Two thirds of companies don’t change passwords, survey shows

Cybersecurity, News

A new study revealed that many businesses are leaving themselves vulnerable to cyberattacks because employees don’t change their passwords. 

A study of 1,247 workplaces by cybersecurity experts, found that two-thirds of businesses (66%) leave themselves at risk of cyberattacks due to their lack of having (or enforcing) password rotation policies.

Of the companies that do have password rotation policies in place, 45% of employees confess that they didn’t know these policies actually existed.

A staggering 57% who did know about their company’s password protection policies revealed they do not adhere to them by regularly changing their password, and of those who do adhere, 63% will simply use the same passwords on rotation.

For the companies without password rotation policies, only 7% of employees bother to regularly rotate or change their passwords.

  • Two in three companies risk cyberattacks as a result of not having password rotation policies in place
  • 63% of employees admit to using the same passwords on rotation

The main reasons workers cited for not changing their passwords were: they are worried they will forget their password (57%), regularly changing passwords is annoying (48%) and they don’t see the point (45%). 

Surprisingly, the research also found that managers and C-suite staff were more likely to ignore password rotation policies (38%), with entry-level employees not far behind (34%).

The types of businesses leaving themselves most vulnerable to cyberattacks by not regularly rotating passwords are accountancy and finance (34%), construction (31%) and education (26%).

Says David Janssen, security researcher and founder at

“Password rotation is such a simple policy that both businesses and employees can put in place to safeguard and protect their work. Changing your password every 2-3 months is a really effective way to deter cyberattacks, and although yes, some may find it frustrating, it could save a lot of heartache down the line.

“It was shocking to see that so many workers didn’t realise what the point in regularly changing their password is, and it’s clear from our research that companies and employees alike need to be educated on the importance of implementing policies such as these.”


Chris Price
For latest tech stories go to