TL;DR: Duke University tripled enrollment after migrating to a new password manager, while security teams still found groups sharing vaults, mixing personal and work accounts, and bypassing consistent password hygiene, according to 1Password. The lesson is that password security improves only when usability and governance are aligned, not when tools exist in name only.
At a glance
What this is: This is a case study about Duke University’s password manager migration, showing that adoption rose sharply when the user experience and operational rollout improved.
Why it matters: It matters because human identity programmes still fail when controls are hard to use, and the same adoption problem can undermine shared access, credential hygiene, and lifecycle governance across NHI and IAM environments.
👉 Read 1Password's case study on Duke University’s password manager migration
Context
Password management is only effective when people actually use the tool the way the programme expects. In this Duke University case, the governance problem was not the absence of a password manager, but inconsistent adoption, shared vault use, and personal accounts being mixed with work activity across a large human identity population.
That creates a familiar IAM failure mode. When security controls depend on user habit, the programme inherits variability from every team, device, and workflow. The result is uneven password hygiene, weak separation of accounts, and limited assurance that access is being created and stored in a controlled way.
Key questions
Q: How should organisations improve password manager adoption in large environments?
A: Focus on workflow fit, onboarding support, and platform consistency. Adoption improves when users can generate, store, and share credentials without friction across the devices they already use. The control should be measured by active use and behavioural change, not by software installation alone.
Q: What goes wrong when teams share a single password vault informally?
A: Informal shared vaults weaken accountability because ownership becomes unclear and access is hard to audit. They also make offboarding and incident review more difficult, since it is not obvious who created, used, or retained each secret. The fix is explicit ownership and defined membership.
Q: Why does user experience matter in credential governance?
A: User experience matters because people work around controls that are slow or awkward. If the approved workflow is harder than storing secrets personally, users will drift to unsafe habits. A secure programme has to make the governed path the easiest path.
Q: How can identity teams tell whether password controls are actually working?
A: Look for reduced password reuse, higher managed-account adoption, fewer shared-vault exceptions, and clearer separation between personal and organisational credentials. If those signals do not move, the programme may exist on paper without changing behaviour.
Technical breakdown
Why password manager adoption fails in large identity estates
Password managers reduce credential reuse by generating and storing unique secrets, but their security value depends on consistent behavioural adoption. In large institutions, users often default back to personal storage, browser prompts, or shared accounts when the workflow feels cumbersome. That creates a governance gap between policy intent and actual practice. The technical issue is not the vault itself. It is whether the identity process is embedded into daily work across devices, teams, and operating systems. Without that consistency, the organisation gets partial protection and a false sense of control.
Practical implication: measure real usage patterns, not licence deployment, before claiming password governance is working.
Shared vaults and mixed accounts undermine access separation
A shared vault can support collaboration, but only when ownership, scope, and membership are tightly defined. When multiple groups log into the same account or mix personal and organisational data, the environment loses audit clarity and accountability. That makes it harder to prove who created a secret, who used it, and whether the credential belongs to a person, a team, or an operational function. In identity terms, the organisation is collapsing multiple trust boundaries into one place. That is a governance failure, not just a hygiene issue.
Practical implication: separate shared access from personal use and require clear ownership for every vault and credential.
Cross-platform consistency is part of password security
Password security programmes often fail when they assume one device model or one user experience. Duke’s mixed Mac, Windows, and Linux environment shows why cross-platform support matters operationally. If the experience differs by platform, adoption fractures and users find workarounds. That introduces risk through unmanaged storage, manual copying, and informal sharing. Strong UX is not a cosmetic layer here. It is a control surface that determines whether the organisation can standardise password generation, storage, and reuse prevention across the estate.
Practical implication: test the control on every major endpoint type before rolling it out at scale.
NHI Mgmt Group analysis
Password governance fails when the control is easier to bypass than to use. Duke’s experience shows that a password manager can exist without producing meaningful security if users continue to store secrets in personal accounts or share vaults informally. That is not a tooling problem alone. It is a governance design problem in which the programme assumes adoption will happen automatically. The implication is that identity teams must treat usability as a control dependency, not an afterthought.
Shared credentials create accountability collapse, even in well-run institutions. When at least five groups are logging into the same account and using one vault, the organisation loses a clean chain of ownership. That weakens auditability, incident investigation, and offboarding discipline because access cannot be tied cleanly to a single identity or team. The implication is that shared access needs explicit governance, not informal convenience.
Human IAM controls only work when the operating environment is standardised enough to support them. Duke’s multi-platform user base shows why password programmes fail when they are designed for one device pattern but deployed across many. If the tool behaves differently on Mac, Windows, and Linux, users will drift toward the path of least friction. The implication is that security architecture has to account for actual workflow diversity, not idealised user behaviour.
Adoption metrics are the real security metric for credential hygiene programmes. The report’s enrollment growth matters because it indicates that people actually moved into the managed workflow rather than merely being assigned a product. That distinction separates paper compliance from operational control. The implication is that programme owners should track usage, shared-vault reduction, and account separation as core governance outcomes.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means credential governance failures often persist unnoticed across the identity estate.
- For a deeper view of how lifecycle gaps drive exposure, see NHI Lifecycle Management Guide for lifecycle controls that reduce secret sprawl and offboarding drift.
What this signals
Password manager adoption is a governance signal, not a software metric. When users keep bypassing the managed workflow, the real risk is not password complexity, but the organisation’s inability to convert policy into repeatable behaviour. That is why identity teams should watch adoption, vault separation, and account hygiene together rather than treating them as separate workstreams.
The larger signal is that user experience now functions as a control boundary in human IAM. If the control is not easy enough to sustain across mixed platforms and local team habits, it will be bypassed even when it is formally approved.
For practitioners, the next step is to connect usability testing with lifecycle governance. Password management, access review, and offboarding all become stronger when the system gives users a clear, standard path and removes incentives to improvise.
For practitioners
- Measure adoption, not just deployment: Track active use, vault participation, and migration completion by team so the programme reflects real credential handling rather than licence counts.
- Eliminate informal shared-account patterns: Require each team vault to have named ownership, defined membership, and a clear purpose so shared access does not blur accountability.
- Test the workflow across every endpoint class: Validate the password manager experience on Mac, Windows, and Linux before scale-up so platform friction does not drive shadow workarounds.
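The signals listed under "How can identity teams tell whether password controls are actually working?" and the three practitioner actions above can be computed from a password manager's admin export. The script below is an added example, not code from 1Password or from the original post: it assumes a generic export with per-user last-activity dates, vault ownership and membership, and stored-item usernames (the field names `user`, `team`, `owner`, `members`, `username` are assumptions), and all sample data in it is constructed. It reports active-use rate per team (enrolment alone does not count), vaults that lack a named owner or whose membership spans several teams, and items whose login address is outside the organisation's domains.

```python
"""Vault-audit metrics for a password-manager rollout (added example).

Assumptions: a generic admin export with the fields below; an
organisational email domain set; a 14-day window for "active use".
All sample data is constructed for illustration.
"""
from collections import defaultdict
from datetime import date

AUDIT_DATE = date(2025, 8, 1)   # constructed: the day the audit is run
ORG_DOMAINS = {"example.edu"}   # assumption: organisational email domains
ACTIVE_WINDOW_DAYS = 14         # assumption: what counts as "active use"

# Constructed directory export: which team each enrolled user belongs to
USERS = [
    {"user": "alice", "team": "Library"},
    {"user": "bob", "team": "Library"},
    {"user": "carol", "team": "IT"},
    {"user": "dave", "team": "IT"},
    {"user": "erin", "team": "Finance"},
]

# Constructed client activity: last date each user actually used the
# password manager (None = licence assigned, never active)
LAST_ACTIVE = {
    "alice": date(2025, 7, 28),
    "bob": None,
    "carol": date(2025, 7, 30),
    "dave": date(2025, 7, 1),
    "erin": date(2025, 7, 29),
}

# Constructed vault export: ownership and membership
VAULTS = [
    {"vault": "Library-Shared", "owner": "alice", "members": ["alice", "bob"]},
    {"vault": "Legacy-Admin", "owner": None, "members": ["bob", "carol", "erin"]},
    {"vault": "IT-Ops", "owner": "carol", "members": ["carol", "dave"]},
]

# Constructed item export: the login identity stored with each item
ITEMS = [
    {"vault": "Library-Shared", "title": "catalog-admin", "username": "alice@example.edu"},
    {"vault": "Library-Shared", "title": "streaming", "username": "bob.personal@webmail.example"},
    {"vault": "IT-Ops", "title": "ticketing", "username": "carol@example.edu"},
]


def adoption_by_team(users, last_active, today, window_days=ACTIVE_WINDOW_DAYS):
    """Active-use rate per team: fraction of enrolled members who used the
    client within the window. Deployment without activity counts as zero."""
    totals, active = defaultdict(int), defaultdict(int)
    for u in users:
        totals[u["team"]] += 1
        seen = last_active.get(u["user"])
        if seen is not None and (today - seen).days <= window_days:
            active[u["team"]] += 1
    return {team: active[team] / totals[team] for team in totals}


def shared_vault_exceptions(vaults, users):
    """Vaults with no named owner, or whose members come from more than one
    team: the informal shared-account pattern the text describes."""
    team_of = {u["user"]: u["team"] for u in users}
    findings = []
    for v in vaults:
        teams = {team_of.get(m, "unknown") for m in v["members"]}
        reasons = []
        if not v["owner"]:
            reasons.append("no named owner")
        if len(teams) > 1:
            reasons.append("members span teams " + ", ".join(sorted(teams)))
        if reasons:
            findings.append((v["vault"], reasons))
    return findings


def mixed_account_items(items, org_domains=ORG_DOMAINS):
    """Items in work vaults whose login address is not an organisational
    domain: personal and work credentials being mixed in one place."""
    out = []
    for it in items:
        domain = it["username"].rsplit("@", 1)[-1].lower()
        if domain not in org_domains:
            out.append((it["vault"], it["title"], domain))
    return out


if __name__ == "__main__":
    for team, rate in sorted(adoption_by_team(USERS, LAST_ACTIVE, AUDIT_DATE).items()):
        print(f"{team}: {rate:.0%} active in last {ACTIVE_WINDOW_DAYS} days")
    for vault, reasons in shared_vault_exceptions(VAULTS, USERS):
        print(f"shared-vault exception: {vault}: {'; '.join(reasons)}")
    for vault, title, domain in mixed_account_items(ITEMS):
        print(f"non-organisational login in {vault}/{title}: @{domain}")
```

Run against the constructed data, the report shows two teams at 50% active use despite 100% licence assignment, one ownerless vault shared across three teams, and one personal login stored in a work vault. Tracking these three numbers over time, per team, is what separates an adoption trend from a deployment count.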
Key takeaways
- Duke’s experience shows that a password manager only improves security when adoption is high and workflows are consistent across the organisation.
- Shared vaults and mixed personal-work usage weaken auditability, accountability, and offboarding quality, even when a managed tool is in place.
- The practical control is not just deployment but behavioural compliance, because password governance fails when users can easily route around it.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | Password workflow adoption affects authentication and access control outcomes. |
| NIST SP 800-63 | | Human authentication practice depends on usable, consistent credential handling. |
| NIST Zero Trust (SP 800-207) | | Password hygiene supports least-privilege and continuous verification goals. |
Map password manager rollout to access-control outcomes and verify users follow the governed workflow.
Key terms
- Password Manager Adoption: The degree to which people actually use an approved password management tool in their daily work. Adoption matters because security value comes from consistent behaviour, not from licence assignment. If users keep storing credentials elsewhere, the organisation still carries reuse, sharing, and recovery risk.
- Shared Vault: A shared vault is a controlled repository used by multiple people or teams to store credentials, secrets, or access material. It can support collaboration, but it also creates accountability risk if ownership, membership, and purpose are not clearly defined and reviewed.
- Credential Hygiene: Credential hygiene is the discipline of creating, storing, using, and separating passwords and secrets in a controlled way. It includes avoiding reuse, keeping work and personal accounts separate, and making the governed path easy enough that people do not work around it.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or programme maturity, it is worth exploring.
This post draws on content published by 1Password: Duke University's password manager migration and adoption story. Read the original.
Published by the NHIMG editorial team on 2025-08-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org