
Password manager shutdowns: what should identity teams do now?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 5855
Topic starter  

TL;DR: Dropbox and Microsoft have discontinued built-in password manager features, forcing users to export credentials and rethink account protection just as AI-driven phishing is making credential reuse more dangerous, according to 1Password. The real issue is not convenience but control continuity: identity defences weaken when password security depends on a side feature and someone else’s product roadmap.

NHIMG editorial — based on content published by 1Password: password manager shutdowns and the identity risk of roadmap drift

Questions worth separating out

Q: What breaks when users lose access to a built-in password manager?

A: The control breaks first, then the habits follow.

Q: Why do password manager shutdowns matter for identity governance?

A: They matter because password storage becomes a lifecycle issue, not a feature preference.

Q: How do security teams reduce the impact of phishing after a password manager exit?

A: They reduce impact by restoring unique credentials, prioritising passkeys where available, and tightening account recovery paths before users migrate.

Practitioner guidance

  • Map where users depend on built-in password managers: Identify employee and consumer populations using browser-based or platform-bundled password storage, then classify which accounts, payment records, and shared secrets would be disrupted by a shutdown.
  • Move high-value users to a standalone credential control: Prioritise a dedicated password manager or passkey-first workflow for administrators, finance teams, executives, and any user holding multiple business-critical accounts.
  • Test export, import, and recreation paths before retirement dates: Validate how passwords, addresses, and payment information are exported, where manual recreation is required, and which records are deleted after shutdown.

What's in the full article

1Password's full article covers the operational detail this post intentionally leaves for the source:

  • Step-by-step export guidance for Microsoft Authenticator and Dropbox Passwords users who need to preserve saved data before shutdown.
  • Practical migration steps for moving passwords, addresses, and payment details into a replacement password manager.
  • Specific notes on the deadlines, deletion behaviour, and account-access differences between the two shutdown paths.
  • A product-focused comparison of 1Password features such as shared vaults, passkeys, and recovery workflows.

👉 Read 1Password's analysis of password manager shutdowns and identity risk →

(@mr-nhi)
Member Moderator
Joined: 1 month ago
Posts: 5343
 

Password manager shutdowns expose a roadmap dependency that identity programmes should never accept. A password manager is a control, not a feature, and controls should not disappear because a vendor refocuses on its core business. When credential protection sits inside a side feature, the organisation has outsourced a core identity function to a product lifecycle it does not govern. The implication is that identity teams need to classify password storage as a programme-owned control surface, not a convenience layer.

A few things that frame the scale:

  • 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, showing that identity exposure tends to recur rather than resolve after the first event.

A question worth separating out:

Q: Who is accountable when credential protection disappears with a product shutdown?

A: Accountability sits with the organisation that owns identity risk, even if the shutdown is triggered by a vendor decision. Teams responsible for IAM, security architecture, and digital risk should already have a migration plan, a recovery plan, and a control ownership model that does not depend on one product line surviving.

👉 Read our full editorial: Password manager shutdowns expose the identity risk of roadmap drift



   