Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

Weak passwords and reused credentials: what IAM teams need to know


(@lalit)
Member Admin
Joined: 1 year ago
Posts: 235
Topic starter  

TL;DR: Weak, reused, or stolen passwords account for 88% of breaches of basic web applications in Verizon’s 2025 DBIR, reinforcing that password policy, employee education, and password manager adoption remain core controls for reducing credential-led intrusions. The practical issue is not awareness alone but whether identity programmes can turn better password behaviour into measurable access-risk reduction.

NHIMG editorial — based on content published by Bitwarden: guidance on password policies, employee education, and password manager adoption

By the numbers:

Questions worth separating out

Q: How should security teams reduce password reuse across employee accounts?

A: Security teams should reduce password reuse by combining password managers, password policy enforcement, and regular exposure checks.

Q: Why do weak passwords still create so much breach risk?

A: Weak passwords still matter because attackers can crack, guess, or steal them and then try the same credential across multiple services.

Q: What do organisations get wrong about password managers?

A: Many organisations treat password managers as a convenience tool instead of an identity control.

Practitioner guidance

  • Measure password reuse and breached-password exposure Use password vault health reports or equivalent telemetry to identify reused, weak, or compromised credentials across employee accounts and high-value systems.
  • Make password manager enrolment part of onboarding Integrate password manager provisioning with active directory or SSO so new employees receive secure credential tooling on day one.
  • Tie employee education to enforced MFA coverage Use awareness training to reinforce strong unique passwords, then verify that two-factor authentication is actually enabled on accounts where the option exists.

What's in the full article

Bitwarden's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step password-manager onboarding guidance for employees and administrators.
  • Examples of vault health report usage for identifying weak or reused passwords.
  • Practical advice on syncing a password manager with active directory or SSO.
  • Employee-facing password best-practice guidance that supports policy rollout.

👉 Read Bitwarden's guidance on password policies, employee education, and password manager adoption →

Weak passwords and reused credentials: what IAM teams need to know?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 9713
 

Password reuse is still an identity governance failure, not a user preference issue. The article is right to treat reused and weak passwords as a structural breach driver because they collapse account-level boundaries. Once a password is shared across multiple systems, one phishing event or breach feed can cascade into wider access exposure. The practitioner conclusion is that password policy belongs in identity governance, not only in end-user awareness.

A few things that frame the scale:

  • Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to The 2024 ESG Report: Managing Non-Human Identities.
  • Enterprises that have experienced a compromised NHI averaged 2.7 separate incidents in the past 12 months, according to the same report.

A question worth separating out:

Q: Who is accountable when a stolen password leads to a breach?

A: Accountability sits with the identity programme, not just the end user. If the organisation permits weak password policy, inconsistent MFA, and unmanaged onboarding, the breach reflects a governance failure. Security teams, IAM owners, and business leaders all have a role in setting and enforcing the controls that prevent credential abuse.

👉 Read our full editorial: Password policy and manager adoption still drive breach reduction



   
ReplyQuote
Share: