Passwords in 2022

One Minute Insights:
• Leaders are using 4 - 6 password-protected accounts daily, while IT deals with more than 9 password-related incidents daily
• Hybrid work has made password-related incidents more challenging
• Most implement an array of password-enhancing security features but agree that end users find extra security layers frustrating
• One-time passwords are the most commonly implemented identity and access management tool beyond passwords
• Zero Trust Network Access is ranked as the most secure IAM solution
• Employee security hygiene training occurs annually to every 6 months for most
• Security, technological limitations, and convenience are the top ranked reasons for the lack of password alternatives

Passwords are a part of everyday business operations, protecting valuable entry points
to sensitive data and files. And yet, the burden of password security is mostly on the
end users, who may be required to remember and enter numerous passwords daily.
How are IT teams dealing with passwords in 2022, and are password alternatives
being adopted?
Data collection: Apr 16 - Apr 25, 2022
Respondents: 204 IT, Software Engineers, and Information Security leaders

IT teams deal with more than 9 password-related incidents daily, and hybrid/remote work has made the situation more challenging

How many password-protected work accounts do you use daily?
Most (42%) leaders use 4 to 6 password-protected work accounts daily.
26% 1 - 3
42% 4 - 6
16% 7 - 9
5% 10 - 12
10% >12
0% Not sure
n = 204

How many password-related issues does your IT team deal
with daily? (forgotten password, locked account, etc.)
Over a third (37%) of IT teams are dealing with more than 9 password-related issues each day.
15% 1 - 3
23% 4 - 6
13% 7 - 9
37% >9
12% Not sure
n = 204

Hybrid work has made dealing with password-related issues more challenging for 69% of leaders.
Has hybrid/remote work made dealing with password-related issues more or less challenging for your IT team?
12% Significantly more challenging
57% Somewhat more challenging
24% No change
3% Somewhat less challenging
3% Significantly less challenging
1% Not applicable: we have always been remote/hybrid
0% Not applicable: we have never been remote/hybrid
n = 204

“Password management is one of [the] biggest pains even with
the self-service capabilities. In most cases end users are simply
lazy and unwilling to take responsibility.”
- VP, manufacturing industry, 10,000+ employees
“Passwords are a dying breed that will eventually be replaced.
Too many to remember ...”
- C-suite, software industry, 1,000 - 5,000 employees

Additional password security measures are common, though only just over a third use a shared password manager

Do you have any of the following password security measures in place?
Many have a number of password security measures in place, the most common being minimum password complexity requirements (82%) and regular password resets (75%).
82% Minimum complexity requirements
75% Regular password resets
72% Two-factor/multi-factor authentication (2FA/MFA)
64% Single sign-on (SSO)
41% Password manager
35% Staff security training
0% None of these
0% Other
n = 204

Only 35% report that their organization uses a shared password manager account.
Does your organization use a shared password manager account?
35% Yes
36% No
25% No, but I think we should
4% Not sure
n = 204

“MFA is safe only if the
additional devices are also
made secure.”
- Director, manufacturing industry,
10,000+ employees
“We are evaluating different
vendors for password
management.”
- C-suite, manufacturing industry,
1,000 - 5,000 employees

One-time passwords are the most common form of access security beyond passwords, though ZTNA is considered the safest

On top of passwords, most are using one-time passwords (OTP) (60%).
What additional security measures do you implement for identity and access management (IAM), other than passwords?
60% One-time password (OTP)
36% Time-based one-time password (TOTP)
32% Tokens
29% Public key infrastructure (PKI)
29% Zero trust network access (ZTNA)
26% Biometric authentication
17% Magic links
14% Hardware security modules (HSMs)
10% None of these
0% Other
n = 204

From the same list, respondents ranked Zero Trust Network Access (ZTNA) as the most secure
solution, followed by biometric authentication and time-based one-time password.
Rank these security options in order from safest to least safe:
1 Zero Trust Network Access (ZTNA)
2 Biometric authentication
3 Time-based one-time password (TOTP)
4 Hardware security modules (HSMs)
5 Public key infrastructure (PKI)
6 One-time password (OTP)
7 Tokens
8 Magic links
n = 204

“Legacy apps prevent us from utilizing passwordless auth.”
- C-suite, education industry, 10,000+ employees
“Whatever system you come up with, someone will find a way around
it and users may think it is secure and will then not be vigilant.”
- C-suite, professional services industry, 1,000 - 5,000 employees
Password security is a shared responsibility between the
business and end users, though most only hold security
hygiene training annually
Most (64%) believe that the organization and individual end users should share the responsibility for
password security equally. However, if they don’t believe it should be equally shared, more would place
the responsibility with the business (23%) than the end user (13%).
Where should the responsibility for password security fall?
64% The individual end user and the business equally
23% The business
13% The individual end user
n = 204

One-third of respondents (33%) hold employee security hygiene training annually.
How often do you hold security hygiene training for employees?
26% Quarterly
33% Annually
Every 6 months
1% Only if there’s been a breach
3% Once for new hires
2% Never
1% Not sure
n = 204

“Even the change of passwords periodically comes under pressure
from senior executives who believe that they are safe with their
passwords continuing in perpetuity. A no-exceptions policy is the
best way to make sure that passwords are basic hygiene.”
- C-suite, healthcare industry, 1,000 - 5,000 employees
“The more complex the password policies, the more likely end users
will be frustrated or try to make things easier for them while making
systems less secure.”
- VP, healthcare industry, 10,000+ employees

Extra layers of security are frustrating for end users rather than reassuring, but security, technology and convenience are hindering password alternatives

To what extent do you agree with the following: end users find extra layers of security frustrating rather than reassuring?
82% agree that end users are frustrated by extra layers of security rather than reassured.
12% Strongly agree
70% Agree
12% Neutral
6% Disagree
0% Strongly disagree
n = 204

The top 3 ranked factors hindering password alternatives are security, technological limitations
and convenience.
What are the top 3 factors hindering the adoption of password alternatives?
1 Security
2 Technological limitations
3 Convenience
4 Lack of investment
5 Time constraints
6 Lack of awareness
7 IT skepticism
8 Business skepticism
9 Cost
10 End-user skepticism
11 Lack of real-world benchmarks
n = 204

“It's becoming quite burdensome because
everything we do these days requires a
password, not all systems accept special
characters and minimum complexity
requirements. It's impossible to remember
everything so we resort to writing things down
or using the same password for everything.”
- Director, software industry, 10,000+ employees
“With the amount and speed of
compute growing as fast as it is,
we need to start thinking
differently and come up with
better ways than a password.
What took years to crack, takes
minutes or seconds now.”
- VP, retail industry, 10,000+ employees
“[Password security has] improved over the years,
but the hackers have improved faster. The state
sponsored activity is most troubling and more
companies need to take that more seriously.”
- Director, manufacturing industry, 10,000+ employees
“Passwords have to go and
IAM technology is going to
replace passwords.”
- Director, 1,000 - 5,000 employees,
manufacturing industry
Respondent Breakdown
Region
North America 63%
APAC 11%
EMEA 26%
Company Size
Title
C-Suite
<1,001
employees
10,001+
employees
Director
VP 33%
45%
23%
1,001-5,000
employees
5,001-10,000
employees
41%
26%
7%
25%
This content, which provides opinions and points of view expressed by users, does not represent the views of Gartner; Gartner neither endorses it nor makes
any warranties about its accuracy or completeness.
© 2022 Gartner, Inc. and/or its affiliates. All rights reserved.
Source: Gartner Peer Insights, Passwords in 2022 survey
