Users don’t bother changing default passwords

Most people working with sensitive information want stricter security policies but rarely bother changing default, automatically generated and assigned passwords.

To collect the responses, ElcomSoft was running a questionnaire during the last few months. After gathering a statistically significant sample, the company discovered interesting information about its customers’ habits and preferences in regards to IT security.

Less than 50% of all respondents come from Computer Law, Educational, Financial, Forensics, Government, Military and Scientific organizations.

Less than 30% of respondents indicated they have never forgotten a password. Most frequently quoted reasons for losing a password to a resource would be infrequent use of a resource (28%), not writing it down (16%), returning from a vacation (13%).

Only about 25% of all respondents indicated they change their passwords regularly. The rest will either change their passwords infrequently (24%), sporadically or almost never.

The quiz revealed a serious issue with how most respondents handle default passwords (passwords that are automatically generated or assigned to their accounts by system administrators). Only 28% of respondents would always change the default password, while more than 50% would usually keep the assigned one. This information should really raise an alert with IT security staff and call for a password security audit.

Unsurprisingly for a sample with given background, most respondents weren’t happy about their organizations’ security policies, being in either full or partial disagreement with their employer’s current policy (61%). 76% of all respondents indicated they wanted a stricter security policy, while 24% would want a looser one.

The surprising part is that of those who are content with their employers’ security policies, only 11% would leave it as it is, 20% would vote for a looser policy, and 69% would rather have a stricter security policy.