Who holds the keys to your company? How organizations lose control over passwords and what to do about it

How does it look in practice?

  • A system password sent via Slack.

  • Server login details in an email.

  • An Excel sheet named “passwords” on a shared network drive.

  • A sticky note with a PIN attached to the monitor.

These are not scenarios from a pre-digitalization era, but the daily reality in many organizations – regardless of their size or industry. Each of them creates an uncontrolled entry point to corporate resources, one that even the IT administrator often does not know exists.

The threat does not lie solely in the strength of individual passwords. The real problem is the lack of control over who holds them, how they circulate within the organization, and what happens to them when an employee changes positions or leaves the company.

How passwords actually circulate in an organization

According to a report by Bravura Security, as many as 46% of IT and cybersecurity leaders admit that in their organization, passwords are stored in shared office documents (Excel sheets, Word files, or text files on shared drives). These are organizations that have a policy while simultaneously acting against it.

The same report indicates that only 7% of IT leaders are confident that in the event of an employee’s sudden departure, they will be able to successfully take over access, transfer passwords, and maintain business continuity. The remaining 93% operate with no guarantees.

The problem does not end with storage. According to data from Spacelift, 53% of IT professionals have shared corporate passwords via email in plain text. An email message with a password in its body is stored on mail servers, often in several places at once, and stays there – for months or years, with no control over who has access to it.

Data from JumpCloud shows that around 25% of employees regularly exchange passwords with colleagues, often without the IT department’s knowledge and without any mechanism to control who currently knows the login credentials for a specific system.

Three scenarios where a lack of control costs the company

An employee leaves, the passwords stay with them

An employee handled the CRM system, had access to the hosting panel, and knew the password to the main customer service inbox. They left three months ago. Have the passwords been changed? If the organization does not have a central registry of what a given employee had access to – the answer is: probably not, and definitely not all of them.

A password sent via communicator becomes a permanent footprint

An employee urgently needs to log into a system and asks for the password via Slack or Teams. A colleague pastes it in response. The operation takes seconds, but the message remains in the chat history for months. It is indexed, synchronized in the cloud, and accessible from any device where the sender (and the recipient) is logged in. If access to the communicator is compromised, the attacker gains access not only to the messages but gets ready-to-use login data for subsequent systems.

A team’s “shared account” – nobody knows what is happening

An account for a marketing tool, a shared team inbox, access to an advertising platform – these are typical cases of accounts shared by a few or a dozen people. When a password needs to be changed (e.g., after an intern leaves), a problem arises. How do you securely inform the remaining people? Who actually knows the current password? Has everyone updated their copies? A lack of certainty regarding the state of these accounts means a lack of control over access to company resources.

As a report by Beyond Identity points out, 83% of former employees admit that after leaving a company, they logged into the accounts of their previous employer, and 56% did so with the intention of causing harm. The motive is often resentment, and the tool – a password that nobody changed.

A password policy on paper is not enough

Many organizations have implemented security policies that forbid sending passwords by email, require the use of strong and unique passwords, and define access rotation procedures. These documents are necessary, but on their own, they do not change habits.

Data from Spacelift shows that 75% of employees globally do not apply recognized best practices for password management – even though they are aware of them. Why? An employee who knows they should not send a password via email, but has no convenient and secure channel at their disposal, will choose email anyway.

This is the very heart of the problem: organizations create rules, but they do not provide the tools that make following those rules simpler than bypassing them. As a result, the policy exists on paper, while reality looks completely different.

A password manager in the organizational environment

A password manager for organizations, such as perc.pass, is not another bureaucratic obstacle placed in employees’ way. It is a transition to a structured repository that replaces Excel sheets, messages with passwords, and informal credential exchanges, while giving the IT administrator control tools they did not have before.

Central repository with an access audit trail

Every password stored inside the solution leaves a footprint:

  • Who created it?

  • Who has access to it?

  • When and by whom was it edited?

The IT administrator sees the full picture, and when the question arises “who has access to account X?” – the answer is immediate.

Zero passwords in emails and communicators

When passwords are stored and shared through a dedicated system, the need to send them via other channels disappears. An email with a password in its body, a message on Slack, a sticky note attached to the monitor – all these practices stem from the lack of a better solution. When a company provides an easy-to-use alternative, bad habits fade away.

Instant access revocation – offboarding

When an employee leaves, the administrator can deactivate their perc.pass account with a single click. All the passwords they had access to – and only those – cease to be available to them. There is no need to frantically reset dozens of passwords in various systems, because access was managed centrally from the very beginning.

Regardless of the chosen deployment model, the system allows you to map your company’s structure. You can create groups (e.g., Management, IT, Marketing), assign precise roles, and share entire sets of passwords only with the teams that actually need them.
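As an added illustration (not perc.pass code, and not a claim about how any product is implemented internally), the following Python model ties together the three properties described in the sections above: a central store whose audit trail answers “who created, who edited, who has access to account X”, sharing by group and role rather than by copying, and single-step offboarding. All user names, group names and secret values are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class AuditEvent:
    """One line of the vault's audit trail."""
    when: datetime
    actor: str
    action: str   # create / edit / share / read / add_member / offboard
    target: str   # secret name, or user name for membership changes
    detail: str = ""


class AccessDenied(Exception):
    pass


class Vault:
    """Toy central credential store: every secret has an owner, is shared with
    groups (never copied to individuals), and every change is logged."""

    def __init__(self, admin):
        self.admin = admin
        self._secrets = {}   # name  -> {"value": str, "owner": str}
        self._groups = {}    # group -> set of members
        self._shares = {}    # name  -> set of groups the secret is shared with
        self.audit = []

    def _log(self, actor, action, target, detail=""):
        self.audit.append(AuditEvent(datetime.now(timezone.utc), actor, action, target, detail))

    def add_member(self, actor, user, group):
        if actor != self.admin:
            raise AccessDenied(f"{actor} may not manage groups")
        self._groups.setdefault(group, set()).add(user)
        self._log(actor, "add_member", user, group)

    def create_secret(self, actor, name, value):
        if name in self._secrets:
            raise ValueError(f"secret {name!r} already exists")
        self._secrets[name] = {"value": value, "owner": actor}
        self._shares[name] = set()
        self._log(actor, "create", name)

    def share(self, actor, name, group):
        if actor not in (self.admin, self._secrets[name]["owner"]):
            raise AccessDenied(f"{actor} may not share {name!r}")
        self._shares[name].add(group)
        self._log(actor, "share", name, group)

    def has_access(self, user, name):
        if name not in self._secrets:
            return False
        if user == self._secrets[name]["owner"]:
            return True
        return any(user in self._groups.get(g, ()) for g in self._shares[name])

    def read(self, actor, name):
        if not self.has_access(actor, name):
            raise AccessDenied(f"{actor} may not read {name!r}")
        self._log(actor, "read", name)   # reads are logged: they matter for rotation decisions
        return self._secrets[name]["value"]

    def edit_secret(self, actor, name, value):
        if not self.has_access(actor, name):
            raise AccessDenied(f"{actor} may not edit {name!r}")
        self._secrets[name]["value"] = value
        self._log(actor, "edit", name)

    def who_has_access(self, name):
        """The administrator's question 'who has access to account X?'"""
        users = {self._secrets[name]["owner"]}
        for g in self._shares[name]:
            users |= self._groups.get(g, set())
        return users

    def offboard(self, actor, user):
        """Revoke all of `user`'s access in one step. Returns the secrets the user
        could read, so each can be rotated in its target system: the vault can
        stop future retrieval, but cannot un-learn a value already seen."""
        if actor != self.admin:
            raise AccessDenied(f"{actor} may not offboard users")
        exposed = sorted(n for n in self._secrets if self.has_access(user, n))
        for members in self._groups.values():
            members.discard(user)
        for meta in self._secrets.values():
            if meta["owner"] == user:
                meta["owner"] = actor   # ownership passes to the administrator
        self._log(actor, "offboard", user, ",".join(exposed))
        return exposed

    def history(self, name):
        return [(e.actor, e.action) for e in self.audit if e.target == name]


def demo():
    """Constructed scenario: a marketing tool shared with a team, then one member leaves."""
    v = Vault(admin="it-admin")
    for user, group in [("anna", "Marketing"), ("bob", "Marketing"), ("carl", "IT")]:
        v.add_member("it-admin", user, group)
    v.create_secret("it-admin", "ads-platform", "s3cr3t-1")     # constructed sample value
    v.create_secret("it-admin", "hosting-panel", "s3cr3t-2")    # constructed sample value
    v.share("it-admin", "ads-platform", "Marketing")
    v.share("it-admin", "hosting-panel", "IT")
    v.edit_secret("it-admin", "ads-platform", "s3cr3t-1b")
    v.read("anna", "ads-platform")
    before = v.who_has_access("ads-platform")
    to_rotate = v.offboard("it-admin", "anna")
    after = v.who_has_access("ads-platform")
    return before, to_rotate, after, v.history("ads-platform"), v
```

The return value of `offboard` is the practical point: deactivating the account stops further retrieval, but a password the person already read or memorised still works in the target system, so the list of secrets they could see is exactly the rotation list. Because access is granted through groups, revoking it touches only the membership lists; the secrets themselves and their audit history stay intact for the remaining team.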

A lack of control over passwords is not a technical problem – it is a procedural problem resulting from the lack of an appropriate tool. Secure behavior must become the most convenient choice for your employees.

If you want to check what central password management looks like in practice — test perc.pass during a free trial period.
