ElcomSoft Discovers Most of Its Customers Want Stricter Security Policies but Won’t Bother Changing Default Passwords

February 22nd, 2012 by Olga Koksharova

We ran yet another Password Usage Behaviour survey on our Web site and gathered statistically significant data, reflected in the following charts. The main conclusion is that most people working with sensitive information want stricter security policies but rarely bother changing default passwords.

Less than 50% of all respondents come from Computer Law, Educational, Financial, Forensics, Government, Military and Scientific organizations; the larger half come from ‘Other’ types of organization.

Less than 30% of respondents indicated they have never forgotten a password. The most frequently quoted reasons for losing a password to a resource were infrequent use of the resource (28%), not writing it down (16%) and returning from a vacation (13%).

Only about 25% of all respondents indicated they change their passwords regularly. The rest change their passwords infrequently (24%), sporadically, or almost never.

The quiz revealed a serious issue with how most respondents handle default passwords (passwords that are automatically generated or assigned to their accounts by system administrators). Only 28% of respondents would always change the default password, while more than 50% would usually keep the assigned one. In ElcomSoft’s view, this should raise an alert with IT security staff and call for a password security audit. ElcomSoft offers a relevant tool, Proactive Password Auditor, which lets organizations audit their network account passwords.

Unsurprisingly for a sample with this background, most respondents were not happy with their organizations’ security policies, being in either full or partial disagreement with their employer’s current policy (61%). 76% of all respondents indicated they wanted a stricter security policy, while 24% wanted a looser one. The surprising part is in the next chart: of those who are fully content with their employers’ security policies, only 11% would leave the policy as it is, 20% would vote for a looser policy, and 69% would rather have a stricter one.

The complete results and charts are available at http://www.elcomsoft.com/PR/quiz-charts.pdf


One Response to “ElcomSoft Discovers Most of Its Customers Want Stricter Security Policies but Won’t Bother Changing Default Passwords”

  1. Default passwords seem to be a real problem, so here is our advice. Do not use default passwords, as it’s dangerous, even if they are complex, simply because lists of such passwords are easily found on the Internet – for many different systems and applications. A really strong password should not only be long and complex, it should be unique (of course, there are many other factors such as changing the password on a regular basis, performing password/security audits etc. – in other words, a good password policy).

    Default passwords are also easily checked by bots and automated scripts: they usually have built-in wordlists that always contain default passwords – to be checked first. The other ‘dictionary’ words follow; but remember the weakest link principle.

    After all, default settings are always bad. That’s not only about passwords. Another good example is the SSID. With WPA/WPA2, the SSID is added to the password before hashing, so it works like a ‘salt’. But for the most common SSIDs (all manufacturers have their own favourite ones), effective rainbow tables can be created.
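The SSID-as-salt point made in the comment above, as an added Python example that is not part of the original post and not ElcomSoft's code. WPA/WPA2-PSK derives the Pairwise Master Key as PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 256 bits); the passphrase list, the list of "common" SSIDs and the two target networks below are constructed for illustration, and the table is a plain precomputed lookup rather than a true rainbow-table chain. The example shows why a table built for a default SSID recovers a weak passphrase instantly on any network that kept that SSID, and is useless against the same passphrase on a renamed network.

```python
import hashlib
from typing import Dict, Iterable, Optional

# Constructed passphrase list standing in for the wordlist behind a precomputed
# table (a real table would hold millions of entries).
CANDIDATE_PASSPHRASES = ["password", "12345678", "letmein1", "qwertyuiop"]

# Constructed list of SSIDs that routers commonly ship with (assumption for
# the example, not a survey result).
COMMON_SSIDS = ["linksys", "NETGEAR", "dlink", "IEEE"]


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-PSK Pairwise Master Key.

    802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32 bytes).
    The SSID is the salt, so one passphrase gives a different PMK per
    network name, and a precomputed table is only valid for one SSID.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def build_table(ssid: str, passphrases: Iterable[str]) -> Dict[bytes, str]:
    """Precompute PMK -> passphrase for one SSID.

    This is the expensive step (4096 HMAC-SHA1 rounds per entry), paid once
    and reused against every network that still broadcasts this SSID.
    """
    return {wpa_pmk(p, ssid): p for p in passphrases}


def lookup(table: Dict[bytes, str], pmk: bytes) -> Optional[str]:
    """Recover the passphrase for a PMK with no PBKDF2 work at attack time.

    Simplification: a real attack checks each candidate PMK against the MIC
    of a captured 4-way handshake; here the target PMK is compared directly.
    """
    return table.get(pmk)


def demo() -> dict:
    """Attack two constructed networks that both use the passphrase 'password'."""
    tables = {ssid: build_table(ssid, CANDIDATE_PASSPHRASES) for ssid in COMMON_SSIDS}

    target_default = wpa_pmk("password", "linksys")         # owner kept the default SSID
    target_renamed = wpa_pmk("password", "kitchen-wifi-7")  # owner chose a unique SSID

    return {
        # Table hit: weak passphrase falls out of the precomputed table immediately.
        "default_ssid_hit": lookup(tables["linksys"], target_default),
        # Table miss: same weak passphrase, but a unique salt makes the table useless.
        "renamed_ssid_hit": lookup(tables["linksys"], target_renamed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result!r}")
```

The `"IEEE"`/`"password"` pair is the published 802.11i PBKDF2 test vector, which can be used to confirm `wpa_pmk` before trusting the table. Note that a unique SSID only defeats precomputation; an attacker who captures a handshake can still run the 4096 rounds per candidate against that one network, so the passphrase itself still has to be strong.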