TheLogic IT Solutions

Cyber Security

Password Managers: Why Every Business Needs One and How to Pick the Right One

Updated 22 April 2026

Before we get into it, two uncomfortable numbers.

81% of hacking-related breaches involved stolen or weak passwords (Verizon 2017 Data Breach Investigations Report).

Over 15 billion unique credential pairs have been exposed in public data breaches, and those are just the ones we know about. Anything your staff have reused on a third-party site that got breached is probably in that pile, and anyone with a copy will try those passwords against your Microsoft 365 tenant (credential stuffing).

The fix isn't "train people to make better passwords"; we've tried that for 20 years and it doesn't work. The fix is a password manager.

Why password reuse happens

A typical employee signs into around 80 different services for work and personal life combined. Nobody can remember 80 unique, complex passwords. So they reuse three or four, maybe with a number on the end, across everything. Which means when any one of those 80 services gets breached, the attacker gets a password that probably works on several others.

That's not a moral failing. It's what happens when human memory is asked to do something it can't.

A password manager solves the problem by remembering the passwords for them. One master password; everything else is random, unique, and never reused.

What a password manager actually does

Three core things:

  1. Stores credentials in an encrypted vault, usernames, passwords, sometimes secure notes and payment cards
  2. Generates strong random passwords when you sign up for a new service, or when you change an old one
  3. Autofills those credentials when you need to sign in, via a browser extension or mobile keyboard integration

The vault is encrypted on your device with a key derived from the master password through a deliberately slow key-derivation function. The provider only ever holds the encrypted blob and never sees the master password or the key. That is what "zero knowledge" means, and it's a hard requirement, not a marketing bonus.

Beyond that, the business-grade tools add:

  • Secure sharing between staff, "share the office Wi-Fi password with the finance team" without anyone seeing the plaintext
  • Role-based access, marketing gets the social media passwords, finance doesn't
  • Audit logs, who accessed what, when
  • Dark web monitoring, alerts when staff credentials appear in a public breach
  • Policy enforcement, minimum complexity, forced MFA on the vault, rotation rules
  • SSO integration, sign in once to your identity provider, vault unlocks
  • Emergency access, if an admin gets hit by a bus, another trusted person can recover the vault

Personal vs business tools

Staff using a personal password manager for work is better than no password manager, but it's not a business solution. The problem is what happens when someone leaves:

  • Personal tool → the passwords leave with them, and you have no record of what they held. You have to rotate every shared credential and hope you found them all.
  • Business tool → the admin revokes their access, the shared credentials stay in the company vault, and the audit log tells you exactly which ones they could see, so you rotate those rather than guessing. (Revocation stops future access; it can't undo anything they already copied, which is why you still rotate.)

Business password managers also give the admin a view the personal ones don't: who's sharing credentials with whom, whether MFA is on for every user, whose vault has weak or reused passwords.

Short version: pay for a business product. Don't try to make LastPass Free or the browser's built-in manager scale, neither was designed for the job.

Features to look for

When evaluating a business password manager, the boxes to tick:

Security fundamentals

  • Zero-knowledge architecture, the provider can't decrypt your vault even under legal order. Non-negotiable.
  • Published security model, reputable vendors document the cryptography. Ask to see their whitepaper.
  • Track record, LastPass's 2022 breach taught the industry a lot; the good vendors have responded, the bad ones pretended nothing happened.
  • MFA for the vault itself, mandatory, ideally with hardware keys (YubiKey) supported

Admin capability

  • SCIM / directory sync, users auto-provision from Entra ID or Google Workspace
  • SSO, sign in with your existing identity, vault opens
  • Granular role controls, not every admin should see every vault
  • Audit export, logs can be pulled out for compliance
  • Secure sharing with permission tiers, view-only, can-edit, can-share-on

User experience

  • Cross-platform, Windows, Mac, iOS, Android, and at least Chrome / Edge / Firefox / Safari extensions
  • Offline access, works without an internet connection
  • Smooth autofill, bad autofill is why users fall back to saving in the browser
  • Password change assistance, flags weak, reused, or breached passwords and walks users through changing them

Compliance

  • SOC 2 Type II report (it's an audit attestation, not a certificate, so ask for the report rather than the badge)
  • ISO 27001
  • GDPR-compliant data processing, ideally with EU or UK data residency
  • HIPAA if you're anywhere near healthcare data

Common objections, and the answers

"What if the password manager itself gets breached?"

If the vendor is zero-knowledge, an attacker who steals the vault store gets a pile of encrypted blobs and no keys. Each blob then has to be brute-forced offline on its own: every guess costs one run of the key-derivation function, and with a long, unique master password and a high iteration count that is infeasible. LastPass's 2022 breach is instructive: the encrypted vaults were stolen, and accounts with a long master password and a high PBKDF2 iteration count were effectively safe, while short master passwords, or older accounts still on a low iteration count, were exposed to offline cracking. Two caveats: zero knowledge only covers what the vendor actually encrypts (LastPass stored site URLs in the clear, so the thief learned where each user had accounts), and MFA on the vault protects the login, not a stolen copy of the file.

The practical lesson: pick a vendor with a sound, published security model, enforce long master passwords, require MFA on the vault, and the blast radius of a provider breach is much smaller than the blast radius of not using a password manager.
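To make the two points above concrete (the vault is encrypted client-side with a key derived from the master password, and a stolen copy has to be brute-forced offline one guess per KDF run), here is an added example. It is not code from TheLogic, Keeper or LastPass, and it uses only the Python standard library, so HMAC-SHA256 in counter mode stands in for the AES-GCM a real product would use. The vault contents, the wordlist, the "strong" passphrase and the two iteration counts are all constructed for the demonstration; 600,000 is OWASP's current guidance for PBKDF2-HMAC-SHA256, 5,000 is a deliberately low count chosen to show the difference.

```python
"""
Added example (not vendor code): a minimal zero-knowledge vault and the
offline attack an attacker mounts against a stolen copy of it.
Standard library only: HMAC-SHA256 in counter mode stands in for AES-GCM.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed settings. 5,000 is deliberately low to show the effect;
# 600,000 is OWASP's current guidance for PBKDF2-HMAC-SHA256.
LOW_ITERATIONS = 5_000
OWASP_ITERATIONS = 600_000


@dataclass
class VaultBlob:
    """Everything the provider stores, and therefore everything a thief gets."""
    salt: bytes
    iterations: int
    nonce: bytes
    ciphertext: bytes
    tag: bytes


def derive_keys(master_password: str, salt: bytes, iterations: int) -> Tuple[bytes, bytes]:
    """Client-side KDF. The master password never leaves the device; only the
    derived (encryption_key, mac_key) pair exists, and only in memory."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=64)
    return root[:32], root[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC in counter mode as a stand-in stream cipher (toy; use AES-GCM in practice)."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal_vault(master_password: str, plaintext: bytes, iterations: int) -> VaultBlob:
    """Encrypt-then-MAC on the client, fresh random salt and nonce per vault."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return VaultBlob(salt, iterations, nonce, ct, tag)


def open_vault(master_password: str, blob: VaultBlob) -> Optional[bytes]:
    """Plaintext on success; None if the password is wrong or the blob was tampered with."""
    enc_key, mac_key = derive_keys(master_password, blob.salt, blob.iterations)
    expected = hmac.new(mac_key, blob.salt + blob.nonce + blob.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob.tag):
        return None
    stream = _keystream(enc_key, blob.nonce, len(blob.ciphertext))
    return bytes(c ^ k for c, k in zip(blob.ciphertext, stream))


def offline_guess(blob: VaultBlob, wordlist: List[str]) -> Tuple[Optional[str], int, float]:
    """The attacker's loop over a stolen blob: no server, no rate limit, no MFA.
    Each guess costs exactly one KDF run. Returns (hit, guesses_made, seconds)."""
    start = time.perf_counter()
    for n, candidate in enumerate(wordlist, start=1):
        if open_vault(candidate, blob) is not None:
            return candidate, n, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


def seconds_per_guess(iterations: int) -> float:
    """Measure the attacker's per-guess cost for a given iteration count."""
    start = time.perf_counter()
    derive_keys("x", os.urandom(16), iterations)
    return time.perf_counter() - start


# Constructed vault contents and a constructed breach-corpus wordlist.
VAULT_CONTENTS = b"office-wifi: Office-Guest / Summer2024!\nm365-admin: admin@example.test / Xk9vQ2mLp7Rt\n"
WORDLIST = ["password", "Password1", "Welcome123", "Summer2024!", "letmein", "Qwerty123!"]
STRONG_MASTER = "correct-staple-lantern-octopus-velvet-7"  # long, unique, not in any corpus


if __name__ == "__main__":
    weak = seal_vault("Summer2024!", VAULT_CONTENTS, LOW_ITERATIONS)
    hit, n, secs = offline_guess(weak, WORDLIST)
    print(f"weak master, {LOW_ITERATIONS} iterations: cracked as {hit!r} after {n} guesses in {secs:.3f}s")

    strong = seal_vault(STRONG_MASTER, VAULT_CONTENTS, OWASP_ITERATIONS)
    hit, n, secs = offline_guess(strong, WORDLIST[:3])
    print(f"strong master, {OWASP_ITERATIONS} iterations: {hit!r} after {n} guesses in {secs:.2f}s")
    per = seconds_per_guess(OWASP_ITERATIONS)
    print(f"attacker cost per guess: {per:.3f}s, x{OWASP_ITERATIONS // LOW_ITERATIONS} the cost at {LOW_ITERATIONS}")
```

Two things to notice when you run it. The weak vault falls in four guesses because the master password is itself a breach-corpus entry, and no iteration count rescues that. The strong vault survives not because the attacker is blocked (there is nothing to block; it's their file now) but because every guess costs a full KDF run and the passphrase is not in any list, which is exactly the "long, unique master password plus a high iteration count" combination the section above describes.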

"My staff are old-school, they won't use it."

Fair. Rollout matters. Start with the exec team (they have the most valuable credentials), demonstrate the autofill experience, and make the onboarding a 20-minute walkthrough rather than a PDF. Most resistance melts once someone realises they no longer have to think about passwords at all.

"We're too small to need this."

Small businesses are the most common target for credential-stuffing attacks because they rarely have MFA everywhere and rarely spot the breach for weeks. Pricing for business password managers is £3–£6 per user per month, less than a client lunch per year per staff member. There's no budget argument for not having one.

"Can we just use the browser?"

Chrome / Edge / Safari built-in password saving has improved, but it gives you none of the business admin features: no managed sharing, no role controls, no audit trail, no central reporting of weak or breached passwords, no offboarding. It's fine for personal use. It's not a business control.

Rollout notes

A typical rollout for a 20-person firm:

  1. Week 0, select the tool, licence everyone, connect to Entra ID for SCIM provisioning
  2. Week 1, admin team onboarded, master passwords set, MFA enforced, emergency access configured
  3. Week 2, all staff onboarded in small batches with a 20-minute group session
  4. Weeks 2–4, staff migrate their current passwords in (the tool will typically import from Chrome/Safari/1Password exports)
  5. Month 2, dark-web monitoring flags any still-weak or breached passwords; staff change them with autofill making it a 10-second job
  6. Ongoing, shared credentials are moved from email/Slack/spreadsheets into the shared vault; role-based access is tuned

By month three you have a business that can prove every user has unique, complex passwords; MFA is on every vault; and no shared credential sits in an email inbox anywhere.

The two products we deploy

We're an authorised partner for both Keeper and LastPass. Broadly:

  • Keeper, stronger on compliance and admin granularity, best when compliance / audit matters
  • LastPass, simpler admin, easier for staff already familiar with the brand

There's full detail on both in our Password Managers page, including a deep dive into Keeper specifically. For most clients, either works, we recommend based on your compliance requirements and your team's comfort with new tooling.

The bottom line

Password managers aren't a nice-to-have. They're the only scalable way to prevent password reuse, and password reuse is the most common way attackers get into SME accounts.

Price it per user per month, roll it out properly, and it quietly becomes the most cost-effective security control you run. If you want help choosing and deploying one, let's talk.