
ZDNET Highlights
- Weak or compromised passwords pose a significant security risk to companies.
- Employees continue to reuse passwords or share them via email.
- A password-less future is possible, but it will take time and effort.
Using a weak or compromised password for a personal account is bad enough. But using it on the job puts not only you but your entire company at risk. That’s why this practice is considered a major security threat, according to a new report from password manager 1Password.
For its 2025 annual report, titled “Access-Trust Gap,” 1Password looked at the ways that passwords are still problematic despite the ongoing move toward passwordless authentication. The report’s findings are based on the results of an online survey of 5,200 workers in the US, Canada, the UK, Germany, France and Singapore. The survey included desk job workers as well as IT and security professionals.
When asked what has the most impact on their security team’s ability to provide adequate protection for their company, 44% of respondents pointed to employees using weak or compromised credentials. The survey revealed that employee password practices are actually getting worse rather than better, with this percentage increasing compared to last year’s report.
Nearly two-thirds of employees admitted they reuse passwords across work and personal accounts, rely on default credentials, or share passwords via email or messaging apps. The irony is that IT and security professionals are actually more risk-averse in their use of passwords than their non-IT peers.
As an example, 15% of non-IT employees surveyed said they used the same password for work and personal accounts, while 24% of IT professionals claimed to do the same.
Poor password practices were evident among those polled. Only 30% of employees and 23% of IT professionals said they always use complex and unique passwords. And although password managers provide some protection against credential compromise, only 38% of IT professionals and 26% of other employees disclosed that their employer provides such a tool.
Of CISOs whose companies suffered a data breach in the last three years, 50% cited compromised credentials as the root cause, second only to exploited security vulnerabilities. Other factors that led to the breaches were employees using unmanaged or unapproved applications and devices, as well as exfiltration of data.
A password-less future is certainly desired by individuals and businesses alike. But the road to reach there has been bumpy. Password managers can be difficult to maintain and manage, even in enterprise environments. And passkeys still face many hurdles before they become easy, convenient, and ubiquitous enough to be adopted by more people.
Nevertheless, passkeys are becoming increasingly popular in the corporate world. About 41% of employees surveyed said they have adopted passkeys wherever they are available. 89% of security and IT professionals say their company is encouraging or planning to encourage employees to switch to passkeys. About 25% of respondents say they would happily switch from passwords to passkeys whenever they become available.
The challenge here is that going from passwords to passkeys isn’t as simple as flipping a switch. Rather, this transformation promises to be a multi-year project for most companies, which will have to balance their technologies, workflows, and regulatory requirements. During the transition, passwords and passkeys must coexist, which means both of them must be secure and convenient.
“A truly passwordless environment has long been a dream of security leaders,” one respondent said. “However, eliminating passwords completely is a years-long task, and authentication must be as secure as possible at every step.”
To that end, 1Password has outlined a 5-step game plan that organizations can use to accomplish the transformation.
- Plan your roadmap and process. Here, you’ll want to determine how you aim to move toward passwordless authentication, including replacing weak passwords with strong passwords, adding multi-factor authentication, and adopting passkeys.
- Provide clear guidelines and support for employees to switch to stronger passwords, MFA, and passwordless solutions.
- Task your compliance officers with verifying that your passwordless system will comply with regulatory guidelines like ISO, SOC 2, and GDPR.
- Since passwords are still required during the transition, make sure you use an enterprise password manager to control password usage and make the process easier for employees.
- Wherever possible, get rid of risky authentication methods like SMS codes.