Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Password sharing mistakes: what IAM teams should stop allowing


(@lalit)
Member Admin
Joined: 1 year ago
Posts: 235
Topic starter  

TL;DR: Sharing passwords through email, SMS, spreadsheets, notes apps, memory, or browser vaults creates unnecessary exposure paths because copies persist, links spread, and reuse amplifies breach impact, according to Bitwarden. Secure password management matters because human convenience choices still create identity and data risk that IAM teams must govern.

NHIMG editorial — based on content published by Bitwarden: seven common mistakes to avoid when sharing passwords

By the numbers:

Questions worth separating out

Q: How should organisations stop employees from sharing passwords in unsafe ways?

A: Organisations should remove the need for unsafe sharing by giving employees a controlled vault for storage and sharing, then banning passwords in email, SMS, spreadsheets, and notes apps.

Q: Why do spreadsheets and notes apps create credential risk?

A: They create credential risk because they turn secrets into files that can be copied, synced, forwarded, or left behind on devices.

Q: What do teams get wrong about browser password managers?

A: Teams often assume browser password managers are enough because they are convenient, but convenience is not the same as governance.

Practitioner guidance

  • Ban credential sharing in general-purpose channels Prohibit passwords in email, SMS, chat, shared documents, and note apps.
  • Replace ad hoc storage with managed vault workflows Use a central password manager with identity-based sharing, access logging, and offboarding support so credentials do not live indefinitely in local files or synced notes.
  • Review browser vault usage for team access Allow browser storage only for low-risk personal convenience cases, and prohibit it for shared credentials, sensitive administrative accounts, and any access that requires revocation discipline.

What's in the full article

Bitwarden's full blog post covers the practical password-sharing scenarios this post intentionally leaves at the governance level:

  • User-facing examples of insecure sharing across email, SMS, spreadsheets, notes apps, memory, and browser storage
  • Cross-platform password-management features that support secure sharing for individuals, teams, and organisations
  • Built-in account-management and SSO considerations for centralised access control
  • Practical guidance for replacing convenience-based sharing with secure vault workflows

👉 Read Bitwarden's guidance on seven password-sharing mistakes and secure alternatives →

Password sharing mistakes: what IAM teams should stop allowing?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9713
 

Password sharing becomes an identity governance problem the moment a credential leaves a controlled vault. The article’s examples are familiar, but the deeper issue is that passwords are being handled like content rather than access tokens. Once a secret sits in email, SMS, a spreadsheet, or a notes app, the organisation loses authoritative control over copies, retention, and revocation. The practitioner conclusion is that password distribution has to be governed as credential lifecycle, not informal collaboration.

A few things that frame the scale:

  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools, according to the Ultimate Guide to NHIs.
  • 71% of NHIs are not rotated within recommended time frames, increasing the risk of compromise over time, according to the Ultimate Guide to NHIs.

A question worth separating out:

Q: Who is accountable when passwords are shared through insecure channels?

A: Accountability sits with the organisation because password sharing is an access governance issue, not just a user habit. Security, IAM, and policy owners need to define approved sharing methods, remove unsafe defaults, and ensure the chosen tool supports identity-bound access, logging, and revocation.

👉 Read our full editorial: Password sharing mistakes expose avoidable identity risk



   
ReplyQuote
Share: