
From Convenience to Compromise: Ending Insecure Password Sharing at Work

By Darren Guccione, CEO and Co-founder, Keeper Security

A Familiar Habit with Serious Implications

Everything in daily living has become digitally connected, from our smart televisions and streaming services to our robot vacuum cleaners and air purifiers. As families increasingly adopt smart technology, login credentials such as usernames and passwords become hard to keep track of, resulting in credential sharing among members of the household.

There is nothing malicious in this habit at home, where it brings convenience for home entertainment, applications and family devices – but what if it is brought into professional environments? This consumer habit has quietly made its way out of households and into organisations, where it carries broad-reaching risk.

With World Password Day (May 1) fast approaching, it is a great opportunity to turn attention from simply improving password strength to strengthening password behaviour.

The Misconception of Convenience

Credential sharing may seem faster for busy teams in the workplace, but the convenience of insecure sharing can prove costly. Teams often share credentials through insecure means, with 62% of businesses utilising messaging applications such as WhatsApp and Slack, or through emails with no expiration. Though convenient, these methods lack visibility, traceability, and control – making businesses increasingly vulnerable to breaches and insider threats.

These casual password-sharing habits developed in our personal lives – like sharing a Netflix login or family food delivery account – have become increasingly common in teams that rely on shared tools, such as marketing dashboards, file storage platforms or group email aliases. This behaviour poses a significant security risk, highlighted by 31% of IT leaders indicating that password attacks are becoming increasingly prevalent year-on-year. This risky practice persists largely because businesses often lack formal credential-sharing protocols, dedicated IT oversight and smart cybersecurity solutions to facilitate secure sharing.

Driven by the need to collaborate efficiently or overcome access bottlenecks, employees default to what seems easiest, resulting in the passing around of credentials via email, chat or spreadsheets. Many are simply unaware that secure, structured alternatives exist. According to research, 68% of breaches involve the human element, with the majority due to stolen or weak passwords, credentials and secrets. Even when intentions are good, whether to save time or streamline access, the result is often a tangled web of shared credentials that are difficult to track and nearly impossible to secure.

Without proper oversight, another threat lies with former employees who may retain access to these systems long after they have left the company, particularly when it comes to third-party SaaS tools where credential updates are often overlooked. The absence of frictionless tools that balance collaboration with strong access controls only reinforces this cycle, leaving businesses exposed to unnecessary risk from both internal and external threats.

Real Risks for the Enterprise

The consequences of informal password sharing go far beyond inconvenience – they open the door to serious security breaches. Weak or shared credentials are among the most common entry points for attackers, with credential theft remaining one of the leading causes of data breaches globally. Within the Asia-Pacific region, the cost of an average data breach amounts to US$1.4 million. Without individual logins and the proper technology solutions, there is no audit trail or clear accountability, making it nearly impossible to trace who accessed what, and when.

The stakes are even higher for regulated industries like healthcare, finance and legal, where poor credential hygiene does not just pose security risks but can also lead to serious compliance violations and legal consequences. Organisations should consider the following in dealing with insecure password sharing habits within the workplace:

  1. Use an Enterprise Password Manager
    Enterprise password managers provide a secure and efficient way for teams to share passwords and sensitive data. Some solutions allow administrators to grant access to login credentials without exposing the actual passwords: the credentials are saved directly to each user’s password vault and filled in automatically when needed.

    Admins can also set specific access permissions, such as view-only or edit rights, for added control. For companies working with freelancers or contractors, certain password managers offer temporary, limited access without requiring the external user to create an account, maintaining both convenience and security.

    Even if an employee clicks a malicious link, a password manager can differentiate between a fake website and a real one, mitigating the risk that employees reveal their login credentials to cybercriminals.

  2. Promote Strong Password Hygiene
    Good password habits are essential for workplace security. With a password manager, admins can enforce rules like using unique passwords for every account, enabling Multi-Factor Authentication (MFA) and generating strong, random passwords. These measures reduce the risk of data breaches and credential-stuffing attacks.

    Failing to reset shared passwords when employees leave poses a major security risk, as 32% of ex-employees have accessed old employer accounts. After recovering all physical assets, organisations must also revoke the employee’s online access. Shutting down accounts includes revoking access to shared folders, files and accounts, resetting shared passwords, and reassigning suspended licenses to another employee.

    A strong off-boarding process ensures only current team members retain access to accounts, protecting sensitive company data from unauthorised use.

  3. Privileged Access Management
    Privileged Access Management (PAM) is a cybersecurity strategy that involves managing and securing accounts that have elevated access rights to an organisation’s most sensitive systems and data. These privileged accounts can belong to users including system administrators, IT staff, upper management and security personnel.

    PAM solutions assist IT administrators and security teams by efficiently organising, managing and securing privileged credentials to ensure that only authorised users have access to critical resources, reducing the risk of unauthorised access, data breaches and insider threats. PAM complements zero-trust security by enforcing the principle of least privilege, enabling real-time monitoring and auditing, supporting continuous authentication and preventing lateral movement and privilege escalation.
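
The phishing protection described under the first recommendation comes from the password manager comparing the address a page is actually served from, not how the page looks, with the address each credential was saved for. The sketch below is an added example, not part of the original article or any vendor's code; it assumes a strict exact-origin matching policy, and the vault record and hostnames are constructed.

```python
from urllib.parse import urlsplit

# Constructed vault: each record is bound to the exact origin where it was saved.
VAULT = [
    {"origin": ("https", "login.example-bank.com", 443), "username": "j.tan"},
]

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url):
    """Return (scheme, host, port) for a URL, or None if it cannot be parsed."""
    try:
        parts = urlsplit(url)
        host = parts.hostname  # ignores any "user@" prefix in the address
        port = parts.port or DEFAULT_PORTS.get(parts.scheme)
    except ValueError:
        return None
    if not host or port is None:
        return None
    try:
        # Encode to ASCII so Unicode lookalike hosts compare as punycode,
        # which never equals the ASCII hostname stored in the vault.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        return None
    return (parts.scheme, host.lower(), port)


def credentials_for(url):
    """Offer a record only when the page origin equals the saved origin."""
    origin = origin_of(url)
    if origin is None or origin[0] != "https":
        return []  # never fill on plain HTTP or an unparseable address
    return [rec["username"] for rec in VAULT if rec["origin"] == origin]


if __name__ == "__main__":
    for page in (
        "https://login.example-bank.com/signin",               # genuine site
        "https://login.example-bank.com.evil.example/signin",  # suffix trick
        "https://login.examp1e-bank.com/signin",               # digit swap
        "https://login.example-bank.com@phish.example/",       # userinfo trick
        "https://login.ex\u0430mple-bank.com/signin",           # Cyrillic "a"
        "http://login.example-bank.com/signin",                # downgraded
    ):
        print(page, "->", credentials_for(page) or "no autofill")
```

Only the first address produces an autofill offer; an empty result on a page that looks familiar is itself a signal for the employee to stop and check the address.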

Let’s Rethink How We Share

Leaders should take this moment as a timely reminder to reassess how access is managed across their organisation. Start by reviewing who has access to which systems, and through what means. Eliminate risky, ad-hoc sharing via insecure channels like messaging apps or spreadsheets.

Most importantly, invest in secure, scalable tools like a business password manager and privileged access management solutions – because protecting access is not just an IT task, it is a business imperative.
