By NHI Mgmt Group Editorial TeamPublished 2026-01-26Domain: Governance & RiskSource: Bitwarden

TL;DR: Password managers are now used by 86% of organisations, yet 53% still rely on computer documents and 29% on pen and paper, while 92% of respondents continue reusing passwords across multiple sites, according to Bitwarden’s 2022 Password Decisions Survey of 400+ IT decision makers. Convenience has improved, but credential hygiene remains structurally weak.


At a glance

What this is: This survey shows password managers and 2FA have gone mainstream, but unsafe password handling and reuse remain widespread.

Why it matters: It matters because weak password practices still feed human identity risk, drive account compromise, and expose gaps in broader IAM and lifecycle governance.

By the numbers:

👉 Read Bitwarden's survey on password managers, 2FA, and password practices


Context

Password managers reduce the burden of remembering and sharing credentials, but they do not fix the underlying governance problem: people still choose convenience shortcuts when identity controls are fragmented. In human IAM terms, that leaves passwords, second factors, and sharing habits exposed to the same operational pressure that makes reuse and informal transfer persistent risks.

This survey is less about password manager adoption than about the gap between tooling and behaviour. The signal for IAM and security teams is clear: standardising a password manager helps, but credential governance still fails when employees rely on files, paper, chat, and email to move sensitive access around.


Key questions

Q: How should organisations reduce password reuse without creating user workarounds?

A: Organisations should combine a mandatory password manager, breached-password checks, and policy enforcement that blocks reuse at creation and reset time. The key is to make the secure path easier than copying passwords into files or reusing them across systems. If users can bypass the process, reuse will persist as a shadow control problem.

Q: Why do shared passwords remain a governance problem even when teams have a password manager?

A: Shared passwords remain a governance problem because a password manager stores secrets, but it does not by itself assign ownership, approval, or offboarding accountability. Once a credential is passed through email, chat, or conversation, the audit trail is weakened and lifecycle control breaks down. Ownership must be explicit for each credential and each access path.

Q: What do security teams get wrong about two-factor authentication adoption?

A: Teams often treat 2FA as a one-time rollout instead of an operational control that needs coverage, exception handling, and support. If the control feels too slow or too hard, users look for bypasses or inconsistent use. Adoption improves when the rollout is managed as a programme with reporting, not just a technical setting.

Q: How can IAM teams tell whether password governance is actually working?

A: Password governance is working when password reuse drops, credential sharing through informal channels disappears, and users stop creating ad hoc storage outside approved tools. Strong indicators include consistent manager adoption, fewer exceptions, and clear ownership for every credential in scope. If side channels still exist, the programme is not yet under control.


Technical breakdown

Why password managers reduce, but do not remove, credential risk

A password manager centralises storage, generates stronger secrets, and lowers the chance that users create their own insecure workarounds. But the control only works when adoption is broad and when sharing, recovery, and policy enforcement are designed into the operating model. If teams still export passwords to documents or circulate them through email, the manager becomes one layer in a fragmented credential workflow rather than the system of record. That is why password manager rollout is an IAM programme issue, not just a productivity tool decision.

Practical implication: treat password manager adoption as a governance standard with enforced usage, not an optional utility.

Password reuse and shared credentials create account-compromise paths

Password reuse remains a classic failure mode because one compromised credential can unlock multiple services. In practice, attackers exploit credential stuffing, phishing, and downstream reuse to move from a single stolen password to broader account access. Shared credentials make that worse because accountability disappears and offboarding becomes unclear. For identity teams, the risk is not just poor hygiene, but the absence of traceable ownership for access decisions and the inability to prove which account was used by whom and when.

Practical implication: eliminate shared credentials for sensitive workflows and map every account to a named owner and lifecycle process.

2FA helps, but user resistance still shapes the control boundary

Two-factor authentication raises the effort required for compromise, yet adoption and usability matter because controls that feel slow or hard to implement are often bypassed. The article’s numbers show that enterprises can standardise 2FA internally while still leaving gaps in user adoption and policy consistency. In IAM terms, this is a reminder that authentication strength and operational friction must be managed together. A control that is technically sound but inconsistently deployed does not materially change the attack surface.

Practical implication: pair 2FA mandates with rollout support, exception handling, and policy enforcement across all high-risk accounts.


Threat narrative

Attacker objective: The attacker aims to turn a single credential weakness into broader account compromise and operational disruption.

  1. Entry occurs when attackers obtain reused or phished passwords that grant access to multiple sites or services.
  2. Escalation follows when shared credentials, email-based password transfer, or weak secondary controls allow the compromise to spread into broader account access.
  3. Impact is account takeover, unauthorised access, and in some cases ransomware or wider organisational breach exposure.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Password manager adoption is a governance milestone, not a risk endpoint. The survey shows organisations have normalised password managers, but normalisation does not equal control maturity. When people still move credentials through documents, paper, chat, and email, the programme has standardised storage without standardising behaviour. The practitioner conclusion is that password governance must be measured by the elimination of side channels, not by licence adoption alone.

Shared credentials are a lifecycle failure disguised as convenience. Password sharing through email and chat removes accountable ownership from the access record and makes offboarding unreliable. That failure mode matters because identity governance depends on knowing who holds access, who approved it, and when it should end. The practitioner conclusion is that lifecycle control is incomplete until every credential exchange is traceable and owner-bound.

2FA adoption proves that authentication controls can scale when the operating model is clear. The survey shows 2FA is mainstream in the workplace, which means resistance is less about technical impossibility and more about inconsistent enforcement and poor rollout design. The practitioner conclusion is that strong authentication succeeds when IAM teams treat adoption as a managed programme, not a user preference.

Credential reuse is the clearest sign that human identity controls still depend on individual judgment. If 92% of respondents continue reusing passwords across multiple sites, then the programme is still relying on personal discipline where systemic enforcement should exist. The practitioner conclusion is that password policy, vaulting, and authentication standards need to converge into one enforceable identity baseline.

Credential handling remains the weakest bridge between human IAM and broader NHI governance. The same organisational habits that allow password reuse and informal sharing also show up in API keys, service credentials, and other secrets when ownership is unclear. The practitioner conclusion is that identity governance should be designed as a single lifecycle discipline across human, machine, and privileged access.

From our research:

  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to the State of Non-Human Identity Security.
  • A separate finding from the same research shows that lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations.
  • For broader lifecycle context, NHI Lifecycle Management Guide helps teams connect credential ownership, rotation, and offboarding to day-to-day governance.

What this signals

Credential governance is becoming the connective tissue between human IAM and NHI control design. The same organisations that still tolerate password reuse and informal sharing will struggle to prove ownership and lifecycle discipline for API keys, tokens, and service accounts. With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, according to the State of Non-Human Identity Security, the programme issue is no longer isolated authentication hygiene. It is a cross-identity control model that still cannot see all of its secrets.

Password manager adoption should be read as an early indicator, not a finish line. Once a control is widely adopted, the next question is whether the organisation can suppress informal transfer paths and enforce ownership consistently across the identity lifecycle. That is where the gap emerges between policy intent and operational reality.

Identity teams should expect the governance conversation to move from password tools to lifecycle evidence. The more mature question is not whether a team uses a vault, but whether it can prove who owns a secret, who can share it, and how that access is removed when roles change.


For practitioners

  • Standardise one approved password manager and enforce it Make the enterprise password manager the default for all staff, disable approved shadow alternatives, and tie exception handling to security review so adoption does not fragment by team or geography.
  • Remove credential sharing through email and chat Replace informal sharing with controlled secret delivery, require named ownership for every credential, and audit for document-based or conversational transfers that bypass the system of record.
  • Eliminate password reuse with policy-backed controls Use breached-password detection, vault-generated unique secrets, and authentication policy enforcement to prevent reuse across business applications and external services.
  • Treat 2FA rollout as an operating-model change Pair mandatory 2FA with user support, exception governance, and coverage reporting so the control is consistently enforced across privileged and high-risk accounts.

Key takeaways

  • Password managers are now mainstream, but insecure sharing and password reuse still undermine the control.
  • The survey shows adoption has outpaced governance, with many teams still relying on files, paper, chat, and email to handle credentials.
  • IAM teams should measure success by the elimination of side channels, explicit ownership, and enforced unique secrets, not just by tool rollout.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.AC-1Password reuse and sharing are access control weaknesses covered by identity governance.
NIST SP 800-63Supports stronger authentication and password policy decisions for human identities.
NIST Zero Trust (SP 800-207)PR.AC-4Least privilege and continuous verification depend on controlled credential handling.

Apply least-privilege access and remove informal sharing paths from identity workflows.


Key terms

  • Password Manager Standardisation: The practice of requiring one approved password manager across an organisation so secret storage and generation become consistent. It reduces ad hoc handling, but only becomes effective when sharing, recovery, and exception workflows are also governed and audited.
  • Credential Reuse: Credential reuse is the practice of using the same password across multiple sites or services. It increases the blast radius of a single compromise because one stolen secret can unlock many systems, making identity assurance depend on more than user memory and policy text.
  • Shared Credential Handling: Shared credential handling is any process where a password or secret is transferred between people outside the approved system of record. Email, chat, documents, and verbal handoff all weaken accountability and make lifecycle tracking and offboarding harder to prove.
  • Two-Factor Authentication: Two-factor authentication adds a second verification step beyond a password to reduce the chance of account takeover. In practice, its security value depends on broad coverage, consistent enforcement, and user experience that does not create routine bypasses.

What's in the full report

Bitwarden's full report covers the operational detail this post intentionally leaves for the source:

  • Survey breakdowns by how organisations handle password manager rollout and company-wide standardisation.
  • Detailed figures on password sharing habits across email, chat, and in-person channels.
  • Respondent views on cost and time barriers that slow password-manager adoption.
  • 2FA usage and employee resistance themes that explain where authentication policy breaks down.

👉 Bitwarden's full survey provides the underlying respondent breakdowns and credential-handling detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-01-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org