Elyse Betters Picaro / ZDNET
Follow ZDNET: Add us as a preferred source on Google.
ZDNET’s key takeaways
- Weak or compromised passwords pose a significant security risk to companies.
- Employees continue to reuse passwords or share them via email.
- A passwordless future is possible, but it will take time and effort.
Using a weak or compromised password for a personal account is bad enough. But using one on the job puts not just you but your entire company at risk. That’s why the practice is considered a major security threat, according to a new report from password manager 1Password.
For its 2025 annual report entitled “The Access-Trust Gap,” 1Password looked at the ways that passwords are still problematic despite an ongoing move toward passwordless authentication. The report’s findings are based on the results of an online survey of 5,200 workers in the US, Canada, the UK, Germany, France, and Singapore. Those surveyed included desk job workers as well as IT and security professionals.
Also: How passkeys work: The complete guide to your inevitable passwordless future
Asked what has most impacted their security team’s ability to deliver adequate protection for your company, 44% of the respondents pointed to employees using weak or compromised credentials. The survey showed that employee password practices are actually getting worse instead of better with an increase in this percentage from last year’s report.
Some two-thirds of the employees admitted to reusing passwords across work and personal accounts, relying on default credentials, or sharing passwords via email or messaging apps. Ironically, IT and security professionals actually are more risky in their use of passwords than are their non-IT peers.
As one example, 15% of the non-IT workers polled said they’ve used the same passwords for work and personal accounts, while 24% of IT pros professed to doing the same thing.
Poor password practices were evident among those polled. Only 30% of workers and 23% of IT professionals said they always use complex and unique passwords. And though password managers provide some protection against credential compromise, just 38% of the IT pros and 26% of the other workers revealed that their employer provides such a tool.
Also: Should you ditch your TP-Link router? Here’s how to secure your Wi-Fi today
Among the CISOs whose companies were hit by a data breach over the past three years, 50% cited compromised credentials as a root cause, second only to exploited security vulnerabilities. Other factors that led to breaches were employees using unmanaged or unapproved applications and devices as well as data being exfiltrated.
A passwordless future is certainly one desired by individuals and businesses alike. But the road to getting there has been bumpy. Password managers can be difficult to maintain and manage, even in an enterprise environment. And passkeys still face several hurdles before they become easy, convenient, and ubiquitous enough for more people to adopt.
Still, passkeys have been gaining traction in the corporate world. Some 41% of the employees surveyed said they’ve adopted passkeys where they’re available. A healthy 89% of the security and IT pros say their company is encouraging or planning to encourage employees to shift to passkeys. Some 25% of the respondents say they would gladly switch from passwords to passkeys when and if they become available.
Also: The best password managers for businesses: Expert tested
The challenge here is that jumping from passwords to passkeys isn’t as simple as turning on a switch. Rather, the transition promises to be a multi-year project for most companies, who must balance their technologies, workflows, and regulatory requirements. During such a move, passwords and passkeys must coexist, which means they both need to be secure and convenient.
“A truly passwordless environment has long been the dream of security leaders,” said one respondent. “However, fully eliminating passwords is a years-long undertaking, and authentication must be as secure as possible at every step along the way.”
Also: Why SMS two-factor authentication codes aren’t safe and what to use instead
Toward that end, 1Password has outlined a 5-step game plan that organizations can use to carry out the transition.
- Plan your roadmap and process. Here, you’ll want to determine how you aim to replace weak passwords with strong ones, add multi-factor authentication, and move toward passwordless authentication, including passkeys.
- Provide employees with clear guidelines and support for switching to strong passwords, MFA, and passwordless solutions.
- Give your compliance officers the job of verifying that your passwordless system will adhere to regulatory guidelines, such as ISO, SOC 2, and GDPR.
- With passwords still needed during the transition, make sure you use an enterprise password manager to control the use of passwords and ease the process for employees.
- Wherever possible, get rid of risky authentication methods such as SMS codes.
Get the biggest stories in tech every Friday with ZDNET’s Week in Review newsletter.
