TL;DR: 451 Research found that 86% of enterprises expected to increase security budgets, while 93% were maintaining or increasing password management budgets and 76% had deployed or planned deployment because of work-from-home concerns. The data shows password controls are still being treated as a necessary response to hybrid work, but policy confidence, audit gaps, and risky user groups remain out of step with actual exposure.
NHIMG editorial — based on content published by Bitwarden: 451 Research enterprise password management survey summary
By the numbers:
- 86% of enterprises expected to increase their annual security budgets.
- 93% of enterprise respondents said they were maintaining or increasing their password management budgets.
Questions worth separating out
Q: How should organisations govern password risk across hybrid workforces?
A: Start with the accounts that create the highest exposure, especially third parties and remote personnel, then enforce reuse checks, stronger authentication, and tighter reset controls.
Q: Why do password policies fail even when teams believe they are sufficient?
A: They fail when policy exists without evidence of enforcement.
Q: How can security teams tell whether password management is actually improving?
A: Look for fewer avoidable resets, stronger SSO coverage, and better compliance among the riskiest user groups.
Practitioner guidance
- Audit password reuse and strength enforcement Review whether password policies are actually enforced across high-risk applications and third-party accounts.
- Map SSO coverage against the full application estate Identify what percentage of business applications still depend on direct passwords outside SSO coverage, then prioritise the highest-risk apps first.
- Reduce password reset dependency in helpdesk operations Treat reset volume as a signal of identity friction and simplify the flows that drive avoidable recovery requests.
What's in the full report
Bitwarden's full article covers the operational detail this post intentionally leaves for the source:
- Survey methodology and the respondent mix across the United States, United Kingdom, Japan, and Australia
- Breakdowns of why security decision makers prioritised password managers, including anti-fraud and credential-theft prevention
- Detailed results on SSO coverage, MFA familiarity, and helpdesk burden from password resets
- Deployment preference patterns for personal and business password management use cases
👉 Read Bitwarden's summary of 451 Research findings on enterprise password management →
Enterprise password management in hybrid work: are controls keeping up?
Explore further
Password management is still a human identity governance problem disguised as a tool category. The article shows that organisations are funding password controls, yet audit gaps and user behaviour remain unresolved. The issue is not whether people have passwords. It is whether the enterprise can consistently govern reuse, reset behaviour, and risky access patterns across a fragmented application estate. Practitioners should treat password management as part of IAM lifecycle control, not as a standalone utility purchase.
A few things that frame the scale:
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control.
A question worth separating out:
Q: Who should get the strictest password controls first?
A: Third parties and remote personnel should usually be first in line because they combine higher access risk with weaker organisational visibility. Then extend the same discipline to any account that touches finance, supply chain, or other sensitive business systems. Risk-based prioritisation beats blanket rollout.
👉 Read our full editorial: Password management is still lagging enterprise risk in hybrid work