TL;DR: Password Day underscores that the real problem is not password strength but uncontrolled access, because shared admin accounts, service accounts, embedded credentials, and spreadsheet-based secrets still create opaque risk, according to Netwrix. The practical shift is from better passwords to governed control over who can use, rotate, and revoke them.
NHIMG editorial — based on content published by Netwrix: My favorite day of the year: Password Day
Questions worth separating out
Q: How should security teams control shared passwords across users and systems?
A: Treat every shared password as a governed identity asset, not a convenience.
Q: Why do passwords become a bigger risk as organisations grow?
A: As organisations scale, ownership gets blurred and more people begin depending on the same secrets.
Q: What do teams get wrong about secrets stored in spreadsheets?
A: They assume the spreadsheet is temporary when it has already become part of the access control model.
Practitioner guidance
- Inventory every non-human password path Identify shared admin accounts, service account passwords, embedded application credentials, and any temporary access spreadsheets that now function as permanent records.
- Consolidate secrets into one governed vault Move credentials out of chat threads, spreadsheets, and personal storage into a single controlled system with explicit access rules, audit trails, and change history.
- Tie rotation to operational ownership Require a documented recovery path before rotation so teams do not avoid changing credentials because a script, application, or integration might break.
What's in the full article
Netwrix's full blog post covers the operational detail this post intentionally leaves for the source:
- How Netwrix frames workforce password management for shared credentials and everyday user access.
- Operational examples of moving secrets out of spreadsheets, chat threads, and other informal stores.
- The vendor's description of controlled vaulting, approvals, MFA, and rotation in one workflow.
- The product-specific visibility model for auditing who accessed a credential and when.
👉 Read Netwrix's blog post on controlling passwords and shared secrets →
Passwords are everywhere: what IAM teams need to control now?
Explore further
Password control fails when ownership is informal: The central issue is not that passwords exist, but that many of them are created, shared, and maintained outside any durable governance boundary. That breaks accountability, makes rotation a business risk, and leaves offboarding dependent on memory instead of control. Practitioners should treat every shared password as an unmanaged identity object until proven otherwise.
A few things that frame the scale:
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing how slow remediation turns exposure into persistence.
A question worth separating out:
Q: How do access reviews help with password and secret governance?
A: Access reviews expose whether a password or secret still has a legitimate owner, active use, and a valid business purpose. They work best when linked to rotation and offboarding, because review alone cannot fix a credential that still exists in multiple places. The goal is to confirm that access is both necessary and revocable.
👉 Read our full editorial: Password Day exposes the real identity risk: uncontrolled access