Each year on World Password Day, most password managers will remind you that sticky notes are no place for storing passwords, to avoid using “password123,” or to stop repeating passwords across multiple accounts.
That is all sound advice, but we’re in 2025. Passwords are still everywhere, but our relationship with them has evolved — or rather, devolved. At this point, it’s common knowledge that passwords are a weak and risky form of authentication, and we should all be working toward a passwordless future. That might sound surprising coming from us, but despite our name, 1Password isn’t a password company. We’re an Extended Access Management company, and we’re seeing things a bit differently this World Password Day.
So let’s put the boilerplate password tips aside for now and focus on our ultimate goal: A passwordless future. To be clear, that doesn’t mean a future where we eliminate passwords entirely, but one where we provide the most straightforward and secure sign-in experience for every user, in every situation.
Passwordless does not mean password-free
Let’s quickly go over the reasons why passwords (especially weak, unprotected passwords) have fallen out of favor. As with any knowledge-based authentication factor, the flaw in passwords comes down to human nature. According to the Verizon 2025 Data Breach Investigations Report, 60% of breaches involve a human element, such as compromised user credentials or phishing.
The primary problem is that most people have poor password habits. 1Password found that 61% of employees reuse passwords or do not reset default credentials, and 19% use the same password across multiple work accounts. If a password is reused or easily guessed, then the chances of it being compromised are high, and even strong passwords can be phished.
The point here isn’t to blame people; phishing techniques have gotten incredibly sophisticated, and no one (at least, no one without a password manager) can be expected to come up with strong, unique passwords for every login. But poor password practices are what threat actors rely on, and what security leaders are under pressure to address.
For businesses, this is a compliance issue as well as a security threat; NIST, HIPAA, PCI DSS, and GDPR all emphasize the importance of multi-factor authentication, secure credential storage, and regular access reviews.
And passwords don’t just pose a security risk. They waste time, drain IT resources, and rack up real costs. According to Forrester, the average cost of a password reset is $70. For large enterprises, this can mean spending over $1 million a year on password-related support alone. With budgets tighter than ever, the opportunity to boost productivity and reduce friction is too significant to ignore.
Passwordless isn’t all-or-nothing
The vulnerabilities of passwords have led to the adoption of stronger authentication factors, like biometrics, passkeys, and hardware keys. Of course, it would be nice if we could wave a wand, slap passkeys on every login, for every app, and never have to remember passwords again. But in the real world, that’s just not feasible.
Several factors prevent or complicate the wall-to-wall adoption of passwordless authentication:
- Not all tools, especially legacy tools, are compatible with passwordless authentication
- Implementing alternatives, like SSO, can be expensive and labor-intensive
- Employees often resist changing their existing log-ins, making passwordless policies difficult to enforce
- It’s challenging for IT and security teams even to get visibility into where passwords are being used
In cases where it’s impossible or impractical to eliminate passwords, the goal is to minimize the end-user’s involvement in the authentication flow as much as possible. An enterprise password manager securely generates, stores, and autofills passwords, so workers don’t have to remember (and forget and reuse) credentials.
So, as ideal as it’d be to go completely passwordless, it behooves organizations to take a measured approach that looks something like this:
- Ensure all credentials are stored in a secure vault
- Identify and discover applications and users with weak authentication methods
- Assess credential risk
- Enforce safer login options, tailored to risk and usability
- Continuously update and improve authentication
It’s also vital to consider the employee experience in your passwordless strategy. A rushed approach to passwordless can cause disruption, unnecessarily stress your IT and security teams, and frustrate your end-users. In contrast, a phased approach enables smoother transitions, allowing teams to discover credential risks and guide users to stronger authentication over time.
Of course, to accomplish these goals, you’ll need the right tools.
How 1Password Extended Access Management can accelerate your passwordless strategy
Weak authentication is a key part of the Access-Trust Gap, which refers to the security risks posed by unfederated identities, unmanaged devices, applications, and AI-powered tools accessing company data without proper governance controls.
1Password Extended Access Management is designed to close the Access-Trust Gap and put organizations on the path to passwordless. Here’s how:
- Find risky credentials fast: Automatically discover weak, reused, or exposed credentials across managed and unmanaged apps, including those outside SSO
- Accelerate passwordless adoption: Guide employees to use passkeys, add MFA, or store strong, unique passwords securely, with no IT tickets required
- Block access from risky devices: Ensure that weak or unsecured credentials can’t be used on compromised or untrusted devices
- Meet Zero Trust and compliance requirements: Tie credential health to device posture and access policies to enforce least-privilege, risk-aware authentication
- Gain complete visibility into credential usage: See which credential vaults are in use, where they are stored, and who is accessing them, with built-in audit trails for compliance
In addition, in summer 2025, we will release the beta of App Launcher, which combines credential security and device security to provide secure, one-click access to both managed and unmanaged business apps. This streamlines sign-ins, access requests, and remediation for end-users from a single, browser-based hub.
1Password Extended Access Management puts employees at the center of your passwordless journey, empowering them to adopt stronger sign-in methods while ensuring every login is secure. As your organization phases out less secure password-based authentication, 1Password provides real-time insights into where passwords are still in use, prompts users to replace them with more secure credentials, such as passkeys, and offers the safest way to use passwords when necessary.
Happy World Password(less) Day
It would be an understatement to say that the world has shifted significantly since Intel first introduced World Password Day in 2013. In the years since, both credential-related threats and our ability to guard against them have evolved. Yet we’re still facing some of the same password challenges we faced back then.
Clearly, the journey to passwordless authentication needs to speed up. Take this World Password(less) Day as a moment to reassess your credential strategy and start the journey toward a safer, more efficient authentication future.
To learn more about how 1Password Extended Access Management is helping customers meet their passwordless goals, check out our dedicated page.