50 per cent of users, including employees, are still using simple passwords that can be easily guessed, according to Trustwave's global security report.
It claims "password1" is the most common choice for users.
As for why this is the case, Trustwave managing consultant, Marc Bown, said it comes down to education.
"Everyone in IT security has talked about education about passwords," he said.
"However, the feedback has been that even if someone is told to have a good password a hundred times, they still won't do it."
The problem is that only telling people to have a good password is not enough.
"They have to be told why they need to have a good password, because most users don't understand," Bown said.
The majority of users do not think passwords are a "big deal" and do not look at the "big picture to make a risk assessment" on how important their password is.
Thus, Bown said the key is to educate them on why they need a good password, as well as how to get one.
"Most people complain about changing their password and not being able to remember it, because it needs to be a stupid combination of numbers and letters," he said.
"What we know as an industry is that it doesn't need to be a stupid combination of numbers and letters, as that does not really slow down an attacker much."
Instead, it is really about the length of the password, so Bown said the most important thing a user can do is to pick a longer password.
"Teaching users how to pick a longer password and how to remember it, such as a sentence, is a thing that we can do," he said.
Another thing that has become relevant with passwords in the last year is password re-use.
With the proliferation of online services, Bown said most users will use the same password everywhere, such as their login for work, for blogs or social networks.
"As more and more sites become compromised, there are massive username and password lists that are sourced from those compromises and available on the Internet," he said.
For that reason, Bown said, it is important that people do not use the same password on services that could be compromised, since a breach of one service would disclose the password used on the others.
"People are looking at those password lists and using them to crack into other services to target individuals," he said.
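The two points above, that length matters more than character mix and that a password seen in a leaked list is no longer safe anywhere, can be checked mechanically. The following is an added example, not code from the article or from Trustwave's report: it estimates a password's brute-force search space as length times log2 of the character classes used, and applies a length-first policy that also rejects anything found in a breach list. The guess rate, the 14-character threshold and the small breach list are constructed assumptions for the demonstration.

```python
"""Added example (not from the article or the Trustwave report): estimate the
brute-force search space of a password from its length and character classes,
and apply a length-first policy that also rejects passwords seen in a breach list.
The guess rate and the breach list below are constructed assumptions."""
import math
import string

# Character-class sizes for printable ASCII: 26 + 26 + 10 + 33 = 95
# (the 33 is punctuation plus the space character).
_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
)

# Constructed stand-in for a leaked credential dump; the article names
# "password1" as the most common user choice.
BREACHED = {"password1", "123456", "qwerty", "letmein"}

MIN_LENGTH = 14                    # policy threshold chosen for this example
ASSUMED_GUESSES_PER_SECOND = 1e10  # assumed offline cracking rate (constructed)


def charset_size(password):
    """Sum of the sizes of the character classes actually present in the password."""
    return sum(size for chars, size in _CLASSES if any(c in chars for c in password))


def keyspace_bits(password):
    """log2 of the candidates an attacker who knows the length and classes must
    try: length * log2(charset). Length is the multiplier, which is why a long
    lowercase sentence outscores a short password with every class mixed in."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case years needed to try the whole space at the assumed rate."""
    return 2 ** keyspace_bits(password) / rate / (365 * 24 * 3600)


def check_policy(password, breached=BREACHED):
    """Return the list of policy failures; an empty list means accepted.
    A real deployment would compare hashes against a much larger list rather
    than hold plaintext, but the comparison logic is the same."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in breached:
        failures.append("appears in a known breach list")
    return failures


if __name__ == "__main__":
    for pw in ("password1", "P@ssw0rd", "my dog eats breakfast at six"):
        print("%-32r %6.1f bits %10.3g years  %s" % (
            pw, keyspace_bits(pw), years_to_exhaust(pw), check_policy(pw) or "OK"))
```

Running the block shows the article's point in numbers: the eight-character "P@ssw0rd" uses all four classes yet sits near 53 bits, while the 28-character lowercase sentence exceeds 160 bits despite using only letters and spaces, and "password1" fails both the length rule and the breach-list check.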
Other key findings in the report included an average of 210 days elapsing between a security compromise and its detection.
"It's a really long time and an attacker can do a lot in that period, because they're not being detected," Bown said.