Voice of IT analysis: Digging deeper into password managers

September 12, 2025

We've pulled out a few more data points from our Voice of IT survey on corporate password managers.

Spiceworks relaunched its Voice of IT reader survey series this year by asking IT professionals for their thoughts on corporate password manager solutions. Based on the responses of tech pros at nearly 600 organizations, Keeper Business, Bitwarden Business, and 1Password took top marks for corporate password management solutions based on overall satisfaction, likelihood to recommend (often referred to as the “net promoter score”), and ten more granular solution selection criteria (including security features and encryption standards, user-friendly interface and ease of adoption, and cost and licensing structure).

In addition to asking about their favorite password managers, we also asked our respondents about the state of password management in general. Their feedback is useful for anyone interested in evaluating their own strategy for password management and user authentication/credentialing.

Too many passwords

Among the various questions we asked about, “too many passwords” ranked second on the list of drivers for adopting a password management solution, with a net importance score of +50%.

Note: Modeled after the well-known net promoter score, a net importance score of +100% means that all respondents thought it was important, while -100% means that no respondents thought it was important. Generally, a score higher than +50% or lower than -50% is considered a very strong indicator of buyer sentiment.

According to numerous sources, the total number of corporate passwords per employee ranges from around 10 to more than 120, with typical values between 70 and 80. In my own case, the actual number is 34. No matter how you look at it, that’s far too many passwords for employees to keep reliably strong and unique, not to mention having to change them on a regular basis.

Add in the fact that compromised credentials are consistently involved in a very high percentage of confirmed data breaches, and it’s no surprise that “reduce cybersecurity-related risks” was ranked first on the list of drivers for adoption of a password management solution, with a net importance score of +90%.

Too many solutions?

Although there may be general agreement on the problem, our survey underscores that there’s no common approach to the solution.

  • After more than 25 years, multi-factor authentication (MFA) has finally become mainstream, with 90% of respondents adopting MFA via apps, and 54% adopting MFA via SMS/email
  • More than 50% of all respondents have adopted both password managers and single sign-on (SSO) solutions
  • Biometrics (22%) and hardware security keys (19%) are still emerging as solutions to the problem of password management

Nearly all (85%) respondents have adopted two or more approaches to secure corporate login credentials. About 1 out of 8 (13%) use five or more. For the vast majority, there’s still no corporate equivalent to Sauron (the eponymous Lord of the Rings) that gives us one login to rule them all.

Budgets and management buy-in

Our earlier survey results article noted that cost/budget constraints and management buy-in are among the leading challenges to adopting password management solutions. This reality was strongly reinforced by the Spiceworks State of IT 2025 report, in which more than 600 organizations weighed in on the question “Do you believe your organization spends enough to support its technology needs?”

The differences in perspectives between technical staff and those in IT leadership / senior business leadership positions were stark:

  • Among technical staff, the net adequacy index was -51.9% — a very strong indicator that IT pros perceive that their allocated resources are inadequate
  • Among IT and senior business leaders, the net adequacy index was +18.7% — indicating a positive perception overall, though well below the +50% threshold

We might not like to hear this, but this disconnect lies squarely with us. When speaking with organizational leaders, we must remember that they’re ultimately investing not in technologies, processes, and people, but in business outcomes. Most tech pros talk very comfortably about the inputs: the technology-oriented “what, and how.” But many of us in IT don’t tend to be as good at speaking in terms of the business-oriented outcomes: the “so what, and why it matters.”

Over many years in cybersecurity, I’ve found that business outcomes consistently fall into three high-level categories:

  • Managing downside risks to an acceptable level (i.e., cost avoidance, not “ROI”)
  • Improving operational efficiencies (i.e., cost savings, time and money)
  • Realizing strategic business objectives (i.e., enabling upside opportunities: revenue, profit, growth, share, and so on)

In cybersecurity, the primary outcome is almost always managing downside risks. Too often, tech pros only talk about the frequency of occurrence: the vulnerabilities, how threat actors may exploit those vulnerabilities, and our recommended controls and countermeasures. Talking about the frequency and magnitude of business impact is the critical first step of the budgetary dance between the tech pros and their senior leaders.

From there, we can frame the budgetary conversation in terms of investing in recommended controls and countermeasures that are designed to:

  • Buy down password-related risks to a more acceptable level
  • Save time and increase productivity for users (and for IT staff)
  • Enable upside opportunities by freeing up our people to focus on the most strategic tasks

If you’ve found our Voice of IT password manager survey and the discussion around it valuable, please have a look at this month’s survey on wireless access points. You can expect to see those results towards the end of this month.

Derek Brink

Vice President and Research Fellow, Information Security and IT GRC, Aberdeen

Derek E. Brink, CISSP is a vice president and research fellow at Aberdeen, focused primarily on topics in Information Security and IT GRC. He earned an MBA with honors from the Harvard Business School and a BS in Applied Mathematics with highest honors from the Rochester Institute of Technology. Derek is also adjunct faculty at Harvard University and Brandeis University, where he teaches graduate-level courses in cyber security.