TL;DR: Weak, reused, and shared passwords still account for more than 80% of breaches, and the article argues that partial password manager deployment leaves credentials unmanaged across browsers, spreadsheets, shadow IT, and offboarding gaps, according to Bitwarden. Full coverage matters because credentials remain the control plane for everything else.
At a glance
What this is: This is a Bitwarden analysis arguing that partial password manager deployment leaves the workforce credential layer exposed and undermines other security controls.
Why it matters: It matters because IAM, PAM, and security teams cannot treat SSO, endpoint protection, or cloud controls as complete if credentials are still stored and shared outside managed workflows.
By the numbers:
- Weak, reused, and shared passwords account for more than 80% of breaches.
- Between 34% and 66% of business applications aren’t covered by SSO.
👉 Read Bitwarden's analysis of full password manager deployment and credential coverage
Context
Password manager deployment is not just an end-user convenience issue. It is an identity governance issue because the organisation can have strong perimeter controls and still fail at the point where users create, store, and share credentials. When passwords live in browsers, spreadsheets, chat threads, or sticky notes, IAM loses visibility into the credential layer that every other security control depends on.
The article frames partial rollout as a structural blind spot for NHI and human identity governance alike. SSO reduces the number of passwords users type, but it does not cover the full application estate, and unmanaged credentials can outlive onboarding, offboarding, and certification processes. That makes password coverage a programme design question, not a tooling preference.
Key questions
Q: How should security teams handle password management when SSO is already in place?
A: They should treat SSO and password management as complementary controls. SSO covers federated applications, but many business apps still require direct credentials. A password manager governs that long tail by generating unique secrets, centralising storage, and improving revocation when users change roles or leave.
Q: Why do unmanaged passwords still create risk in mature IAM programmes?
A: Because password risk is not eliminated by other controls if users still store or reuse credentials outside managed workflows. Browsers, spreadsheets, and shared notes create hidden copies of access secrets, which weakens auditability and makes offboarding incomplete.
Q: What breaks when password manager deployment is only partial?
A: Visibility breaks first, then revocation and compliance follow. Partial deployment creates mixed practices across teams, so security leaders cannot tell where credentials live or whether former users still have access. That leaves audit trails incomplete and increases the chance of shadow IT.
Q: What should teams do before deciding that SSO coverage is enough?
A: They should map the applications that sit outside SSO and quantify how many credentials still depend on local logons. If a meaningful share of the estate bypasses federation, password management remains necessary for governance, offboarding, and secure sharing.
Technical breakdown
Why partial password manager rollout creates credential sprawl
Password managers centralise credential generation, storage, and sharing, but only if deployment reaches the full user population. When rollout is partial, employees keep fallback habits such as browser storage, local notes, and informal sharing, which reintroduce weak and reused passwords into the environment. The result is credential sprawl: multiple unmanaged copies of the same access secret spread across endpoints and collaboration tools. That weakens auditability, increases the chance of reuse, and makes revocation less reliable because IT no longer has a complete inventory of where credentials live.
Practical implication: treat incomplete deployment as a control failure, not a pilot phase, and measure unmanaged credential locations as a governance metric.
Why SSO does not remove the need for password management
SSO reduces password exposure for federated applications, but many business applications still sit outside that boundary. The article cites a long tail of non-SSO apps, which means users will continue to authenticate directly in many places. That creates a mixed authentication estate in which some access flows are centrally governed and others are not. Password management fills that gap by securing direct-logon applications, supporting unique credential generation, and maintaining coverage where federation is unavailable or impractical. In other words, SSO improves access convenience, but password management still governs the credential reality.
Practical implication: map which applications bypass SSO and make password manager coverage a requirement for those non-federated systems.
How offboarding breaks when credentials are not centrally managed
Offboarding depends on knowing where credentials exist and who can still use them. If passwords are stored informally or shared outside sanctioned workflows, access revocation becomes partial and delayed. Former employees, contractors, or temporary staff may retain live credentials even after HR and IT believe access has ended. Centralised password management improves de-provisioning because the organisation can remove stored access, rotate shared secrets, and cut off access paths in a single workflow. Without that central record, offboarding becomes a search problem instead of a control process.
Practical implication: integrate password vault de-provisioning with leaver workflows so access removal is tied to identity lifecycle events.
NHI Mgmt Group analysis
Partial password manager deployment creates credential governance debt: The article’s central point is that a password programme only works when it covers the whole workforce, not a subset of enthusiastic users. Partial adoption leaves unmanaged credentials in browsers, notes, and shadow workflows, which means the organisation carries hidden access state it cannot reliably audit or revoke. The practitioner implication is that credential management must be treated as a universal control surface, not an optional productivity tool.
SSO coverage is not the same as credential coverage: The article highlights the structural gap between federated applications and the long tail of direct-logon systems. That distinction matters because an IAM programme can look mature on paper while leaving a large fraction of applications outside central governance. The implication is that teams should measure credential control by application coverage, not by whether SSO has been deployed.
Offboarding is only as strong as credential inventory: When credentials are scattered across user-managed locations, leaver processes cannot guarantee access removal. This is a lifecycle governance problem, not just an IT hygiene issue, because the failure is in the organisation’s ability to account for every active secret. The implication is that access governance for humans still depends on reliable credential centralisation.
Credential management is the control that makes other security investments effective: Endpoint security, cloud security, threat detection, and email filtering all assume that the credential layer is governed. If passwords remain weak, reused, and shared, those controls operate against a compromised identity substrate. The implication is that identity teams should position password management as a foundational control in the broader IAM and security architecture, not as an isolated utility.
From our research:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, and 77% of those incidents resulted in tangible damage, according to our Ultimate Guide to NHIs.
- For a broader governance view, The State of Non-Human Identity Security shows that only 1.5 out of 10 organisations are highly confident in securing NHIs.
What this signals
Partial password manager deployment is a governance problem because it leaves identity evidence scattered across user-controlled storage. In practice, that means the next audit, offboarding event, or access dispute may rely on incomplete records rather than a controlled credential inventory.
Credential coverage debt: this is the gap between the passwords an organisation believes it governs and the passwords users actually manage themselves. Once that gap exists, IAM teams inherit hidden risk across the whole application estate, including systems outside SSO and credentials living in unmanaged channels.
The broader signal is that identity teams should stop measuring success by licence purchase counts and start measuring it by enforced coverage. A strong deployment model, paired with lifecycle-linked revocation, is what turns password management from a convenience layer into a control boundary.
For practitioners
- Measure unmanaged credential coverage across the workforce Inventory where employees still store or share passwords outside the sanctioned password manager, including browsers, spreadsheets, chat, and local notes. Use the result as a deployment KPI and target the highest-risk groups first. Suggested anchor: unmanaged credential coverage.
- Extend password manager rollout to every application path Identify business applications that do not support SSO and require password manager enrollment for those direct-logon systems. Prioritise applications with customer data, finance functions, admin access, and shared team accounts.
- Tie offboarding to credential revocation workflows Connect leaver events to vault de-provisioning, shared secret rotation, and access removal so former staff do not retain live credentials after employment ends. Test the process for contractors and temporary workers as well as full-time employees.
- Eliminate shared logins from informal channels Move team credentials out of email, chat threads, and ad hoc spreadsheets into centrally managed sharing controls with audit trails. This reduces blind spots and gives IAM teams a durable record of who can reach each account.
Key takeaways
- Partial password manager rollout leaves the most important security layer, credentials, partially governed and therefore partially trusted.
- The article shows that SSO alone does not cover the full application estate, so direct-logon applications still need managed credential controls.
- Offboarding, auditability, and breach reduction all improve when password management is deployed as a universal identity control rather than a selective tool.
Key terms
- Credential Coverage: Credential coverage is the share of user-facing applications and accounts that are managed through a sanctioned control such as a password manager or federated login. High coverage means fewer hidden credentials, stronger auditability, and cleaner revocation during offboarding or access review cycles.
- Credential Sprawl: Credential sprawl is the uncontrolled spread of passwords and shared secrets across browsers, notes, spreadsheets, chat tools, and other user-managed locations. It reduces visibility, weakens revocation, and creates multiple copies of the same access path outside identity governance.
- Offboarding Revocation: Offboarding revocation is the process of removing a departing user’s access and invalidating any stored credentials they can still use. In mature identity programmes, it includes vault de-provisioning, secret rotation, and confirmation that no informal credential copies remain active.
- SSO Gap: An SSO gap is any application or workflow that still requires direct credentials even though the organisation has deployed single sign-on elsewhere. These gaps matter because they create unmanaged access paths that must still be governed, audited, and revoked.
What's in the full article
Bitwarden's full article covers the operational detail this post intentionally leaves for the source:
- Deployment guidance for rolling password manager coverage across all employees, not just high-risk teams
- Examples of how to reduce unmanaged logins stored in browsers and informal collaboration tools
- Offboarding workflow detail for removing access and rotating shared credentials after leaver events
- Practical coverage guidance for applications that do not support SSO
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing an IAM programme, it is worth exploring.
Published by the NHIMG editorial team on 2025-10-07.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org