TL;DR: Even security-savvy users can resist moving from handwritten passwords to a password manager because emotional attachment, not just technical understanding, governs adoption, according to Bitwarden. The lesson for identity teams is that IAM change programmes fail when they treat human behaviour as a documentation problem instead of a workflow and habit problem.
NHIMG editorial — based on content published by Bitwarden: a family password-manager adoption story and its lessons for change resistance
By the numbers:
- 69% of organisations now have more machine identities than human ones.
- Only 5.7% of organisations have full visibility into their service accounts.
- 61% rely on spreadsheets or manual tracking for machine identity management.
Questions worth separating out
Q: How should security teams get users to adopt a password manager?
A: Start with one familiar, high-frequency account and show a concrete benefit such as autofill or easier login.
Q: Why do people resist password changes even when they know the risks?
A: Because identity behaviour is shaped by routine, comfort, and perceived effort, not just by risk awareness.
Q: What breaks when credential migration is treated as a one-time event?
A: The rollout usually stalls because users do not get enough time, trust, or immediate reward to change habits.
Practitioner guidance
- Stage credential migration in small, visible wins Move one high-frequency account first, prove the benefit with autofill or simpler login, and expand only after the user has experienced a clear payoff.
- Design for emotional friction, not just policy compliance Pair the security rationale with a workflow that feels easier than the old habit, because familiarity is often the real blocker to adoption.
- Measure actual vault usage, not just rollout completion Track whether credentials are being stored, retrieved, and used in the new system, since installation without behavioural conversion does not change risk.
What's in the full article
Bitwarden's full blog post covers the personal adoption details this post intentionally leaves for the source:
- The original migration story and the specific moments where resistance appeared during setup
- The practical explanation of how the user became comfortable with the vault interface
- The full list of supporting resources and community materials Bitwarden references
- The concluding change-management reflections tied to family and everyday password habits
👉 Read Bitwarden's blog post on password manager adoption and change resistance →
Password change resistance: what it means for IAM teams?
Explore further
Password manager adoption is an identity governance problem, not just a user education problem. The post shows that people can understand the security rationale and still resist the new workflow because routine and comfort shape behaviour. In human IAM terms, policy correctness does not guarantee operational adoption. The practitioner conclusion is that governance has to account for how access habits actually change.
A few things that frame the scale:
- 69% of organisations now have more machine identities than human ones, according to the Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which shows how quickly unmanaged identity populations outrun governance.
A question worth separating out:
Q: Who is accountable when secure password handling fails in an organisation?
A: Accountability sits with the identity, security, and user-experience owners together. IAM teams own the control design, security teams own the risk model, and programme owners own whether the workflow is actually usable. If adoption fails, the control was not effective in practice, even if it was technically available.
👉 Read our full editorial: Password change resistance shows why IAM adoption is hard