TL;DR: Weak, reused, and shared passwords still account for more than 80% of breaches, and the article argues that partial password manager deployment leaves credentials unmanaged across browsers, spreadsheets, shadow IT, and offboarding gaps, according to Bitwarden. Full coverage matters because credentials remain the control plane for everything else.
NHIMG editorial — based on content published by Bitwarden: full password manager deployment and the hidden risks of partial coverage
By the numbers:
- Weak, reused, and shared passwords account for more than 80% of breaches.
- Between 34% and 66% of business applications aren’t covered by SSO.
Questions worth separating out
Q: How should security teams handle password management when SSO is already in place?
A: They should treat SSO and password management as complementary controls.
Q: Why do unmanaged passwords still create risk in mature IAM programmes?
A: Because password risk is not eliminated by other controls if users still store or reuse credentials outside managed workflows.
Q: What breaks when password manager deployment is only partial?
A: Visibility breaks first, then revocation and compliance follow.
Practitioner guidance
- Measure unmanaged credential coverage across the workforce Inventory where employees still store or share passwords outside the sanctioned password manager, including browsers, spreadsheets, chat, and local notes.
- Extend password manager rollout to every application path Identify business applications that do not support SSO and require password manager enrollment for those direct-logon systems.
- Tie offboarding to credential revocation workflows Connect leaver events to vault de-provisioning, shared secret rotation, and access removal so former staff do not retain live credentials after employment ends.
What's in the full article
Bitwarden's full article covers the operational detail this post intentionally leaves for the source:
- Deployment guidance for rolling password manager coverage across all employees, not just high-risk teams
- Examples of how to reduce unmanaged logins stored in browsers and informal collaboration tools
- Offboarding workflow detail for removing access and rotating shared credentials after leaver events
- Practical coverage guidance for applications that do not support SSO
👉 Read Bitwarden's analysis of full password manager deployment and credential coverage →
Password manager coverage gaps: what IAM teams are missing?
Explore further
Partial password manager deployment creates credential governance debt: The article’s central point is that a password programme only works when it covers the whole workforce, not a subset of enthusiastic users. Partial adoption leaves unmanaged credentials in browsers, notes, and shadow workflows, which means the organisation carries hidden access state it cannot reliably audit or revoke. The practitioner implication is that credential management must be treated as a universal control surface, not an optional productivity tool.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to the Ultimate Guide to NHIs.
- 79% of organisations have experienced secrets leaks, and 77% of those incidents resulted in tangible damage, according to our Ultimate Guide to NHIs.
A question worth separating out:
Q: What should teams do before deciding that SSO coverage is enough?
A: They should map the applications that sit outside SSO and quantify how many credentials still depend on local logons. If a meaningful share of the estate bypasses federation, password management remains necessary for governance, offboarding, and secure sharing.
👉 Read our full editorial: Password manager full deployment closes the credential blind spot