75% of users reuse passwords across different accounts – this is up from 56% in 2014!


We’ve always known users are the weakest link in your security chain, but new report data from SailPoint shows just how bad users are behaving in 2018 – and how it affects security.

It’s an on-going battle: IT works to establish a secure working environment for users, and users look for ways to circumvent security, process, and protocol in an effort to work productively. The latest data from SailPoint’s 2018 Market Pulse Survey shows users are working harder than ever to not make the organization safer:

  • 75% of users reuse passwords across different accounts – this is up from 56% in 2014!
  • 56% use the same password across personal and work accounts
  • 23% change their password two or fewer times a year
  • 15% would consider selling (yes, selling!) their workplace credentials to a third party

These stats point to a very real danger that exists. Cybercriminals use social engineering and phishing attacks to harvest credentials from individuals and use automated tools to test out those credentials on web-based services like Office 365. And with users using the same, unchanged, passwords across multiple systems, applications, and services, a single credential can be the master key to a multitude of business applications.

So, how do you stop this from becoming a problem in your organization?

  • Implement Password Policies – for every system, application, and service providing its own credentials, look for ways to implement the required changing of passwords, at a minimum.
  • Use Multi-Factor Authentication – The addition of factors beyond just a password (e.g. passcode token, 3rd-party verification, security questions, etc.) for systems housing sensitive data makes it impossible for cybercriminals to gain access with only a password.
  • Implement Security Awareness Training – The problem outlined above is a culture issue; users don’t see a problem with their risk-inducing password habit because organizations aren’t telling them it’s a problem. By implementing Security Awareness Training, users get educated on the realities of cyber threats, the risk they themselves can create, good cybersecurity habits, and how to spot attacks without becoming a victim.

The SailPoint data paints an all-too-real picture of what many organizations look like today. Consider taking steps to rectify both the culture and technical challenges bad user habits have created… before they impact the organization.

How vulnerable is your network to hacked user passwords?

Breached Password TestAs you saw above, A whopping 56% use the same password across personal and work accounts

What if that password is available on the dark web? A massive amount of passwords are compromised due to data breaches and used by the bad guys for attacks. Are any hacked passwords in use within your organization?

Using breached passwords puts your network at risk. Password policies often do not prevent employees using known bad passwords. Making your users frequently change their passwords isn’t a good solution either. It only takes one compromised password match for the bad guys to gain access.

KnowBe4’s free NEW Breached Password Test (BPT) checks to see if your users are currently using passwords that are in publicly available breaches associated with your domain. BPT checks against your Active Directory and reports compromised passwords in use right now so that you can take action immediately!

Here's how Breached Password Test works:

checkmark Checks to see if your company domains have been part of a data breach that included passwords

checkmark Checks to see if any of those breached passwords are currently in use in your Active Directory

checkmark Does not show/report on the actual passwords of accounts

checkmark  Just download the install and run it

checkmark  Results in a few minutes!

Find out now which users are using hacked passwords!

Check Passwords


Requirements: Active Directory, Windows 7 or higher (32 or 64bit) NOTE: the analysis is done on the workstation you install BPT on, no confidential data leaves your network, and actual passwords are never disclosed.

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews