A password manager for business: choose and deploy
Shared passwords in a spreadsheet are a ticking time bomb. How a business password manager works, how to choose one and how to roll it out to teams.
In almost every audit we find the same artefact: a “passwords.xlsx” file on a network drive, an “access” notebook in OneNote, or a messenger channel where the team trades logins. It’s not the people’s fault — without a tool, nobody can remember dozens of strong, unique passwords. A business password manager solves the problem systemically: one secure place, strong passwords generated automatically and sharing under control. Here’s everything to know before deploying one.
The problem we’re solving
Without a manager, the same things always happen: passwords get reused (one password across ten systems — a single external leak opens them all via credential stuffing), stay weak (memorable means crackable) and are shared without control (a spreadsheet won’t tell you who knows the bank password, or whether a former employee still remembers it). A manager inverts all three: every password is unique and random, and sharing has an owner, a scope and a history.
Set expectations correctly: a password manager is a transitional stage and a complement, not a competitor to SSO and passkeys. A mature company’s strategy reads: whatever can go behind SSO with MFA — goes there; whatever supports passkeys — moves to passkeys; everything else (and there’s a lot of it) — into the manager.
How it works and why it can be trusted
The heart of every decent manager is a zero-knowledge architecture: the vault is encrypted locally with a key derived from the master password, and the provider stores only an encrypted blob — it knows neither the master password nor the contents. Even a breach of the provider’s servers (and those have happened) hands attackers only data whose decryption requires cracking each user’s master password individually.
Two practical consequences follow. First: the master password is everything — it must be long (a 4+ word passphrase), unique and protected with MFA. Second: recovery must be designed — the provider can’t reset a password it doesn’t know; business plans have mechanisms for this (administrative recovery, emergency access) that you must consciously configure.
Selection criteria for a company
The market is mature (1Password, Bitwarden, Keeper, Proton Pass and others; plus self-hosted Vaultwarden) — the differences are in the details:
- Zero-knowledge + public security audits — not claims but published test reports, ideally open source.
- Directory integration (Entra ID/Google): account provisioning and — crucially — automatic off-boarding.
- Team sharing: vaults/collections per team, permissions (read vs edit), change history.
- Policies: enforced MFA, minimum master password strength, vault export restrictions.
- Reporting: weak/reused passwords, breach monitoring (an alert when a vault password appears in a known leak).
- Ergonomics: extensions, mobile apps, autofill — because people will flee an awkward tool straight back to the spreadsheet.
Choose self-hosting only if you have the resources to maintain and patch it — a poorly maintained self-run password server is worse than a good SaaS.
Deployment: a 30-day plan
- Week 1 — foundations. Tenant configuration: SSO/SCIM, policies (mandatory MFA, master password strength), a vault structure mirroring teams, the emergency recovery mechanism tested on a dummy account.
- Week 2 — pilot. One team (ideally IT) + importing passwords from current locations. Collect issues with autofill and the sharing workflow.
- Week 3 — rollout. A short training (30 minutes suffices: master password, saving, sharing, reporting problems), the “why” communication and a hard deadline.
- Week 4 — clean-up. Migrate team passwords out of spreadsheets/notes, then delete the old sources (the most commonly skipped step — a “just in case” spreadsheet undoes everything) and rotate passwords that lived in them.
Afterwards: a quarterly review of the weak/reused password report and shared-vault access — 30 minutes that keeps things tidy.
Shared and service passwords: a chapter of their own
A manager also tames the hardest category — access that must be shared (the company social media account, a partner’s panel without named accounts) or that is purely technical. The rules:
- every shared password has an owner responsible for rotation and access review,
- you share via a team vault (revocable!), never via a messenger,
- rotate after anyone with access leaves — the manager will show you the list of what to rotate,
- machine secrets (API keys, pipeline passwords) ultimately don’t live in the human manager but in a secrets vault (Vault and the like) — a password manager is a tool for people.
Frequently asked questions (FAQ)
What if an employee forgets the master password? Business plans support administrative recovery (e.g. via an organisation’s encrypted recovery key) — the employee regains the vault without the provider’s involvement. Enable and test this mechanism before the rollout, and restrict it to two trusted admins with MFA, because it’s a powerful privilege.
Isn’t the browser enough? Chrome saves passwords too. For private use — better than nothing. In a company it lacks everything that matters: central policies, controlled sharing, off-boarding, reports. Browser-profile passwords also leak together with the profile (infostealer malware extracts them in seconds) — a manager with its own unlock raises the bar.
What if the manager vendor gets hacked? Industry incidents have happened and are the best test of the architecture: where zero-knowledge was implemented properly, attackers obtained encrypted vaults they couldn’t open. The practical lessons: a strong master passphrase (it’s what defends the vault offline), MFA on the account, and choosing a provider with a history of transparent incident communication.
Should we keep MFA codes (TOTP) in the manager too? Convenience tempts, but the vault then becomes a single point — password and second factor in one place. The compromise: TOTP in the manager for low-risk accounts, a separate app or hardware key for email, banking, cloud and admin accounts.
What does it cost and how do we sell it to the board? Typically tens of złoty per user per month. The board argument fits in one sentence: a single compromised shared password can cost more than a decade of licences — and an audit will almost certainly find a password spreadsheet somewhere in the company. Want us to check where your passwords live today and help with the migration? Get in touch.
Summary
A business password manager is one of the simplest security investments: it eliminates weak and reused passwords, civilises sharing and closes the off-boarding gap. Deployment is a month of work following the plan above — and the biggest trap isn’t the technology but the old spreadsheets left “just in case”. The end state: SSO + passkeys wherever possible, the manager for everything else.