
Bitwarden Blog

How state and local government benefits from password management

Authored by: Gary Orenstein

Cyber attackers have stolen between $100 billion and $135 billion from government agencies, forced critical websites offline, and exposed millions of citizens' personal information, according to the U.S. Government Accountability Office. These breaches share a common entry point: weak or reused passwords.

Government departments manage sensitive data across multiple systems — from gate access codes to citizen records to critical applications. As infrastructure becomes more interconnected, securing these access points becomes essential to preventing costly breaches.

The high cost of weak passwords

Stolen credentials drive the majority of cyberattacks targeting government systems. According to the Identity Theft Resource Center, when examining cyberattacks against publicly traded companies that led to data breach notices in 2024, stolen credentials emerged as the most common attack vector.

86% of web application attacks traced back to stolen credentials.

Password-related breaches take organizations an average of 328 days to identify and contain, significantly longer than the 277-day average for all breaches, according to IBM's Cost of a Data Breach Report. When hackers breached Colonial Pipeline in 2021 with a compromised password, critical operations halted and millions of Americans experienced fuel shortages. The SolarWinds breach showed how attackers used the insecure password "solarwinds123" to compromise systems that federal agencies used.

Why multifactor authentication and password management work best together

Many organizations believe multifactor authentication (MFA) alone provides sufficient protection or that passwords aren't worth strengthening. Both assumptions leave vulnerabilities unaddressed.

MFA needs strong passwords as a foundation

The New York City Law Department breach underscores the importance of layered security. A hacker infiltrated the 1,000-lawyer agency's network using one worker's stolen email password, likely reused from another site and purchased on the dark web, according to the New York Times.

While MFA adds a critical security layer, this breach started with compromised credentials. Organizations need strong password management to prevent credential theft. 


Password managers make strong passwords achievable

Passwords become compromised when people create weak ones or reuse them across sites. The challenge is that most humans can’t memorize dozens of passwords.

Password managers solve this problem. They generate strong and unique passwords for every site. With a password manager, employees maintain strong security without memorizing countless passwords. This transforms passwords from a weak point into a strong defense.

Following major cybersecurity incidents, the White House Executive Order on Cybersecurity outlined essential practices, including multifactor authentication, endpoint detection and response, encryption, and skilled security teams. These recommendations provide valuable guidance for building comprehensive security programs.

The most effective approach combines strong password management with MFA and other security measures. Together, they create a robust defense that addresses multiple attack vectors.


Choosing the right password management solution

Understanding how password managers strengthen security is the first step; selecting the right solution is the next.

Without secure password management tools, employees resort to sticky notes, reused passwords, and predictable patterns. Organizations should prioritize these key features:

Zero-knowledge encryption

Agencies should look for providers that implement zero-knowledge encryption, meaning the provider cannot access any vault contents. Even if the provider's servers are compromised, passwords remain encrypted and unreadable. This architecture ensures only users can decrypt their stored passwords, which is critical for protecting sensitive government data.

Accessibility for all skill levels

It’s important to find security tools that work for everyone, from IT professionals to non-technical employees who simply need to log in. Tools that are difficult to use lead to workarounds that undermine security.

Open source password managers often excel here. Technical users can review code and verify security claims, and all users benefit from straightforward interfaces and extensive documentation. High adoption rates ensure consistent security practices across the organization.

Scalability and budget considerations

Whether securing a ten-person office or a department with thousands of employees, select solutions that scale while staying within budget and meeting compliance requirements. Flexible pricing models allow agencies to start small and expand as needed without switching platforms.

Self-hosting capabilities

Some agencies, particularly those handling classified information or critical infrastructure, prefer full control over their password management. Self-hosting options give agencies flexibility to meet specific security requirements or data sovereignty needs. Organizations should evaluate their technical capabilities before committing to self-hosting: properly implemented, it provides maximum control, but inadequate implementation creates new vulnerabilities.


Making tools effective through training

Password management tools provide the foundation for strong security, but they're only effective when employees know how to use them. Without adequate training, even the best tools can be undermined.

The ideal programs teach employees how to manage strong passwords, recognize phishing attempts, and respond to security threats. When employees understand why security practices matter, they become active participants in protecting information rather than potential weak points.

Organizations that invest in ongoing security training create cultures where awareness becomes second nature. When government employees develop strong security habits, they strengthen national security efforts by reducing successful cyberattack rates. This approach protects sensitive information and maintains operational integrity as threats evolve.

Start a free trial today

Strengthening password security doesn't require months of planning. Organizations can start a free trial today.

Bitwarden is a fully featured, open-source password manager trusted worldwide. The solution offers zero-knowledge encryption, supports users of all skill levels, scales affordably, and includes self-hosting options.

Start a free trial for Teams and Enterprise plans, or individuals can create a Basic Free Account.
