TL;DR: Password managers are now used by 86% of organisations, yet 53% still rely on computer documents and 29% on pen and paper, while 92% of respondents continue reusing passwords across multiple sites, according to Bitwarden’s 2022 Password Decisions Survey of 400+ IT decision makers. Convenience has improved, but credential hygiene remains structurally weak.
NHIMG editorial — based on content published by Bitwarden: the 2022 Password Decisions Survey
By the numbers:
- 86% reporting they are being put to use.
- 92% of respondents still reuse passwords across multiple sites.
- 53% and 29% to manage passwords.
Questions worth separating out
Q: How should organisations reduce password reuse without creating user workarounds?
A: Organisations should combine a mandatory password manager, breached-password checks, and policy enforcement that blocks reuse at creation and reset time.
Q: Why do shared passwords remain a governance problem even when teams have a password manager?
A: Shared passwords remain a governance problem because a password manager stores secrets, but it does not by itself assign ownership, approval, or offboarding accountability.
Q: What do security teams get wrong about two-factor authentication adoption?
A: Teams often treat 2FA as a one-time rollout instead of an operational control that needs coverage, exception handling, and support.
Practitioner guidance
- Standardise one approved password manager and enforce it Make the enterprise password manager the default for all staff, disable approved shadow alternatives, and tie exception handling to security review so adoption does not fragment by team or geography.
- Remove credential sharing through email and chat Replace informal sharing with controlled secret delivery, require named ownership for every credential, and audit for document-based or conversational transfers that bypass the system of record.
- Eliminate password reuse with policy-backed controls Use breached-password detection, vault-generated unique secrets, and authentication policy enforcement to prevent reuse across business applications and external services.
What's in the full report
Bitwarden's full report covers the operational detail this post intentionally leaves for the source:
- Survey breakdowns by how organisations handle password manager rollout and company-wide standardisation.
- Detailed figures on password sharing habits across email, chat, and in-person channels.
- Respondent views on cost and time barriers that slow password-manager adoption.
- 2FA usage and employee resistance themes that explain where authentication policy breaks down.
👉 Read Bitwarden's survey on password managers, 2FA, and password practices →
Password practices still fail: what IAM teams need to fix?
Explore further
Password manager adoption is a governance milestone, not a risk endpoint. The survey shows organisations have normalised password managers, but normalisation does not equal control maturity. When people still move credentials through documents, paper, chat, and email, the programme has standardised storage without standardising behaviour. The practitioner conclusion is that password governance must be measured by the elimination of side channels, not by licence adoption alone.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to the State of Non-Human Identity Security.
- A separate finding from the same research shows that lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations.
A question worth separating out:
Q: How can IAM teams tell whether password governance is actually working?
A: Password governance is working when password reuse drops, credential sharing through informal channels disappears, and users stop creating ad hoc storage outside approved tools. Strong indicators include consistent manager adoption, fewer exceptions, and clear ownership for every credential in scope. If side channels still exist, the programme is not yet under control.
👉 Read our full editorial: Password managers are mainstream, but password practices still fail