TL;DR: Poor password hygiene remains widespread, with 66% of employees reporting risky password behaviour and 89% of security and IT professionals saying their company is pushing passkeys, according to 1Password's Annual Report 2025 analysis. The governance challenge is not whether passwordless will arrive, but whether teams can reduce raw credential exposure while passkey adoption is still partial and uneven.
NHIMG editorial — based on content published by 1Password: Passwordless access still leaves credential risk wide open
By the numbers:
- 66% of employees report having poor password hygiene.
- 89% of security and IT professionals say their company is encouraging employees to shift logins to passkeys.
- 44% of CISOs report that employees using weak or compromised passwords is one of their top security challenges.
Questions worth separating out
Q: How should security teams manage the transition to passwordless authentication?
A: They should treat passwordless as a phased governance programme, not a one-time switch.
Q: Why do weak passwords still matter if an organisation is moving to passkeys?
A: Weak passwords still matter because most organisations run mixed authentication estates for a long time.
Q: What do security teams get wrong about passwordless programmes?
A: They often mistake adoption messaging for control effectiveness.
Practitioner guidance
- Map the mixed authentication estate: inventory where passwords, MFA, passkeys, recovery methods and shared credentials still coexist, so the migration plan reflects reality rather than the target state.
- Treat 2FA gaps as governance defects: prioritise accounts without 2FA, especially privileged or shared accounts, and route them into remediation queues that are tracked to closure.
- Reduce credential handling in onboarding and offboarding: remove manual password handoffs from joiner and leaver workflows by routing access through controlled identity processes and approved credential stores.
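The first two guidance points are a procedure: inventory the mixed estate, then sort the accounts that lack a second factor into queues that are re-checked rather than simply ticked off. The script below is an added illustration of that procedure, not code from 1Password or from NHIMG. The inventory fields (`auth_method`, `privileged`, `shared`, `recovery`), the queue names, the choice to treat SMS and e-mail recovery as a downgrade of a strong primary factor, and the sample rows are all assumptions made for the example; a real inventory would come from the identity provider and the password manager's admin reporting.

```python
"""Triage a mixed authentication estate into 2FA remediation queues.

Added example, not from the editorial or from 1Password. Field names,
queue names and the sample inventory below are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Primary methods that count as "has a second factor" for triage.
TWO_FACTOR_METHODS = {"password+mfa", "passkey"}

# Recovery channels that let an attacker route around the primary factor
# by phishing or SIM-swapping (assumed policy for this example).
WEAK_RECOVERY = {"sms", "email"}


@dataclass(frozen=True)
class Account:
    name: str
    auth_method: str   # "password", "password+mfa" or "passkey"
    privileged: bool   # admin / break-glass / service account with wide rights
    shared: bool       # credential used by more than one person
    recovery: str      # "none", "admin-reset", "email" or "sms"


# Constructed sample inventory: the estate as it is, not the target state.
SAMPLE_INVENTORY: List[Account] = [
    Account("svc-backup", "password", privileged=True, shared=True, recovery="none"),
    Account("alice", "passkey", privileged=True, shared=False, recovery="admin-reset"),
    Account("bob", "password+mfa", privileged=False, shared=False, recovery="email"),
    Account("finance-shared", "password", privileged=False, shared=True, recovery="email"),
    Account("carol", "password", privileged=False, shared=False, recovery="sms"),
    Account("dave", "passkey", privileged=False, shared=False, recovery="sms"),
]


def estate_summary(accounts: List[Account]) -> Dict[str, int]:
    """Count accounts per primary auth method; shows the mixed estate."""
    return dict(Counter(a.auth_method for a in accounts))


def triage(accounts: List[Account]) -> Dict[str, List[str]]:
    """Sort accounts into remediation queues, privileged/shared gaps first.

    p1_no_2fa_privileged_or_shared: single-factor password on a privileged
        or shared account; highest priority.
    p2_no_2fa: single-factor password on an ordinary user account.
    recovery_downgrade: strong primary factor, but a recovery channel that
        lets the account fall back to something phishable.
    """
    queues: Dict[str, List[str]] = {
        "p1_no_2fa_privileged_or_shared": [],
        "p2_no_2fa": [],
        "recovery_downgrade": [],
    }
    for a in accounts:
        if a.auth_method not in TWO_FACTOR_METHODS:
            if a.privileged or a.shared:
                queues["p1_no_2fa_privileged_or_shared"].append(a.name)
            else:
                queues["p2_no_2fa"].append(a.name)
        elif a.recovery in WEAK_RECOVERY:
            queues["recovery_downgrade"].append(a.name)
    # Deterministic ordering so diffs between runs are meaningful.
    return {name: sorted(members) for name, members in queues.items()}


def still_open(queue: List[str], fresh_inventory: List[Account]) -> List[str]:
    """Re-check a queue against a fresh inventory.

    An item closes only when the account now has a second factor or no
    longer exists, not when someone marks the ticket done.
    """
    by_name = {a.name: a for a in fresh_inventory}
    return sorted(
        name for name in queue
        if name in by_name and by_name[name].auth_method not in TWO_FACTOR_METHODS
    )


# Constructed follow-up inventory: svc-backup was moved onto MFA,
# finance-shared was not touched.
AFTER_REMEDIATION: List[Account] = [
    Account("svc-backup", "password+mfa", privileged=True, shared=True, recovery="none"),
    Account("finance-shared", "password", privileged=False, shared=True, recovery="email"),
]


if __name__ == "__main__":
    print("estate:", estate_summary(SAMPLE_INVENTORY))
    queues = triage(SAMPLE_INVENTORY)
    for queue_name, members in queues.items():
        print(f"{queue_name}: {members}")
    print("p1 still open:", still_open(queues["p1_no_2fa_privileged_or_shared"], AFTER_REMEDIATION))
```

The point of `still_open` is the "tracked to closure" clause: the queue is re-derived from the inventory on every run, so a ticket that was closed without the account actually gaining a second factor reappears. The `recovery_downgrade` queue exists because the estate includes recovery methods, and a passkey whose recovery path is an SMS code is only as strong as that SMS code.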
What's in the full article
1Password's full blog covers the operational detail this post intentionally leaves for the source:
- The report-level breakdown of password risk exposure, including the dashboard signals admins can use to triage weak and reused passwords.
- The specific enterprise password manager capabilities for secure sharing, storage, and admin control during onboarding and offboarding.
- The Device Trust enforcement path that checks whether the password manager is installed and functioning correctly.
- The article's practical rollout framing for moving employees from weak passwords toward stronger authentication methods.
👉 Read 1Password's analysis of passwordless adoption and credential risk →
Explore further
Passwordless adoption is a mixed-state governance problem, not a product milestone. The article shows that organisations can encourage passkeys while still carrying large volumes of weak password behaviour and unmanaged credential handling. That means the programme is not transitioning from one clean state to another. It is running two models at once, which is why controls must cover both human authentication behaviour and the residual credential estate.
A few things that frame the scale:
- 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
A question worth separating out:
Q: Should organisations keep enterprise password managers after passkey adoption starts?
A: Yes, while passwords still exist in business workflows. Enterprise password managers remain useful for secure storage, sharing, and visibility into risky credentials during the transition. They are not the end state, but they are still part of the control stack until passwords are genuinely removed from critical paths.
👉 Read our full editorial: Passwordless access still leaves credential risk wide open