New Data Shows Over Half of Risky Password Use Is Invisible to IT

Security leaders know their employees aren't perfect with passwords. What's harder to know is exactly how imperfect their habits are and how much risky password behavior is happening completely outside their visibility.
And when that behavior goes unseen, it can't be stopped, leaving organizations exposed to breaches they never had a chance to prevent.
To understand the true scale of the problem, Dashlane recently analyzed anonymized, aggregated Dashlane Omnix™ telemetry data from approximately 64,000 passwords used daily by professionals. What we found should be on every security leader's radar.
Nearly 1 in 3 passwords used at work are high risk
Out of all the passwords used weekly by employees, 28% are considered risky. About 16% are already compromised, meaning they've appeared in known data breaches and remain in active use. Another 12% are weak, meaning they’re short, predictable, or reused.
Clearly, human behavior continues to be a major security risk. Employees’ persistent, unsafe password habits are exposing their organizations to serious risks despite measures like password policies and annual security awareness training.
Awareness isn't reliably translating to action, and action isn't reliably translating to lasting behavior change.
IT can't see half the risks
Most of these risky passwords are being used outside the visibility of any security tool.
Our data tracks password usage across web extensions, including passwords that employees enter directly into websites without going through their password manager vault. When a risky password is used, there's a 53% chance the employee is not logged into their password manager at that moment.
That means no vault is being used over half the time. No autofill. No breach detection. No prompt to update. The risky credential is used over and over, increasing the organization’s chance of getting hacked, and nothing in the security stack registers that it’s happening.
This vault gap is a human behavior problem that no tool can solve purely through deployment. A password manager that isn't active at the moment of login can't protect the login. Security tools can only work when they're in use.
What this tells us about behavior change
Overcoming years of embedded password habits is challenging. IT and security teams dedicate countless hours to educating employees about safe habits, yet bad ones persist. Employees need friction reduced, defaults changed, and repeated prompting before new habits solidify.
What this data tells us is that the curve hasn't bent yet and that passive deployment isn't enough to bend it.
That's why mass deployment paired with active credential monitoring matters. Getting the tool into employees' hands is step one. Keeping them logged in, surfacing risks at the moment of use, and closing the vault gap is where the actual protection lives.
The bottom line
This anonymized data from Omnix gives us something the industry has largely been working without: a ground-level view of how employees actually behave with passwords, at scale, in real time.
It bears repeating: Nearly a third of passwords being used at work are compromised or weak, and employees are using passwords without being logged into a password manager over half the time.
Buying a traditional password manager isn’t going to solve password security challenges if it’s incapable of detecting and intervening the moment risk appears.
This is the problem Omnix was built to solve. By monitoring all credential activity across every web extension, not just inside the vault, the proactive credential security platform gives security teams organization-wide visibility into risky password behavior.
This visibility is critical for combating credential breaches and phishing attempts, which are increasing in both volume and sophistication with the help of AI.
Note on privacy and methodology
The data in this post is derived from anonymized, aggregated telemetry collected across Dashlane's active web extensions. No passwords, usernames, or personal information were accessed or analyzed in producing these insights. By design, they never could be.
Dashlane's zero-knowledge architecture means that vault data is encrypted locally on your device and decrypted only by you. Dashlane never has access to what you store.
For Omnix specifically, activity log data is processed through Dashlane's confidential computing infrastructure in cloud secure enclaves that encrypt log data with team-specific keys inaccessible to Dashlane itself. The insights surfaced by Omnix are the product of that architecture: behavioral signals without any exposure of the underlying sensitive data.
Read more about user privacy in our Privacy Policy and about our zero-knowledge architecture in the Dashlane Security Principles & Architecture section of our Help Center.