Why the Final 20% Still Matters
In a recent Sponsor Spotlight episode of Identity at the Center (#404; February 2026), I joined Jeff Steadman and Jim McDonald to discuss a topic many organizations are wrestling with: if we are moving toward passwordless authentication, why does enterprise password management still matter?
The short answer is simple. Most enterprises get about 80% of the way on their modernization journey before they hit some roadblocks. The remaining 20% still rely on passwords, and often require more complex projects or initiatives to decommission. That last mile creates real risk. Managing it properly is the difference between being secure and being the next target.
Takeaway: Passwords are not gone until they are gone everywhere. Until then, organizations need a pragmatic, secure way to manage the reality of legacy systems and hybrid environments.
Quick Summary:
- Most organizations reach roughly 80% passwordless coverage. The final 20% still depends on passwords.
- Passwords remain a primary breach vector, especially through social engineering and credential abuse.
- Storing passwords is not enough. Humans create bad passwords: we choose passwords that are memorable or pattern-based, and a vault does not change that.
- Enterprise password managers differ fundamentally from personal password managers in governance and visibility.
- Password managers solve a problem today and are part of the future, where these digital wallets will manage passkeys for portability and control.
The Uncomfortable Truth About Passwords
During the episode, Jim asked a direct question: why does password management still matter if the industry has been declaring passwords “dead” for years?
I responded candidly:
“The uncomfortable truth about passwords… we’ve been trying to get rid of them for the better part of a decade… but I think we often ignore all of the things that are going to use passwords for the next decade or maybe even longer.”
The industry conversation frequently focuses on what replaces passwords: passkeys, FIDO, WebAuthn, and modern authentication standards. Those advancements are real and important.
But the operational reality inside most enterprises is different.
Organizations can modernize most applications. Many reach what I call the “80% mark.” Modern systems support single sign-on, MFA, and passwordless flows.
The remaining 20% is where risk concentrates.
“A lot of organizations… might get 80% of the way there… Then what about the 20%?”
That final 20% often includes:
- Legacy systems
- Mainframes
- Applications without standards-based SSO (such as in-house apps)
- Line-of-business platforms that are costly to replace
- Shadow IT tools used by business units
You are not passwordless if those systems still rely on human-created credentials.
Why Storing Passwords Is Not Enough
Many identity teams assume that storing passwords inside an identity provider or browser vault solves the problem.
It does not.
As I explained on the podcast:
“I would say no, because you're not taking the human element out of creation.”
Humans create patterns.
Humans reuse passwords.
Humans increment numbers.
When a credential dump appears, attackers mine it for exactly those patterns. A leaked "Summer2024!" is a strong hint that the same user now runs "Summer2025!", so targeted password spraying and credential stuffing get easier, even after the password has been "changed."
The key shift is not storage. It is control.
Enterprise password management should treat workforce credentials the way privileged access management treats admin credentials:
- Automated rotation
- Centralized enforcement
- Removal of user-driven creation patterns
- Event-based reset capabilities
“When you can reset it and also actively manage it, that’s kind of the nirvana.”
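To make the "removal of user-driven creation patterns" point concrete, here is an added Python example (not code from the original post or from Bravura Security) that does the two things the bullets above describe: it rejects a proposed password that is a predictable mutation of the previous one (incremented counter, bumped year, swapped symbol), and it generates a replacement from a CSPRNG so that no human pattern enters the credential at all. The leet-speak map, the edit-distance threshold of 2, the minimum stem length, the character-class policy, and the sample password pairs are assumptions chosen for the example.

```python
"""Added example: detect human password patterns and replace them with machine-generated credentials."""
import re
import secrets
import string

# Constructed sample pairs (previous password, proposed new password). Not real credentials.
CONSTRUCTED_PAIRS = [
    ("Summer2024!", "Summer2025!"),          # bump the year
    ("Welcome1", "Welcome2"),                # increment a trailing counter
    ("P@ssw0rd", "Passw0rd!"),               # swap one symbol for another
    ("Welcome1", "kT9#vL2mQx7!pR4wZe8c"),    # a genuinely new, random credential
]

# Assumed leet-speak substitutions to undo before comparing the alphabetic core.
_LEET = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})
SYMBOLS = "!@#$%^&*-_=+"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def stem(password: str) -> str:
    """Strip leading/trailing digits and symbols, undo leet-speak, keep lower-case letters.
    'Summer2024!' and 'Summer2025!' both reduce to 'summer'."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return re.sub(r"[^a-z]", "", core.translate(_LEET).lower())


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one row of the DP table at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_derivative(old: str, new: str, max_edits: int = 2) -> bool:
    """True when `new` is a predictable mutation of `old`: a few edits apart,
    or the same alphabetic core with only numbers/symbols changed."""
    if edit_distance(old.lower(), new.lower()) <= max_edits:
        return True
    s_old, s_new = stem(old), stem(new)
    return len(s_old) >= 4 and s_old == s_new


def generate_managed_password(length: int = 20) -> str:
    """Machine-generated credential from a CSPRNG: no dictionary stem, no counter.
    Rejection-sample until every character class the (assumed) policy requires is present."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate) and any(c in SYMBOLS for c in candidate)):
            return candidate


def rotate(old: str, length: int = 20) -> str:
    """Replacement for `old` that is checked not to be a derivative of it."""
    while True:
        candidate = generate_managed_password(length)
        if not is_derivative(old, candidate):
            return candidate


def evaluate_pairs(pairs):
    """Map each proposed password to whether it should be rejected as a derivative."""
    return {new: is_derivative(old, new) for old, new in pairs}


if __name__ == "__main__":
    for new, rejected in evaluate_pairs(CONSTRUCTED_PAIRS).items():
        print(f"{new!r}: {'REJECT (derivative)' if rejected else 'accept'}")
    print("managed replacement for 'Welcome1':", rotate("Welcome1"))
```

The first three sample pairs are all rejected, the fourth is accepted. In a managed rollout the `rotate` path is the normal one: the user never proposes a password, so the derivative check only matters for the systems that still accept human-set credentials.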
The Difference Between Personal and Enterprise Password Managers
Jim asked an important distinction question during the discussion: what separates a personal password manager from an enterprise password manager?
My answer focused on governance.
“The difference… is really the paradigm of who has control over what’s in the vault.”
A personal vault gives control to the individual.
An enterprise password manager must give control and visibility to the organization:
- Credential governance
- Auditability
- Lifecycle control after an employee leaves
- Central policy enforcement
- Breach response capability
Without that enterprise layer, you create another blind spot.
Enterprise Password Manager vs. Personal Vault
| Capability | Personal Password Vault | Enterprise Password Manager |
| --- | --- | --- |
| Credential Ownership | Individual user | Organization-controlled |
| Visibility | Limited to the user | Centralized audit and reporting |
| Credential Rotation | Manual or user-driven | Automated and policy-driven |
| Access After Employee Exit | Uncertain | Governed and recoverable |
| Breach Response | Reactive and manual | Programmatic mass reset |
| Identity Verification Integration | Rare | Integrated into reset and distribution flows |
| Governance | None or minimal | Enforced by security policy |
| Shadow IT Insight | None | Visibility into workforce application usage |
Help Desk Social Engineering and the Human Factor
We also discussed help desk social engineering, referencing well-known incidents such as MGM and Caesars.
“If you give admin rights… to your help desk to be able to go reset passwords… they’re following a process with the best of intention… but if there’s nothing in the middle enforcing validation… then help desks are going to continually fall to those attempts.”
The human element remains one of the largest risks in identity security.
Password managers do not eliminate social engineering entirely. But they can:
- Reduce password reset volume
- Minimize emergency reset scenarios
- Enforce identity verification before credential distribution
- Reduce reliance on manual help desk workflows
As Jim noted in discussing breach scenarios:
“We need to think… almost like putting together a disaster recovery plan.”
Identity resilience must be designed before the incident.
Breach Recovery and the “Fog of War”
When a credential is compromised, teams often experience what I described on the episode as "the fog of war."
In the first few hours after a breach:
- Visibility is limited.
- Teams are unsure which accounts to disable.
- Resetting credentials is technically possible.
- Distributing them securely is the hard part.
You can script resets. What you cannot easily do at scale, without pre-validated processes and tooling, is verify who you are talking to and get the new credentials to them securely.
This is where automated, centralized credential rotation and secure distribution mechanisms become essential.
The Last Mile to Passwordless
Jeff observed that password managers may become more important, not less, as passkeys mature.
He was right.
“I didn’t see a future for password managers… but… you need to be able to have a cross-platform vendor-neutral wallet.”
Even as FIDO and passkeys expand, portability remains a challenge.
I noted:
“Password managers solve another problem with passkeys, which is portability.”
The likely evolution is from password manager to passkey manager.
Deployment: How to Roll Out an Enterprise Password Manager
From an IAM operations standpoint, rollout must be practical.
Recommendations discussed during the episode:
- Start with identity and security teams.
- Expand to high-usage departments such as marketing.
- Educate early adopters.
- Consider gamification.
- Accept that change management is critical.
“As with any project in the identity space, change management is a critical part of it.”
Perfection is not the starting point. Improvement is.
Measuring Success
Enterprise password management success should be measurable.
Key indicators include:
- 100% application coverage (passwordless or managed)
- Reduction in help desk password resets
- Fewer lockouts
- Fewer shadow IT visibility gaps
- Increased credential rotation compliance
As I explained:
“You should have 100% of your applications either covered by a passwordless sign-on mechanism, or they should be managed by a tool… where the users aren’t having to set the passwords.”
Coverage is the real benchmark.
Final Perspective
In closing the episode, I shared this perspective:
“We often look for the perfect silver bullet solution… I’d really encourage folks… to think, okay, what problem are we actually trying to solve?”
Passwordless is the direction.
But identity security requires pragmatism.
Until the final 20% disappears, organizations need a secure, governed, enterprise-grade way to manage passwords. Not because passwords are ideal. But because they are still real.
What To Do Next:
Want a deeper framework for assessing identity controls in complex environments? Explore our practical IAM and password management resources, or request a Bravura Security Health Check, the first step to unlocking measurable improvement across your identity and access programs.
Frequently Asked Questions about Passwordless Environments
Why does password management still matter if we are moving to passwordless?
Most organizations reach about 80% passwordless coverage, but the remaining 20% still depends on passwords. Until passwords are gone everywhere, that final mile must be securely governed.
Is storing passwords in an identity provider or browser vault enough?
No. Storage does not remove human-created patterns or enforce policy. The key shift is not storage, it is control.
What is in the final 20%?
The remaining 20% often includes legacy systems, shadow IT, and applications without SSO. These environments rely on unmanaged, human-created credentials, and that is where risk concentrates.
How does enterprise password management help during a breach?
You can script resets, but secure distribution and identity validation at scale require governance. Enterprise password management enables controlled mass reset and audit visibility during the fog of war.
Does a password manager eliminate help desk social engineering?
It does not eliminate it entirely, but it reduces exposure by lowering help desk resets and enforcing identity verification before credential distribution.
Will passkeys make password managers obsolete?
No. As passkeys mature, organizations still need a secure, cross-platform way to manage portability, governance, and lifecycle control.
How do you measure success?
Success means 100% application coverage, either passwordless or managed, along with reduced resets, improved rotation compliance, and greater visibility.
- Bravura Pass Product Page (SSPR)
- Review customer case studies to see real-world outcomes.