Follow Us

Like what you're reading?

Subscribe to receive periodic updates about new posts by email, or follow us via Twitter or RSS.

Please enter a valid e-mail address to subscribe.


You have subscribed.

67 Percent of Internet Users Haven’t Changed Passwords After Heartbleed


heartbleed 300When news of the Heartbleed security bug broke in early April, it seemed as though the Internet security apocalypse had arrived. Esteemed IT security guru Bruce Schneier declared the bug “catastrophic” before channeling Spinal Tap with the statement, “On the scale of 1 to 10, this is an 11.”

The New York Times reported that “up to two thirds” of websites could be affected, including widely used and trafficked sites like Gmail, Facebook, Yahoo and Tumblr. Suddenly the Internet was full of experts and journalists dispensing advice and analysis.

Here at Software Advice, we wanted to know: after all all the news coverage, are people actually taking Heartbleed seriously? How many have done as the experts advised and changed their passwords? What have businesses done to educate their employees? We surveyed 3,000 people in the U.S. to learn the answers to these questions and more. The survey included six questions, each of which was seen by at least 500 unique respondents. Here’s what we found.

Key Findings

  • Only half of all respondents know what Heartbleed is, with the 18-24 age group being the least informed of all.
  • Two thirds of respondents haven’t changed a single password to protect any of their accounts.
  • Many employers are indifferent and/or uninformed—over 75 percent of respondents say they’ve received no advice about Heartbleed in the workplace.

Catastrophe? What Catastrophe?

So, what percentage of the public is actually aware that we’re in the midst of an Internet security crisis? To begin, we asked respondents to identify what Heartbleed is by picking from a range of five options (none of which were too difficult).

And yet, even though the survey was conducted online—meaning everybody who answered has Internet access, and was thus likely confronted with news headlines about the bug on numerous occasions—the degree of ignorance revealed in the results was startling: only 53 percent of respondents made the right choice.

“Heartbleed” has been in the news a lot lately. It is:


When we dug deeper into the data, we found that the worst informed group was also the youngest—and allegedly most tech-savvy. Only 37 percent of 18- to 24-year-olds picked the correct answer:

Stupid Youth Chart.crop

*Denotes an option offered in the survey, but not selected by any respondents.

By contrast, respondents in the 65+ age group (many of whom were already middle aged when Tim Berners-Lee invented the World Wide Web) were better informed, with 39 percent selecting the correct answer.

Of course, this may reflect not so much a lack of technical awareness but rather a lack of interest in the news in the younger age group, many of whom are presumably too busy posting selfies on social media to worry about an Internet catastrophe. Regardless, it’s startling that a generation raised on the Internet is the least informed about its safety.

A Significant Majority Didn’t Change a Single Password

Next, we asked about the specific actions respondents took in the aftermath of Heartbleed to protect their personal data from exposure. Most of the advice in the media focused on password security and website vulnerability scanning tools, so we designed our questions with those security steps in mind.

We first asked respondents which passwords they had changed on various types of websites, from email to e-commerce. Given the high degree of ignorance about the Heartbleed vulnerability exposed in question one, it wasn’t surprising to discover that 67 percent of people surveyed had done precisely nothing to secure any of their accounts.

After the Heartbleed Internet bug was exposed, did you change your password(s) for any of the following types of accounts?

Question 2 Heartbleed crop

It was alarming to see that only 19 percent of respondents had changed their email passwords, even though popular providers such as Gmail and Yahoo were affected by the bug.

On the other hand, many banks and large retailers such as WalMart and eBay stated publicly that their systems were not affected by Heartbleed, and so the fact that only 18 percent of respondents said they had changed the passwords on their financial accounts may be less of a cause for concern.

That said, given the limited level of Heartbleed awareness revealed by the first question, it seems likely that the banking and shopping percentages are as low as they are due to indifference and ignorance of the problem, rather than a sudden outburst of enthusiastic research into the state of the American banking system.

And of course, if customers are reusing passwords (as many do) from affected accounts on unaffected accounts, they’re still at risk.

Website Scanning Tools Were Largely Neglected

People use passwords all time, but most aren’t accustomed to scanning the websites they visit for vulnerabilities. As such, it was less surprising to learn that the various online website scanning tools provided by Google, McAfee and others completely passed 77 percent of respondents by.

After the Heartbleed bug was exposed, scanning tools were offered online to check website vulnerability. Did you use them?

Did you use scanning tools.crop

Meanwhile, 10 percent of respondents said they checked “important” sites, while a hardcore 6 percent checked every site they visited. In short, approximately 16 percent of respondents made effective use of these tools—a figure close to the 19 percent who changed the passwords on their email accounts.

So, does this 16 percent figure represent the percentage of people who take their online security seriously? Perhaps. We next asked about the adoption of specific enhanced security measures, such as password managers or enabling two factor authentication (both steps recommended by experts and journalists in multiple articles relating to Heartbleed).

We found that the number of people taking proactive steps to enhance their security mapped closely to the 16 percent who had used scanning tools. Presented with a range of enhanced security measures, 15 percent replied with, “I already used at least one of these.”

On the other end, 71 percent of respondents didn’t use any of these measures—which at this point comes as little surprise.

After hearing about the Heartbleed bug, which of the following security tools did you start using?

question 5 final.crop


Employers Are Complacent, Putting Data at Risk

Perhaps the most alarming results of our survey were those we received when we asked respondents which passwords their employers had asked them to change. Even for such a heavily used service as email, only 13 percent replied that their employers had advised them to make changes, while 77 percent said they had received no advice about any of the accounts we listed:

After the Heartbleed bug was exposed, which of the following types of accounts did your employer advise you to change?


Of course, while some of the account types listed above are more relevant for work than others, there’s no reason for employers to be complacent. That is, unless they believe employees never do personal things on work computers, in which case they have more serious issues than Heartbleed worry about.

This employer complacency—or perhaps ignorance—is all the more unfortunate because, when asked what they would do if their employer asked them to change passwords, 50 percent of respondents said they would do as requested.

If your employer asked you to change any passwords after hearing about the Heartbleed security bug, would you?

4. If your employer asked.crop

Given that half of respondents don’t even know what Heartbleed is, it’s plausible to assume that at least a portion of the 31 percent who answered “I’m not sure” did so because they’re similarly uninformed. With more information, and perhaps better education from their employers, the 50 percent willing to change their passwords upon request may well have been higher.


So, what have we learned? There’s a shockingly mediocre level of public awareness about Heartbleed, and the widespread apathy (and/or ignorance) about how to protect personal data is leaving the majority of computer users exposed to risk.

Even a huge news story apparently cannot make people change their habits: we launched this survey soon after went public with its recommendation that account holders change their passwords.

Most alarming, however, is the degree of complacency among employers, especially in light of the fact that 50 percent of respondents would change their passwords if asked. Of course, given the high degree of ignorance about Heartbleed exposed by our first question, it’s possible that some of our respondents were given advice at the workplace but weren’t really paying attention.

Either way, employers face a major challenge when it comes to improving security awareness in the workplace. (And while they’re at it, they should probably avoid hiring 18-to-24-year-olds to manage their security.)

Heartbleed logo created by Codenomicon, used under CCO.

Share this post:  
Daniel Humphries

About the Author

Daniel Humphries is the Managing Editor of IT Security at Software Advice. He interviews experts, writes articles and conducts behind-the-scenes research into the rapidly changing cyber security landscape, all with the goal of bringing clarity to the bewildering assortment of IT security buzzwords and technologies.

Connect with Daniel Humphries via: 
Email  | Google+  | LinkedIn

  • Jeffrey Goldberg

    This is an excellent study and report, but I’ve got a couple of fine-grained questions.

    I’m a bit surprised at the age difference you found. First it could be a statistical artifact of checking for a whole bunch of differences without taking into account that some things will occur by chance.

    Also, if this age difference turns out to be statistically supported, I’ve got questions about your sampling. Were these telephone interviews, and where calls only made to landlines? If so, then your sample may be atypical, particularly of the young.

    I’m not trying to diminish the excellent and very useful work you’ve done here; I’m just trying to get more out of it by having a better understanding of the methods of data collection and analysis.

    • Daniel Humphries

      Thanks, I’m glad you found it interesting. I was also surprised by the result for the younger age group- in answer to your question it was an online survey, therefore everybody who answered it was at a computer, which makes the results even more striking.

  • Pingback: You’ll Be Surprised How Many People Did Nothing About Heartbleed | Re/code

  • Pingback: You’ll Be Surprised How Many People Did Nothing About Heartbleed | TechNewsDB

  • Pingback: User and Site Heartbleed apathy exceeds action

  • WinnieRhodework

    Wow, that is pretty crazy findings! So many people have not changed their passwords yet. I am lucky I use a password manager ( and have changed all my passwords a while ago and I think I will do that again in couple weeks just for the piece of my mind. It is sad people are not taking care of their privacy and passwords.

  • Pingback: EBay’s Massive Security Breach: What It Means for You | Sharing Interesting Stuff, Updates News & Free Tips

  • Pingback: EBay’s Massive Security Breach: What It Means for You | Mobile Apps Now