The Password Problem
Let's be honest about how most small businesses handle passwords:
- A shared spreadsheet that's been emailed around for years
- Post-it notes on monitors (we've all seen them)
- The same password for everything ("Spring2024!" anyone?)
- A notebook in someone's desk drawer
- Passwords shared via WhatsApp or email
If this sounds familiar, you're a data breach waiting to happen. When (not if) a password gets compromised, hackers will try it everywhere. If you reuse passwords, one breach becomes ten.
Why Password Managers Matter
A password manager solves the impossible equation: strong, unique passwords for every service, without needing superhuman memory.
**What it does**:
- Generates strong random passwords (no more "Company123!")
- Stores them securely in an encrypted vault
- Auto-fills login forms so you don't have to type
- Syncs across all your devices
- For teams: shares passwords without exposing them in plain text
**What it prevents**:
- Password reuse (the number one cause of account takeovers)
- Weak passwords that can be guessed or cracked
- Passwords lost when staff leave
- Passwords floating around in emails and messages
Choosing a Password Manager for Your Team
The Main Contenders
**1Password Business** - From £6.50/user/month
- Excellent interface, easy for non-technical staff
- Vaults for teams, projects, and individuals
- Watchtower alerts for compromised passwords
- Travel Mode to hide sensitive data at borders
- *Best for*: Teams wanting polish and ease of use
**Bitwarden Teams** - From £3.50/user/month
- Open source and independently audited
- Self-hosting option for the security-conscious
- Does everything you need at half the price
- Interface is functional rather than pretty
- *Best for*: Budget-conscious teams, or those wanting self-hosted
**Dashlane Business** - From £6/user/month
- Includes VPN (handy for remote workers)
- Built-in dark web monitoring
- Comprehensive admin controls
- Slick interface
- *Best for*: Teams wanting extras bundled in
**LastPass Business** - From £5.70/user/month
- Long-established, widely used
- Good admin features
- *Caveat*: Has had security incidents. They've improved, but it's worth noting
- *Best for*: Teams already using LastPass who don't want to migrate
**Keeper Business** - From £3.75/user/month
- Strong security focus
- Good compliance features
- BreachWatch dark web monitoring
- *Best for*: Regulated industries needing compliance documentation
Feature Comparison
| Feature | 1Password | Bitwarden | Dashlane | LastPass | Keeper |
|---------|-----------|-----------|----------|----------|--------|
| Monthly cost/user | £6.50 | £3.50 | £6 | £5.70 | £3.75 |
| Shared vaults | ✓ | ✓ | ✓ | ✓ | ✓ |
| Password generator | ✓ | ✓ | ✓ | ✓ | ✓ |
| Browser extension | ✓ | ✓ | ✓ | ✓ | ✓ |
| Mobile apps | ✓ | ✓ | ✓ | ✓ | ✓ |
| Dark web monitoring | ✓ | Paid addon | ✓ | ✓ | ✓ |
| Self-host option | ✗ | ✓ | ✗ | ✗ | ✗ |
| SSO integration | Enterprise | Enterprise | Business | Business | Business |
| Breach history | Clean | Clean | Clean | Yes (improved since) | Clean |
Setting Up Your Password Manager
Step 1: Choose Your Champion
Pick someone to own the rollout. They don't need to be technical, just organised and patient. This person will:
- Set up the admin account
- Create the folder/vault structure
- Invite team members
- Provide support during transition
- Handle offboarding
Step 2: Plan Your Vault Structure
Before you start, decide how you'll organise passwords. A typical small business structure:
```
📁 Company Vault (Everyone)
├── Social Media (Marketing team)
├── Website & Hosting (Tech/management)
├── Finance & Banking (Finance team only)
├── Suppliers (Relevant staff)
└── Internal Tools (All staff)
📁 Team Vaults
├── Sales Team
├── Operations Team
└── Management
📁 Personal Vaults (Each employee has their own)
```
Step 3: Start with Low-Risk Passwords
Don't migrate your banking passwords on day one. Start with:
- Social media accounts
- Newsletter tools
- Low-sensitivity supplier accounts
This lets people learn the system before trusting it with critical credentials.
Step 4: Roll Out to Your Team
1. **Send invites** through the password manager's admin console
2. **Provide clear setup instructions** (screenshots help)
3. **Hold a brief training session** (15-30 minutes is enough)
4. **Set a deadline** for everyone to be using it
5. **Be available** for questions in the first week
Step 5: Migrate Critical Passwords
Once everyone's comfortable:
- Banking and finance
- Domain registrar
- Hosting and infrastructure
- Email admin accounts
- Anything that would cause serious damage if compromised
Shared Vaults: Doing Them Right
The Golden Rules
**1. Need-to-know access**
Don't put everyone in every vault. Sales doesn't need banking passwords. Marketing doesn't need server credentials.
**2. Separate individual and shared**
Personal passwords (someone's LinkedIn login) stay in personal vaults. Company passwords (the company LinkedIn page) go in shared vaults.
**3. Document what's where**
Maintain a simple list of which vault contains what category of passwords. When someone needs access, you'll know where to look.
**4. Review access quarterly**
People change roles. Projects end. Do a quarterly audit of who has access to what.
Handling Shared Account Credentials
Some accounts can only have one login (old software, utility accounts, legacy systems). For these:
- Store it in the appropriate team vault
- Note in the password entry who typically uses it
- Consider whether the service offers multi-user plans
- Enable two-factor authentication where possible (store backup codes in the entry)
Two-Factor Authentication (2FA)
A password manager is half the security equation. The other half is two-factor authentication.
2FA in Your Password Manager
Most password managers can store TOTP (time-based one-time password) codes—those 6-digit codes that change every 30 seconds.
**Pros of storing 2FA in password manager**:
- Everything in one place
- Codes auto-fill just like passwords
- No fumbling with a separate authenticator app
- Codes are backed up (lose your phone, you're still fine)
**Cons**:
- All eggs in one basket
- If someone compromises your vault, they have passwords AND 2FA codes
**Our recommendation**: Store 2FA codes in your password manager for most accounts. For truly critical accounts (banking, domain registrar), use a separate authenticator app on a second device.
Offboarding: When Staff Leave
This is where password managers earn their keep. Without one, offboarding is a nightmare of changing passwords across dozens of services. With one:
Immediate Steps (Day of Departure)
1. **Remove their access** to the password manager immediately
2. **Review which vaults** they had access to
3. **Transfer ownership** of any items they created, if needed
4. **Revoke their sessions** (most password managers let you force logout all devices)
High-Priority Password Changes
Change passwords for services where the departing employee:
- Had admin access
- Could cause significant damage
- Had access to sensitive data
Typically:
- Banking and finance systems
- Domain registrar and hosting
- Social media accounts they managed
- Any system with customer data
- Email admin accounts
Lower Priority (But Still Do It)
Over the following week, change:
- General SaaS tools they used
- Supplier accounts
- Internal systems
The Not-So-Secret Advantage
With a password manager, you know exactly which passwords the leaver had access to. No guessing, no spreadsheets, no asking around. The audit trail is built in.
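The quarterly access review from the Golden Rules and the leaver checklist above are the same question asked twice: who can read which vault? As an added example (not code from the guide or from any password manager), this script answers both from a constructed vault layout that follows the structure suggested earlier; in practice the membership data would come from your product's admin console or CLI export, and the names, people and sensitivity tags here are made up.

```python
from collections import defaultdict

# Constructed sample vault layout (people, vault names and items are invented).
# Each item carries a sensitivity tag that decides how quickly it must be rotated.
VAULTS = {
    "Finance & Banking": {"members": {"maria", "dan"},
                          "items": {"Business bank login": "admin", "Accounting SaaS": "finance"}},
    "Website & Hosting": {"members": {"dan", "sam"},
                          "items": {"Domain registrar": "admin", "Hosting control panel": "admin"}},
    "Social Media":      {"members": {"sam", "priya"},
                          "items": {"Company LinkedIn": "social", "Newsletter tool": "low"}},
    "Internal Tools":    {"members": {"maria", "dan", "sam", "priya"},
                          "items": {"Wiki": "low"}},
}

# Rotation urgency per tag: 0 = change on the day of departure, 1 = within the week.
URGENCY = {"admin": 0, "finance": 0, "customer-data": 0, "social": 1, "low": 1}


def access_report(vaults):
    """Quarterly review view: who can see which vaults (user -> sorted vault names)."""
    report = defaultdict(list)
    for vault, info in vaults.items():
        for user in info["members"]:
            report[user].append(vault)
    return {user: sorted(names) for user, names in report.items()}


def offboarding_rotation_list(vaults, leaver):
    """Every credential the leaver could read, most urgent first, as (when, item, vault)."""
    todo = []
    for vault, info in vaults.items():
        if leaver not in info["members"]:
            continue                                # vault was never visible to them
        for item, tag in info["items"].items():
            urgency = URGENCY.get(tag, 1)           # unknown tags default to "within the week"
            when = "day of departure" if urgency == 0 else "within the week"
            todo.append((urgency, when, item, vault))
    return [(when, item, vault) for _, when, item, vault in sorted(todo)]


if __name__ == "__main__":
    for user, names in access_report(VAULTS).items():
        print(f"{user}: {', '.join(names)}")
    for when, item, vault in offboarding_rotation_list(VAULTS, "sam"):
        print(f"[{when}] rotate '{item}' ({vault})")
```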
Common Mistakes to Avoid
Mistake 1: Making the Master Password Weak
Your master password is the key to everything. Make it strong:
- At least 16 characters
- A passphrase works well: "correct-horse-battery-staple" style
- Something you can remember without writing down
- NOT reused from any other service
Mistake 2: Not Enabling 2FA on the Password Manager Itself
If someone gets your master password, 2FA is your last line of defence. Enable it.
Mistake 3: Storing Recovery Codes Insecurely
Two-factor recovery codes should be stored safely—printed and locked away, or in a separate secure location. Not in the same password manager they unlock.
Mistake 4: No Emergency Access Plan
What happens if the person who manages the password manager is hit by a bus? Most password managers have emergency access features:
- Designate a recovery contact
- Set up an emergency kit with recovery keys
- Store admin credentials in a physical safe
Mistake 5: Letting Browser Save Passwords
If you're using a password manager, disable browser password saving. Having passwords in two places defeats the purpose.
**Chrome**: Settings → Passwords → Offer to save passwords: Off
**Firefox**: Settings → Privacy & Security → Logins and Passwords: uncheck
**Safari**: Safari → Preferences → Passwords: uncheck AutoFill
**Edge**: Settings → Profiles → Passwords → Offer to save passwords: Off
Security Settings Worth Enabling
Vault Timeout
Set how long until the vault locks after inactivity:
- On shared computers: 5 minutes
- On personal devices: 15-30 minutes
- Never set to "never" on shared devices
Clipboard Clearing
Pasted passwords should be cleared from the clipboard automatically. Most password managers do this after 30-60 seconds.
Breach Monitoring
Enable notifications for when passwords appear in known data breaches. Act on these alerts promptly.
Activity Logs
For team plans, enable audit logs. Useful for security reviews and investigating incidents.
Getting Your Team On Board
The biggest challenge isn't technical—it's people. Here's how to get buy-in:
Address Common Objections
**"I can remember my passwords fine"**
Yes, because you're using the same one everywhere. That's the problem.
**"It's too complicated"**
It's actually easier. You remember one password and the manager handles hundreds.
**"What if I forget my master password?"**
You write it down and store it somewhere safe (at home, not at work). Or use a passphrase that's memorable.
**"I don't trust putting all passwords in one place"**
Your current system (email, spreadsheets, memory) is far less secure than an encrypted, audited password manager.
Make It Easy
- Install the browser extension and mobile app for everyone
- Pre-fill the shared vaults before rollout
- Create a cheat sheet for common tasks
- Offer one-to-one help for anyone struggling
Lead by Example
If management doesn't use the password manager, nobody else will. Make sure leadership is visibly on board.
A Quick Start Guide for This Week
**Monday**: Choose a password manager and sign up for a trial
**Tuesday**: Set up the admin account and vault structure
**Wednesday**: Migrate your own passwords to learn the system
**Thursday**: Invite two or three early adopters
**Friday**: Gather feedback and adjust
**Next Week**: Roll out to the full team
**Month One**: Migrate all business-critical passwords
The Bottom Line
A password manager isn't just a nice-to-have—it's essential security infrastructure for any business, no matter how small. The investment is minimal (£3-7 per person per month), and the alternative—a breach from a compromised password—could cost thousands.
Your future self, dealing with a clean offboarding or avoiding an account takeover, will thank you for making the switch.