TL;DR: Password resets account for 20% to 50% of IT support tickets, cost about $70 each, and can consume four hours a week for IT teams, according to Gartner, Forrester, and EMA. The real issue is that recovery workflows remain a high-friction identity control that degrades productivity while exposing organisations to password reuse and credential theft.
NHIMG editorial — based on content published by Efecte: Salasanojen palautusten näkymätön kuormitus
Questions worth separating out
Q: How should security teams reduce password reset volume without weakening access control?
A: Start by identifying which applications, user groups, and recovery methods generate the most resets.
Q: Why do password resets remain a security concern in mature IAM programmes?
A: Because recovery is often the easiest way around a well-designed login flow.
Q: What do organisations get wrong about password recovery and helpdesk support?
A: They often treat recovery as an operational nuisance instead of a control surface.
Practitioner guidance
- Measure reset volume as an identity risk indicator Track password reset tickets by application, user group, and recovery method so you can see where identity assurance is degrading.
- Replace knowledge-based recovery with stronger verification Remove recovery paths that rely on guessable questions, email-only confirmation, or inconsistent manual checks.
- Separate low-risk self-service from exception handling Allow routine self-service recovery for standard cases, but route privileged users, unusual device contexts, and repeated failures into a higher-assurance review path.
What's in the full article
Efecte's full article covers the operational detail this post intentionally leaves for the source:
- The article breaks down the ticket-volume and productivity impact behind password resets in more operational detail.
- It explains how helpdesk workflows, directory services, and authentication steps combine to create the service burden.
- It shows how password reset handling affects employee experience in hybrid work environments.
- It outlines Matrix42's IGA-oriented self-service approach for organisations evaluating automation options.
👉 Read Efecte's article on the hidden cost of password resets →
Password resets: what they mean for IAM teams and security?
Explore further
Password reset is a governance control, not a convenience feature. The article is right to frame resets as an operational burden, but the deeper issue is that every recovery flow defines who can re-enter the identity perimeter without starting from zero. In human IAM, that makes reset design part of assurance, auditability, and fraud resistance. Organisations that treat it as a service desk routine are underestimating its role in identity trust.
A few things that frame the scale:
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.
A question worth separating out:
Q: How do teams know whether password recovery is actually working well?
A: Look for fewer tickets, lower repeat-reset rates, shorter time to regain access, and fewer helpdesk escalations for standard users. If recovery is efficient but users still create weak passwords or support keeps re-verifying the same people, the process is not healthy.
👉 Read our full editorial: Password reset burden is a hidden IAM cost and risk driver