Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Password sprawl and secret sharing at UTP: what IAM teams need


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9773
Topic starter  

TL;DR: University of Toronto Press replaced fragmented password managers with a centralized sharing model because teams could not securely share credentials at scale, and its IT team estimates the change saves 10 hours a week, according to Bitwarden. The case underscores that password governance fails when sharing, permissions, and automation are left to local workarounds instead of a controlled identity process.

NHIMG editorial — based on content published by Bitwarden covering University of Toronto Press's password-sharing case study: centralized secret management across teams

Questions worth separating out

Q: How should teams govern password sharing across departments?

A: Use one centrally managed platform, not separate tools chosen by individual teams.

Q: Why do fragmented password managers create security risk?

A: Fragmentation breaks centralized policy.

Q: What do teams get wrong about secure secret sharing?

A: They often focus on encryption in transit and ignore lifecycle control.

Practitioner guidance

  • Consolidate password management into one governed control plane Replace locally chosen password managers with a single policy-enforced platform so sharing, audit logging, and revocation operate consistently across teams.
  • Map shared secrets to team-based collections Assign credentials to collections aligned to departments, functions, or operational groups, then review membership as part of privileged access governance.
  • Govern CLI-driven secret workflows as identity processes Treat scripting paths that generate or distribute credentials as part of the identity programme, with logging, approval boundaries, and clear ownership.

What's in the full article

Bitwarden's full post covers the operational detail this post intentionally leaves for the source:

  • The team-by-team collection setup UTP used to separate developer, retail support, and privileged administrator access.
  • The Bitwarden Send workflow for encrypted one-to-one secret delivery, including expiration and download limits.
  • The CLI-based automation path Rodness used for onboarding and password distribution in scripts.
  • The specific operational benefits UTP reported after consolidation, including the estimated weekly time savings.

👉 Read Bitwarden's case study on centralized password sharing at University of Toronto Press →

Password sprawl and secret sharing at UTP: what IAM teams need?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9257
 

Centralized password governance is the real control, not the vault itself. The article shows that the organisation’s problem was not a lack of password tools, but a lack of one enforced access and sharing model. When every team chooses its own manager, identity policy fragments into local practice and the enterprise loses control over who can share, revoke, and audit secrets. The practical conclusion is that password management only works as governance when the organisation owns the control plane.

A few things that frame the scale:

  • 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, according to Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.

A question worth separating out:

Q: How do organisations know whether password governance is actually working?

A: Look for one authoritative system, clear ownership of each collection or secret group, and a repeatable process for review and revocation. If staff still rely on ad hoc sharing, local tools, or manual copying to get work done, the governance model is not working even if the vault is technically deployed.

👉 Read our full editorial: Password sprawl at UTP shows why centralized secret sharing matters



   
ReplyQuote
Share: