The Uncomfortable Truth About Passwords and Cyber Security Maturity

Robert Nad, Product Manager - Cloud & Modern Workplace
February 23, 2026

When we speak with CIOs and CISOs across Australia, we hear the same story. Organisations have invested heavily in security. MFA is in place. There’s an Essential Eight roadmap in place, or the organisation is aligning to SMB1001 to demonstrate baseline maturity.

Yet when incidents happen, or maturity stalls, the cause is rarely a missing tool. It’s usually something human. A reused password. A shared admin account. Credentials saved “temporarily” in a spreadsheet. Someone doing what felt practical under pressure.

That’s why we’re increasingly direct about this: you can’t realistically achieve meaningful Essential Eight or SMB1001 maturity without getting password management right first. Not because passwords are exciting, but because they underpin almost everything else.

In today’s Australian threat landscape, compromised credentials remain the easiest entry point. Ransomware groups don’t need to outsmart sophisticated controls if they can simply log in. Phishing, adversary-in-the-middle attacks, business email compromise, and credential stuffing all rely on one thing: poor password hygiene at scale.

Meanwhile, expectations on security leaders have shifted. Boards want evidence of real risk reduction. Insurers are scrutinising identity controls. Customers and regulators expect Essential Eight alignment to be operational, not just documented. Frameworks like SMB1001 are increasingly used as shorthand for a simple question - are the fundamentals actually working?

In that context, password management stops being a convenience tool and becomes a credibility issue.

The reality is most organisations don’t actively manage passwords - they tolerate them. Passwords get reused because no one can remember dozens of complex credentials. Shared accounts exist because systems don’t support modern identity properly. Spreadsheets and notes exist because there was no approved alternative.

This isn’t apathy. It’s human nature. People optimise for speed and convenience, and security controls often work against that instinct.

The problem is that these behaviours quietly undermine everything else. MFA is less effective when attackers pivot to systems without it. Zero trust models struggle when access can’t be clearly attributed to individuals. Incident response slows because no one really knows where credentials live. From an Essential Eight perspective, this is why maturity plateaus - the controls exist, but they don’t operate cleanly in the real world.

While the Essential Eight doesn’t explicitly mandate a password manager, in practice password management enables multiple strategies to function properly. Application hardening is stronger when users aren’t reusing passwords. Restricting administrative privileges fails if admin credentials are shared. MFA works best when paired with strong, unique passwords users don’t have to remember.

The alignment with SMB1001 is equally natural. Its focus on governance, consistency, and demonstrable control maps directly to disciplined credential management.

The real barrier isn’t technology - it’s behaviour. Password managers work when they remove friction rather than add it. They make strong, unique passwords the default, eliminate risky workarounds, and align security with how people actually work. In that sense, password management is a behavioural control supported by technology.

That’s why enterprise password managers such as LastPass are often part of the conversation. Not as a silver bullet, but as a practical way to close real gaps, centralise credentials, enforce policy, support MFA, and provide evidence that controls are genuinely operating as intended.

The takeaway is simple. If you’re serious about Essential Eight or SMB1001 maturity and real-world risk reduction, you have to fix passwords first.