A Hacker’s Dream: Half of IT Admins Reuse Passwords Across Multiple Accounts


The most recent report from Ponemon shows how IT's lack of password management is wildly misaligned with organizations' supposed concern for protecting data.

Cybercriminals intent on gaining internal access usually only have a single compromised account from which to attempt lateral movement. But, according to Ponemon’s 2019 State of Password and Authentication Security Behaviors Report, extremely poor password management habits by those in IT are making a hacker’s job much easier.

Despite nearly half of the over 1,300 IT pros surveyed stating that their companies are concerned about protecting either company or employee information, IT admins aren’t acting like it’s truly important.

According to the report, 51% reuse the same password across an average of five business and/or personal accounts. This means multiple privileged accounts within the organization use the same password, simplifying the hacker’s job of compromising additional credentials.

This data echoes LastPass's 2018 findings, where 50% of users used the same passwords for work and personal accounts.

This risky behavior on the part of IT admins has to make organizations wonder whether a proper security policy is in place to ensure users don't follow suit. According to the Ponemon report, 31% of organizations don't have a password policy in place. This only elevates the level of risk when considering cyberattacks focused on compromising credentials in order to gain a foothold and move laterally across the organization.

Whether a password policy is in place or not, organizations need to create a security culture where users are aware of how reusing passwords adds risk to the organization. Using Security Awareness Training, users can be taught why password uniqueness, complexity, and safeguarding are important, helping to move the organization towards a security culture.

How weak are your users' passwords?

Weak Password Test

KnowBe4's complimentary Weak Password Test (WPT) checks your Active Directory for several different types of weak-password-related threats.

WPT gives you a quick look at the effectiveness of your password policies and any failures so that you can take action. WPT tests against 10 types of weak-password-related threats, for example Weak, Duplicate, Empty, and Never Expires, plus 6 more.

Here's how Weak Password Test works:

  • Reports on the accounts that are affected
  • Tests against 10 types of weak-password-related threats
  • Does not show or report the actual passwords of accounts
  • Just download, install, and run it
  • Results in a few minutes!
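For admins who want to see what the attribute-level part of such an audit looks like, here is an added PowerShell example (it is not WPT's code and not from KnowBe4). It flags enabled accounts matching two of the threat types named above, Never Expires and Empty (via the PasswordNotRequired flag), plus stale passwords, and marks which are privileged. It assumes the RSAT ActiveDirectory module, a domain-joined session with read access to user objects, and a 180-day staleness threshold chosen here for illustration; Weak and Duplicate checks need password-hash auditing and are not covered.

```powershell
# Added example, not KnowBe4's WPT: list enabled AD accounts whose directory
# attributes indicate a weak-password condition. Only attributes are read;
# no password hashes are touched.
Import-Module ActiveDirectory

$staleDays = 180   # assumed threshold; align with your password policy
$cutoff    = (Get-Date).AddDays(-$staleDays)

$props = 'PasswordNeverExpires','PasswordNotRequired','PasswordLastSet',
         'Enabled','AdminCount'

$findings = Get-ADUser -Filter * -Properties $props |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        $issues = @()
        if ($_.PasswordNeverExpires) { $issues += 'NeverExpires' }
        # PasswordNotRequired (PASSWD_NOTREQD) lets the account hold an empty password
        if ($_.PasswordNotRequired)  { $issues += 'EmptyAllowed' }
        if (-not $_.PasswordLastSet) { $issues += 'NeverSet' }
        elseif ($_.PasswordLastSet -lt $cutoff) { $issues += "StaleOver${staleDays}d" }
        if ($issues.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Privileged     = ($_.AdminCount -eq 1)   # AdminSDHolder-protected
                Issues         = ($issues -join ',')
            }
        }
    }

# Privileged accounts first: a reused or never-expiring admin password is the
# lateral-movement risk the report describes.
$findings |
    Sort-Object -Property @{Expression='Privileged'; Descending=$true}, SamAccountName |
    Format-Table -AutoSize

$findings | Export-Csv -Path .\weak-password-attributes.csv -NoTypeInformation
```

Run it from an account that can read user objects; the CSV gives you a list to work through with the owners of the flagged accounts.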

This will take you 5 minutes and may give you some insights you never expected!
