KnowBe4 Study: Survey of 2600 IT Professionals Shows Password Procedures Still = Security Fail

KnowBe4, provider of the world’s most popular security awareness training and simulated phishing platform, surveyed 2,600 IT professionals to find out how they were managing passwords in light of the new changes proposed by the United States National Institute for Standards and Technology (NIST). Their findings show that businesses were open to the proposed pass phrase concept suggested by NIST.

NIST Special Publication 800-63B, “Digital Identity Guidelines,” states that “Many attacks associated with the use of passwords are not affected by password complexity and length. Keystroke logging, phishing, and social engineering attacks are equally effective on lengthy, complex passwords as simple ones.” This means that password complexity has failed in practice. Verizon's latest Data Breach Report showed that 81% of hacking-related breaches used either stolen and/or weak passwords, supporting the NIST conclusion.

KnowBe4 surveyed 2,600 IT professionals to further examine how organizations are managing passwords and determine how the proposed pass phrase concept stacks up against methods currently in use.

KnowBe4’s survey showed that 44% of respondents overall (large organizations with 1,000+ employees and small to mid-size businesses) think a roughly 25-character pass phrase could work, versus 35% who don’t believe it to be a viable option for their organization. Other highlights from the survey include:

  • Nearly 97% of large organizations have an enforced password policy compared to almost 88% in small to mid-size organizations.
  • A majority (63%) of organizations do not allow password re-use; however, this does not prevent employees from using the same password on multiple sites.
  • Almost half (49%) of large organizations believe their current password policy is insufficient, while 48% of small to mid-size organizations believe their password policy is good enough.
  • Enterprise-size organizations (1,000+ users) prefer multi-factor authentication (MFA), with only 38% stating they do not use it, compared with 62% of small and medium organizations not using MFA.
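To make the NIST point concrete, here is an added example (my own code, not KnowBe4’s Weak Password Test or any NIST reference implementation) that scores the same candidates under a legacy composition rule and under the SP 800-63B verifier rules: minimum length plus a breached-value blocklist and no composition requirements. The blocklist entries and usernames are constructed sample values.

```python
"""Legacy complexity policy vs. a NIST SP 800-63B style verifier check."""
import re
import unicodedata

# Constructed stand-in for a real breached/common-password blocklist.
BLOCKLIST = {"password", "p@ssw0rd1", "welcome1", "summer2017!", "qwerty123"}
MIN_LEN = 8    # 800-63B: verifier SHALL require at least 8 characters
MAX_LEN = 64   # 800-63B: verifier SHALL permit at least 64 characters


def legacy_complexity_ok(pw: str) -> bool:
    """2003-era rule: 8+ characters with upper, lower, digit and symbol."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"\d", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def nist_800_63b_ok(pw: str, username: str = "") -> tuple:
    """Length bounds, blocklist and context check; no composition rules.
    Returns (accepted, reason)."""
    pw = unicodedata.normalize("NFKC", pw)  # 800-63B: normalise before checks
    if len(pw) < MIN_LEN:
        return False, "shorter than %d characters" % MIN_LEN
    if len(pw) > MAX_LEN:
        return False, "longer than %d characters" % MAX_LEN
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        return False, "appears in the breached-password blocklist"
    if username and username.lower() in lowered:
        return False, "contains the username"
    if len(set(lowered)) < 4:
        return False, "repetitive characters"
    codes = [ord(c) for c in lowered]
    if all(b - a == 1 for a, b in zip(codes, codes[1:])):
        return False, "sequential characters"
    return True, "ok"


if __name__ == "__main__":
    # A 28-character pass phrase fails the legacy rule but passes 800-63B;
    # a "complex" breached value does the opposite.
    for cand in ("correct horse battery staple", "P@ssw0rd1", "jsmith2024!"):
        print("%-30s legacy=%-5s nist=%s" % (
            cand, legacy_complexity_ok(cand), nist_800_63b_ok(cand, "jsmith")))
```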

“Passwords are a known weakness in corporate security and have come under more intense scrutiny recently. Most organizations have password enforcement in place, but most aren’t taking it seriously enough by not enforcing policies beyond the normal number and letter character minimum and not requiring multi-factor authentication,” said Stu Sjouwerman, CEO of KnowBe4. “It is well-known that employees are the weakest link in security and that includes password usage. IT can’t expect employees to put password policies in place on their own. It’s an effort that IT must lead.”

Bill Burr, the former National Institute of Standards and Technology (NIST) engineer who wrote the password complexity requirement, said the 2003 standards had failed in practice. With multiple devices, accounts and websites, the average user has somewhere around 27 discrete passwords to remember.

KnowBe4 encourages companies to test their password enforcement with its free Weak Password Test tool to find out how exposed their users are.

You can get the test here:

About KnowBe4

KnowBe4, the provider of the world’s most popular integrated new school security awareness training and simulated phishing platform, is used by more than 12,000 organizations worldwide. Founded by data and IT security expert Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness of ransomware, CEO Fraud and other social engineering tactics through a new school approach to security awareness training. Kevin Mitnick, internationally recognized computer security expert and KnowBe4’s Chief Hacking Officer, helped design KnowBe4’s trainings based on his well-documented social engineering tactics. Thousands of organizations trust KnowBe4 to mobilize their end-users as the last line of corporate IT defense.

Number 139 on the 2016 Inc 500 list, #50 on 2016 Deloitte’s Technology Fast 500 and #6 in Cybersecurity Ventures Cybersecurity 500. KnowBe4 is based in Tampa Bay, Florida. For more information, visit and follow Stu on Twitter at @StuAllard.
