
To collect the responses, ElcomSoft ran a questionnaire over the last few months. After gathering a statistically significant sample, the company discovered interesting information about its customers’ habits and preferences with regard to IT security.
Less than 50% of all respondents come from Computer Law, Educational, Financial, Forensics, Government, Military and Scientific organizations.
Less than 30% of respondents indicated they have never forgotten a password. The most frequently cited reasons for losing a password to a resource were infrequent use of the resource (28%), not writing the password down (16%), and returning from a vacation (13%).
Only about 25% of all respondents indicated they change their passwords regularly. The rest will either change their passwords infrequently (24%), sporadically or almost never.
The quiz revealed a serious issue with how most respondents handle default passwords (passwords that are automatically generated or assigned to their accounts by system administrators). Only 28% of respondents would always change the default password, while more than 50% would usually keep the assigned one. This information should really raise an alert with IT security staff and call for a password security audit.
Unsurprisingly for a sample with this background, most respondents weren’t happy about their organizations’ security policies, being in either full or partial disagreement with their employer’s current policy (61%). 76% of all respondents indicated they wanted a stricter security policy, while 24% would want a looser one.
The surprising part is that of those who are content with their employers’ security policies, only 11% would leave the policy as it is, 20% would vote for a looser policy, and 69% would rather have a stricter security policy.
