Only 5% of employees use company-purchased password managers, despite rising credential-based attacks

Mind Your Pass
21 August 2025

The password manager has long been accepted as a solution to the issue of weak passwords. It’s not without reason that organizations seek a technological solution to what appears to be a straightforward problem: employees create weak, reused passwords that leave systems vulnerable to attack. Password managers promise an elegant solution: generate unique, complex passwords for every account and store them securely behind a single master password. The logic is compelling, the technology is proven, and the business case seems clear.

Yet this seemingly perfect solution faces a critical implementation challenge that undermines its effectiveness. Recent research reveals that while organizations routinely invest in password management tools, believing they’ve addressed their credential vulnerabilities, the reality on the ground tells a very different story. The gap between purchasing security technology and achieving actual security improvements has become a costly blind spot, leaving companies exposed to the very threats they think they’ve solved.

The adoption gap

Our recent research into Dutch local governments showed that despite organizations purchasing password management solutions, only 5% of employees actually use them. This finding highlights a critical gap between security procurement and security practice that appears to be widespread across different sectors and organization types.

The financial implications are significant. A typical organization of 200 employees spends approximately €12,000 annually on password manager licenses at €5 per user per month. With an adoption rate of only 5%, that investment effectively costs €1,200 per active user annually, transforming what should be a cost-effective security solution into an expensive failure.

Credentials remain the primary attack vector

This adoption crisis becomes even more concerning when viewed against current threat patterns. Verizon’s 2025 Data Breach Investigations Report demonstrates that credential-based attacks continue to dominate the threat landscape, with stolen credentials serving as an initial access vector in 22% of all analyzed breaches.

The report documents several troubling trends that underscore the ongoing vulnerability of credential-based security:

  • Use of stolen credentials as an attack vector increased by 34% from the previous year
  • Ransomware presence in breaches rose to 44%, up from 32%
  • Third-party breaches doubled from 15% to 30%, often originating from compromised credentials
  • Analysis of credential-theft malware revealed that 30% of compromised systems were enterprise-licensed devices

The implementation problem

In theory, password managers, combined with MFA and SSO, are an ideal solution to credential security challenges. They can generate unique, complex passwords for every account and store them securely behind a single master password. However, the reality of implementation reveals gaps that even security-conscious organizations often overlook.

The most significant issue occurs with existing accounts. While employees might use password managers to generate strong passwords for new accounts, they frequently leave their most critical existing accounts – email, banking, work systems – protected by the same weak, reused passwords they’ve always used.

Even when employees do adopt password managers, data indicates that approximately 70% still store weak or reused passwords in the system, fundamentally undermining the security benefits these tools are designed to provide.

Beyond the technology purchase

The password manager adoption crisis highlights a broader challenge in organizational cybersecurity: the assumption that purchasing security technology automatically translates to improved security outcomes. This approach – sometimes referred to as “security theater” – creates the illusion of protection without addressing the behavioral and cultural changes necessary for effective implementation.

Simply deploying password managers without comprehensive change management often results in employees continuing their existing password practices while organizations believe they’ve solved their credential security problem. This disconnect leaves companies vulnerable to exactly the types of attacks they’ve invested in preventing.

A comprehensive approach

Addressing the credential security challenge requires moving beyond simple technology procurement to implementing comprehensive programs that include:

  • Requiring employees to manage their passwords in the password manager, and to replace existing passwords with unique, strong ones
  • Ongoing training and technical support for employees
  • Integration with broader authentication systems
  • Regular monitoring and assessment of actual usage patterns

The data indicates that organizations can no longer treat password security as a voluntary practice or assume that purchasing tools automatically improves security outcomes. The gap between investment and protection has become too significant – and too costly – to ignore.

As credential-based attacks continue to evolve and proliferate, the choice facing organizations is clear: invest in comprehensive implementation and enforcement of password security practices, or continue paying for security solutions that provide little actual protection.

MindYourPass will present its approach to this challenge at CyberSec Netherlands, demonstrating what it calls “Password Manager 2.0” – a solution that goes beyond the traditional technology-only approach. Rather than simply deploying another password management tool and hoping for adoption, its methodology focuses on measuring actual password behavior within organizations, tracking real adoption rates, and implementing technical enforcement mechanisms that ensure secure practices become the default rather than an option. This approach directly addresses the fundamental gap between security investment and security outcomes that has rendered traditional password managers ineffective despite their theoretical promise.
