TL;DR: 84% of respondents reuse passwords across more than one site, 55% rely on memory to manage passwords, and 73% use 2FA at work, according to Bitwarden’s 2022 global survey, showing that familiarity with best practice still lags behind real behaviour. The governance problem is not awareness alone but removing human dependence on brittle password habits and making safer defaults easier to follow.
NHIMG editorial — based on content published by Bitwarden: World Password Day Survey 2022 results
By the numbers:
- (84%) reuse passwords across more than 1 site., asswords across more than 1 site.
- (55%) of global respondents rely on their memories, r memories to manage passwords.
- (23%) of global respondents have been affected by, been affected by a data breach.
Questions worth separating out
Q: How should organisations reduce password reuse without creating more login friction?
A: The best approach is to make unique password generation the easiest path.
Q: Why do passwords remain a risk even when most users know the rules?
A: Knowledge does not remove friction.
Q: What do security teams get wrong about 2FA adoption?
A: They often treat 2FA as a replacement for password hygiene rather than a layer on top of it.
Practitioner guidance
- Standardise password manager adoption Make password managers part of onboarding for employees and contractors, then measure adoption by population rather than relying on voluntary uptake.
- Reduce password reuse opportunities Block common and breached passwords, require unique generation where possible, and review whether password reset processes are encouraging repeated reuse patterns.
- Harden recovery and enrolment flows Treat password recovery, reset, and MFA enrolment as privileged identity events that need stronger verification and logging than routine sign-in.
What's in the full article
Bitwarden's full survey post covers the raw survey responses and methodology this post intentionally leaves for the source:
- Survey methodology for the 2,000-plus respondent global sample across multiple countries.
- Breakdowns of password and 2FA behaviour by use case, including work and personal accounts.
- Additional survey presentation and downloadable results for internal reporting and stakeholder sharing.
- Context on Bitwarden's free and business plan positioning for readers evaluating tooling options.
👉 Read Bitwarden's World Password Day survey results on password security habits →
Password reuse and 2FA adoption: what IAM teams should do now?
Explore further
Password reuse is still the most durable identity failure mode in everyday enterprise security. The survey shows that familiarity with password best practices does not translate into secure behaviour at scale. That disconnect is the governance problem, because identity programmes still inherit user habits rather than controlling them. The practitioner conclusion is that human identity risk remains operational, not theoretical.
A few things that frame the scale:
- 70% of organisations grant AI systems more access than they would give a human employee performing the exact same job, according to the 2026 Infrastructure Identity Survey.
- 52% of respondents see AI security decision-making power shifting toward platform and infrastructure teams rather than the executive suite.
A question worth separating out:
Q: Who should own password manager rollout in an identity programme?
A: IAM and security teams should own the policy and standards, while IT and workplace teams handle deployment and support. Password managers are not just user tools. They reduce credential reuse, improve recovery behaviour, and should be measured like any other identity control.
👉 Read our full editorial: Password reuse remains the weak link in everyday identity security