Password manager adoption at Duke University: what IAM teams missed


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: Duke University tripled enrollment after migrating to a new password manager, while security teams still found groups sharing vaults, mixing personal and work accounts, and bypassing consistent password hygiene, according to 1Password. The lesson is that password security improves only when usability and governance are aligned, not when tools exist in name only.

NHIMG editorial — based on content published by 1Password: Duke University's password manager migration and adoption story

Questions worth separating out

Q: How should organisations improve password manager adoption in large environments?

A: Focus on workflow fit, onboarding support, and platform consistency.

Q: What goes wrong when teams share a single password vault informally?

A: Informal shared vaults weaken accountability because ownership becomes unclear and access is hard to audit.

Q: Why does user experience matter in credential governance?

A: User experience matters because people work around controls that are slow or awkward.

Practitioner guidance

  • Measure adoption, not just deployment: Track active use, vault participation, and migration completion by team so the programme reflects real credential handling rather than licence counts.
  • Eliminate informal shared-account patterns: Require each team vault to have named ownership, defined membership, and a clear purpose so shared access does not blur accountability.
  • Test the workflow across every endpoint class: Validate the password manager experience on Mac, Windows, and Linux before scale-up so platform friction does not drive shadow workarounds.

What's in the full article

1Password's full article covers the operational detail this post intentionally leaves for the source:

  • The internal migration and onboarding approach used to move staff and students onto the new password workflow
  • The user experience and cross-platform implementation details that supported adoption across Mac, Windows, and Linux
  • The internal training and knowledge-base practices Duke used to help groups change their day-to-day password habits
  • The practitioner-facing product demonstration and implementation context described in the source article

👉 Read 1Password's case study on Duke University’s password manager migration →




   
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508
 

Password governance fails when the control is easier to bypass than to use. Duke’s experience shows that a password manager can exist without producing meaningful security if users continue to store secrets in personal accounts or share vaults informally. That is not a tooling problem alone. It is a governance design problem in which the programme assumes adoption will happen automatically. The implication is that identity teams must treat usability as a control dependency, not an afterthought.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which means credential governance failures often persist unnoticed across the identity estate.

A question worth separating out:

Q: How can identity teams tell whether password controls are actually working?

A: Look for reduced password reuse, higher managed-account adoption, fewer shared-vault exceptions, and clearer separation between personal and organisational credentials. If those signals do not move, the programme may exist on paper without changing behaviour.

👉 Read our full editorial: Password manager adoption at Duke shows the security-user experience gap



   