
Password habits are worsening, but security leaders see a path to passwordless

by Elaine Atwell

November 13, 2025 - 4 min


Poorly managed credentials are among the most stubborn problems for security and IT teams, and authentication is one of the areas where the Access-Trust Gap is widest. But even as credential-based attacks remain a major threat to security, there are positive signs that companies are moving toward a passwordless future.

An infographic that says "89% of security and IT professionals say their company is encouraging or planning to encourage employees to shift their logins to passkeys."

This blog is part three in our series analyzing the 1Password Annual Report 2025: The Access-Trust Gap.

  • To read part one, which addresses AI governance, click here.

  • To read part two, on SaaS management, click here.

  • If you haven’t had a chance to read the full report yet, download it here.

In this blog, we’ll address the third section of the report, on credentials. We’ll walk through some of the report’s most eye-opening findings and how IT and security teams can translate them into actionable priorities. 

We’ll also explore how 1Password helps close these gaps via 1Password Extended Access Management, a suite of solutions that includes our Enterprise Password Manager, Trelica by 1Password, and 1Password Device Trust. 

Credential risks remain high, but companies are embracing passwordless authentication

For years, weak and compromised passwords have been the most common path for bad actors to breach organizations. Yet leaders and employers alike are embracing and adopting more secure authentication methods, even as the complete elimination of passwords remains an elusive goal.

Credential and authentication statistics from the report

  • 66% of employees report having poor password hygiene (e.g., using default passwords, reusing the same password for multiple accounts).

  • 44% of CISOs report that employees using weak or compromised passwords is one of their top security challenges.

  • 89% of security and IT professionals say their company is encouraging employees to shift logins to passkeys.

“In F1, data is everything, so we can't compromise on security, but we also can't afford tools that slow us down. Credential and secrets management was an area where we saw an opportunity to improve on both security and speed, by reducing the amount our team has to directly handle credentials.” - Mark Hazelton, CSO of Oracle Red Bull Racing

Imperative: Passwordless

As the report explains: 

“‘Passwordless’ authentication isn’t a binary, and passwords are unlikely to be fully deprecated anytime in the foreseeable future. With that in mind, the goal of passwordless should be to remove users as much as possible from the authentication flow, so their exposure to raw credentials is minimized.”

With that in mind, IT’s priorities include:

  1. Define your roadmap and process to replace weak passwords with unique passwords, add MFA, and transition to passwordless authentication, including passkeys.

  2. Equip employees with clear guidance and ongoing support with transitioning to strong passwords, MFA, and passwordless solutions.

  3. In the cases where passwords remain necessary, require the use of an enterprise password manager to facilitate secure storage and sharing of credentials.

How 1Password helps close the Access-Trust Gap for authentication

All three Extended Access Management solutions help companies accelerate their path to passwordless authentication, but we’ll focus on the capabilities of the Enterprise Password Manager (EPM). 

Define your roadmap and process to replace weak passwords with unique passwords, add MFA, and transition to passwordless authentication, including passkeys

EPM provides admins with a dashboard that tracks the company’s password risk exposure, surfacing issues such as weak and reused passwords and accounts without 2FA. With this complete picture of authentication, admins can triage their most urgent risks.

Equip employees with clear guidance and ongoing support with transitioning to strong passwords, MFA, and passwordless solutions

Admins can use EPM to notify users when stronger authentication options are available and guide or require them to adopt them. 

In the cases where passwords remain necessary, require the use of an enterprise password manager to facilitate secure storage and sharing of credentials

Managing passwords is the foundation of 1Password’s business. 1Password EPM encourages users to create strong, unique passwords, supports secure sharing – whether for developer secrets or social media logins – and gives admins centralized control, essential for secure onboarding and offboarding.

Meanwhile, 1Password Device Trust helps enforce policies by verifying that EPM is installed and working correctly.

Explore 1Password EPM with an interactive demo

Close your Access-Trust Gap with 1Password

The report’s data makes clear that businesses need to reconcile security with their employees’ productivity and convenience. Make it simpler to use strong credentials than it is to recycle old passwords, and make it even easier to use passwordless methods wherever possible. Only then can companies practice their Zero Trust principles and close the Access-Trust Gap.

To learn more about how 1Password can help you secure your business without slowing you down, reach out to us today.