KnowBe4 Study: Survey of 2600 IT Professionals Shows Password Procedures Still = Security Fail


Additional opportunity to provide advanced security awareness training to end users to further prevent successful breaches exists


KnowBe4, provider of the world’s most popular security awareness training and simulated phishing platform, surveyed 2,600 IT professionals to find out how they manage passwords in light of the changes proposed by the United States National Institute of Standards and Technology (NIST). The findings show that businesses are open to the pass phrase concept NIST recommends, and point to a further opportunity to give end users advanced security awareness training so that fewer breaches succeed.

NIST Special Publication 800-63B, “Digital Identity Guidelines,” states that “Many attacks associated with the use of passwords are not affected by password complexity and length. Keystroke logging, phishing, and social engineering attacks are equally effective on lengthy, complex passwords as simple ones.” In other words, composition rules (an upper-case letter, a digit, a symbol) do nothing against the attacks that actually steal credentials, which is why NIST now concludes that mandatory complexity has failed in practice. Verizon’s 2017 Data Breach Investigations Report found that 81% of hacking-related breaches leveraged stolen and/or weak passwords, supporting that conclusion.

KnowBe4 surveyed 2,600 IT professionals to examine how organizations manage passwords and how the proposed pass phrase concept stacks up against the methods currently in use. Across all respondents (both large organizations with 1,000+ employees and small to mid-size businesses), 44% think a roughly 25-character pass phrase could work, versus 35% who do not believe it is a viable option for their organization.
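To make concrete what the NIST guidance quoted above replaces complexity rules with, and why a 25-character pass phrase fares better under it than a “complex” 9-character password, here is an added example. It is not KnowBe4’s Weak Password Test and not code from NIST; it is a stand-alone Python illustration of a SP 800-63B-style memorized-secret check (length 8 to 64, no composition rules, blocklist, repetitive/sequential and context-specific rejection) next to a 2003-era composition rule, plus a k-anonymity range lookup of the kind the Pwned Passwords API uses. The blocklist, the context words and the sample range response are constructed for the example; only the SHA-1 arithmetic is real.

```python
"""NIST SP 800-63B style secret check beside a legacy composition rule.

Added example. BLOCKLIST, CONTEXT_WORDS and SAMPLE_RANGE_5BAA6 are constructed
stand-ins, not real breach data.
"""
from __future__ import annotations

import hashlib
import re
import unicodedata

# Constructed stand-in for a breached-password / dictionary corpus (hypothetical).
BLOCKLIST = {"password", "p@ssw0rd1", "welcome1", "summer2017", "qwerty123"}
# Hypothetical context-specific words: service name, organization name.
CONTEXT_WORDS = {"knowbe4", "examplecorp"}
# Sequences used for a simplified "sequential characters" test.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop")


def legacy_complexity_ok(pw: str) -> bool:
    """The 2003-era rule: at least 8 chars with upper, lower, digit and symbol."""
    classes = (r"[A-Z]", r"[a-z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and all(re.search(c, pw) for c in classes)


def nist_check(pw: str, username: str = "") -> tuple[bool, str]:
    """Check a candidate secret the way SP 800-63B section 5.1.1.2 describes:
    8..64 characters (spaces and Unicode allowed), no composition rules,
    reject blocklisted, repetitive, sequential and context-specific values."""
    pw = unicodedata.normalize("NFKC", pw)  # normalize before comparing or hashing
    if len(pw) < 8:
        return False, "shorter than 8 characters"
    if len(pw) > 64:
        return False, "longer than the 64 characters this verifier accepts"
    folded = pw.casefold()
    if folded in BLOCKLIST:
        return False, "appears in the compromised-password blocklist"
    if re.fullmatch(r"(.)\1*", pw):
        return False, "single repeated character"
    if any(folded in seq for seq in SEQUENCES):
        return False, "sequential characters"
    words = CONTEXT_WORDS | ({username.casefold()} if username else set())
    if any(w in folded for w in words):
        return False, "contains a context-specific word"
    return True, "ok"


def hibp_range_parts(pw: str) -> tuple[str, str]:
    """Split SHA-1(pw) into the 5-hex-char prefix that is sent to a range API
    and the 35-hex-char suffix that stays on the host."""
    data = unicodedata.normalize("NFKC", pw).encode("utf-8")
    digest = hashlib.sha1(data).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(pw: str, range_response: str) -> int:
    """Match the local suffix against a 'SUFFIX:COUNT' range response.
    The full hash (and the password) never leave the host."""
    _, suffix = hibp_range_parts(pw)
    for line in range_response.splitlines():
        cand, _, count = line.strip().partition(":")
        if cand == suffix:
            return int(count)
    return 0


# Constructed sample of what a range query for prefix 5BAA6 could return.
# The first suffix really is the tail of SHA-1("password"); the counts are made up.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567
0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:2
FFEEDDCCBBAA99887766554433221100FFE:17
"""


def compare(candidates: list[str], username: str = "") -> dict[str, dict]:
    """Run both policies over a list of candidates and report the verdicts."""
    report = {}
    for pw in candidates:
        ok, reason = nist_check(pw, username)
        report[pw] = {
            "legacy_complexity": legacy_complexity_ok(pw),
            "nist_ok": ok,
            "nist_reason": reason,
            "breached": breach_count(pw, SAMPLE_RANGE_5BAA6),
        }
    return report


if __name__ == "__main__":
    sample = ["P@ssw0rd1", "password", "correct horse battery staple",
              "KnowBe4Rocks!", "12345678", "aaaaaaaa"]
    for pw, verdict in compare(sample, username="jdoe").items():
        print(f"{pw!r:34} {verdict}")
```

The point the table makes when run: "P@ssw0rd1" and "KnowBe4Rocks!" satisfy every composition rule yet are rejected by the NIST-style check (one is on the blocklist, the other contains the service name), while "correct horse battery staple" fails the legacy rule outright and passes the NIST check. The range-lookup functions show the only part of the blocklist check that needs an outside service, and why it does not need the password itself: a real deployment would fetch the prefix’s range from the Pwned Passwords API instead of the constructed string above.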

Other highlights from the survey include:

  •     Nearly 97% of large organizations have an enforced password policy compared to almost 88% in small to mid-size organizations.
  •     A majority (63%) of organizations do not allow previously used passwords to be reused; however, such a policy does not stop employees from using the same password on multiple sites.
  •     Almost half (49%) of large organizations believe their current password policy is insufficient, while 48% of small to mid-size organizations believe their password policy is good enough.
  •     Large organizations (1,000+ users) prefer multi-factor authentication (MFA) with only 38% stating they do not use it, compared with 62% of small to mid-size organizations stating they do not use MFA.

“Passwords are a known weakness in corporate security and have come under more intense scrutiny recently. Most organizations have password enforcement in place, but most aren’t taking it seriously enough by not enforcing policies beyond the normal number and letter character minimum and not requiring multi-factor authentication,” said Stu Sjouwerman, CEO of KnowBe4. “It is well-known that employees are the weakest link in security and that includes password usage. IT can’t expect employees to put password policies in place on their own. It’s an effort that IT must lead.”

Bill Burr, the former NIST engineer who wrote the 2003 password complexity guidance, has said those rules failed in practice. With multiple devices, accounts and websites, the average user has somewhere around 27 discrete passwords to remember.

KnowBe4 encourages companies to test their password enforcement with a free tool to find out how exposed their users are with its Weak Password Test. Additionally, businesses that invest in new-school security awareness training can turn their end users into a human firewall that can identify and prevent a breach regardless of password policies.

You can get the test here:

About KnowBe4
KnowBe4, the provider of the world’s most popular integrated new school security awareness training and simulated phishing platform, is used by more than 12,000 organizations worldwide. Founded by data and IT security expert Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness of ransomware, CEO Fraud and other social engineering tactics through a new school approach to security awareness training. Kevin Mitnick, internationally recognized computer security expert and KnowBe4’s Chief Hacking Officer, helped design KnowBe4’s trainings based on his well-documented social engineering tactics. Thousands of organizations trust KnowBe4 to mobilize their end-users as the last line of corporate IT defense.

KnowBe4 ranked number 139 on the 2016 Inc. 500 list, #50 on Deloitte’s 2016 Technology Fast 500 and #6 in the Cybersecurity Ventures Cybersecurity 500. KnowBe4 is based in Tampa Bay, Florida. For more information, visit and follow Stu on Twitter at @StuAllard.


Contact Author

Kathy Wattman
+1 727-474-9950

Jennifer Jewett