TL;DR: 451 Research found that 86% of enterprises expected to increase security budgets, while 93% were maintaining or increasing password management budgets and 76% had deployed or planned deployment because of work-from-home concerns. The data shows password controls are still being treated as a necessary response to hybrid work, but policy confidence, audit gaps, and risky user groups remain out of step with actual exposure.
At a glance
What this is: This is a Bitwarden summary of 451 Research findings showing that enterprise password management investment is rising, but policy, auditing, and user behaviour still leave meaningful exposure.
Why it matters: It matters because password governance remains a core control surface for human identity, third-party access, and downstream NHI and workflow risk in hybrid enterprises.
By the numbers:
- 86% of enterprises expected to increase their annual security budgets.
- 93% of enterprise respondents said they were maintaining or increasing their password management budgets.
- 56% of respondents said that password resets and password management make up between 20-60% of all helpdesk requests.
👉 Read Bitwarden's summary of 451 Research findings on enterprise password management
Context
Password management is still a governance problem, not just a user convenience issue. In hybrid enterprises, people hold multiple accounts across collaboration, finance, CRM, email, and supply chain systems, which expands the number of places where weak reuse or poor resets can turn into compromise. This article uses 451 Research survey data to show that organisations are funding the control, but not always closing the behaviour and audit gaps that make it effective.
The identity lesson is broader than passwords alone. When third parties, remote personnel, and internal staff all use the same account estate, the weakest human access pattern can become the easiest path into business systems and adjacent machine-driven workflows. That makes password governance part of IAM, not a standalone helpdesk issue.
Key questions
Q: How should organisations govern password risk across hybrid workforces?
A: Start with the accounts that create the highest exposure, especially third parties and remote personnel, then enforce reuse checks, stronger authentication, and tighter reset controls. Password governance works when it is tied to risk, visibility, and user experience. If teams only publish policy, the weakest users will still work around it.
Q: Why do password policies fail even when teams believe they are sufficient?
A: They fail when policy exists without evidence of enforcement. If organisations do not audit for reuse, strength, or exception handling, the control is more aspirational than operational. Confidence in policy can coexist with weak real-world behaviour, which is why measurement matters as much as the written standard.
Q: How can security teams tell whether password management is actually improving?
A: Look for fewer avoidable resets, stronger SSO coverage, and better compliance among the riskiest user groups. If helpdesk demand stays high and audit coverage remains low, the programme is still absorbing identity friction rather than reducing it. Improvement shows up in lower recovery volume and better control consistency.
Q: Who should get the strictest password controls first?
A: Third parties and remote personnel should usually be first in line because they combine higher access risk with weaker organisational visibility. Then extend the same discipline to any account that touches finance, supply chain, or other sensitive business systems. Risk-based prioritisation beats blanket rollout.
Technical breakdown
Why password policies fail without behavioural enforcement
Password policy is a written rule set, but actual protection depends on whether users follow it under real working pressure. The article highlights a common gap: many respondents believed policies were sufficient even while a large share did not audit for reuse or strength. That mismatch matters because reuse, predictable resets, and weak enforcement turn policy into an administrative statement rather than a control. In hybrid work, the number of accounts and the number of access contexts both rise, so policy has to be paired with visibility, enforcement, and user-friendly tooling.
Practical implication: treat password policy as a control that must be measured for compliance, not merely published.
Why SSO and MFA reduce risk but do not remove it
Single sign-on and multifactor authentication reduce credential sprawl, but they do not eliminate password dependence. The article shows that many organisations still have only partial SSO coverage, which means passwords remain active across a significant portion of the application estate. MFA also protects the authentication event, not the broader lifecycle problems around sharing, reuse, reset fatigue, and third-party access. In practice, SSO and MFA work best when they are part of a larger access architecture that also includes lifecycle governance and usage monitoring.
Practical implication: measure how much of the app estate still depends on passwords outside SSO and MFA coverage.
How helpdesk pressure signals weak identity hygiene
High volumes of password resets are often a symptom of brittle identity operations. When reset requests consume a large share of helpdesk traffic, it suggests users cannot reliably manage credentials, systems are too fragmented, or both. That creates security drag because the helpdesk becomes a recovery path for routine access issues and a potential exploitation point for social engineering. The operational problem is not simply cost. It is that excessive password recovery activity often reveals weak identity design, poor user experience, and inconsistent access standards across the enterprise.
Practical implication: use reset volume as a governance signal and review whether access design is forcing avoidable recovery events.
NHI Mgmt Group analysis
Password management is still a human identity governance problem disguised as a tool category. The article shows that organisations are funding password controls, yet audit gaps and user behaviour remain unresolved. The issue is not whether people have passwords. It is whether the enterprise can consistently govern reuse, reset behaviour, and risky access patterns across a fragmented application estate. Practitioners should treat password management as part of IAM lifecycle control, not as a standalone utility purchase.
Policy confidence is not the same as control effectiveness. A large share of respondents believed password policies were sufficient even while many did not audit for strength or reuse. That is a classic governance blind spot: the policy exists, but the evidence of enforcement does not. The practical conclusion is that security teams need observable control performance, not just written standards, especially when third parties and remote personnel are part of the access population.
High password-reset volume is a sign of identity process debt. When password resets consume a meaningful share of helpdesk demand, the enterprise is paying operational tax for weak identity design. That tax usually comes from too many accounts, inconsistent user experience, and recovery paths that are easier to abuse than to secure. The practitioner takeaway is to reduce the number of recoverable states before trying to optimise the helpdesk.
Hybrid access expands the blast radius of poor password governance across humans and machines. Once people authenticate into finance, CRM, collaboration, and supply-chain systems from dispersed locations, any weak credential practice can become the starting point for broader lateral movement. The same account estate often feeds downstream automation and shared services, so human password hygiene indirectly shapes NHI risk as well. Security teams should therefore align password governance with the full access chain, not just the login screen.
From our research:
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control.
- That fragmentation is why Ultimate Guide to NHIs , Lifecycle Processes for Managing NHIs remains relevant when password and secrets governance start to overlap.
What this signals
Password governance will keep expanding into adjacent identity surfaces. As more access is mediated through SSO, MFA, and shared application estates, teams will need to treat password hygiene as one input into a wider identity control model. The next step is to connect access reviews, recovery flows, and third-party governance so the programme measures behaviour instead of assuming it.
A useful planning signal is the gap between control deployment and actual user practice. When a programme can report policy, but not reuse enforcement or application coverage, it has not yet earned confidence in its own password controls.
The longer-term shift is toward consolidating access paths and reducing recoverable credential states. That is where password management starts to converge with broader IAM and lifecycle governance, including the controls described in The 52 NHI breaches Report.
For practitioners
- Audit password reuse and strength enforcement Review whether password policies are actually enforced across high-risk applications and third-party accounts. If you are not checking reuse, strength, and exceptions, you are measuring policy intent rather than control performance.
- Map SSO coverage against the full application estate Identify what percentage of business applications still depend on direct passwords outside SSO coverage, then prioritise the highest-risk apps first. Partial SSO coverage leaves the longest-lived credential paths in place.
- Reduce password reset dependency in helpdesk operations Treat reset volume as a signal of identity friction and simplify the flows that drive avoidable recovery requests. Excessive resets often indicate poor user experience, inconsistent controls, or both.
- Prioritise risky user groups for stronger controls Apply the most stringent password and access controls to third parties and remote personnel first, because they are consistently identified as higher risk. Make the control model commensurate with exposure, not organisational convenience.
Key takeaways
- Enterprise password management is being funded, but funding alone does not close the gap between policy intent and real user behaviour.
- Hybrid work increases the number of accounts and recovery paths that must be governed, which makes visibility and enforcement more important than policy statements.
- The practical answer is to focus on risky users, SSO coverage, and reset volume as control signals rather than treating password tools as a standalone fix.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Password and access governance map directly to identity and authentication management. |
| NIST SP 800-63 | The article concerns enterprise authentication and federated access practices. | |
| NIST Zero Trust (SP 800-207) | PR.AC-4 | Partial SSO and risky access groups are zero trust access problems. |
Verify authentication controls and password policies are enforced across all high-risk accounts.
Key terms
- Password Management: Password management is the set of controls, tools, and operating practices used to create, store, share, reset, and monitor credentials across an organisation. In enterprise identity programmes, it is only effective when policy, user experience, and enforcement work together across high-risk accounts.
- Single Sign-On: Single sign-on is an authentication pattern that lets a user access multiple applications after one successful login. It reduces password sprawl and login friction, but it does not remove the need to govern the remaining non-SSO applications, recovery processes, and privileged access paths.
- Password Reuse: Password reuse occurs when the same or similar credential is used across more than one account or service. It materially increases the chance that one compromised login can be leveraged elsewhere, which is why audit, enforcement, and user behaviour monitoring matter as much as policy language.
What's in the full report
Bitwarden's full article covers the operational detail this post intentionally leaves for the source:
- Survey methodology and the respondent mix across the United States, United Kingdom, Japan, and Australia
- Breakdowns of why security decision makers prioritised password managers, including anti-fraud and credential-theft prevention
- Detailed results on SSO coverage, MFA familiarity, and helpdesk burden from password resets
- Deployment preference patterns for personal and business password management use cases
👉 Bitwarden's full article includes the survey breakdown, adoption patterns, and helpdesk impact data.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
Published by the NHIMG editorial team on 2025-12-18.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org