, Neopets security breach: users’ data reportedly stolen, The Guardian (July 22, 2022), https://www.theguardian.com/technology/2022/jul/22/neopets-security-breach-users-data-reportedly-stolen.
 Neopets being actively hacked, passwords + emails accessible, Jellyneo (July 20, 2022), https://www.jellyneo.net/?comments=14086.