Of all the security tools we recommend to small business clients, a password manager is the one that pays for itself fastest. It solves the "I have 47 passwords and they're all variations of my dog's name" problem in about a day, and it dramatically lowers the odds that a breach on one website turns into a breach on every account you own.

This post is what we tell every new client when we look at how they're handling logins.

What a Password Manager Actually Does

It generates and remembers a unique, strong password for every site you use, autofills logins, and lets you securely share passwords with employees without anyone seeing the actual characters. The only password you have to remember is the one master password for the manager itself.

Most of them also do:

  • Audits of which passwords are weak, reused, or have shown up in known breaches
  • Secure notes (for things like WiFi passwords, software license keys, server credentials)
  • Two-factor authentication code storage (so the manager handles both factors)

Why Sticky Notes and Spreadsheets Don't Cut It

Here are the most common password setups we see when we walk into a small office for the first time:

  • A sticky note on the monitor (anyone walking past sees it)
  • A spreadsheet on the desktop named "passwords.xlsx" (the first thing malware looks for)
  • "Password1!" with the number changing every quarter (catastrophically weak and reused)
  • A Word doc shared with the staff (no audit, no encryption, no version control)

None of those scale, none of them are safe, and all of them disappear the day the computer dies.

What We Recommend

For most small businesses around here, one of these:

Bitwarden — Free for personal use, very low cost for teams. Open-source, can be self-hosted if you want full control. This is what we use ourselves.

1Password — Paid only, but polished and very small-business-friendly. Their team features are excellent. Worth the money if you want zero friction.

Built-in browser managers (Chrome, Edge, Safari) — Better than nothing, but limited. They only work in that browser, can't share with employees properly, and aren't a great fit for a multi-device, multi-person business.

Setting It Up for a Small Office

The migration is easier than people expect. Here's the rough plan we use with clients:

  1. Pick a manager. Don't agonize — they all do the basics well. Bitwarden or 1Password are both fine.
  2. Set a strong master password. This is the only one you need to remember. Make it a passphrase — four random words is better than P@ssw0rd!.
  3. Install on every device. Browser extension, phone app, anywhere you log in.
  4. Migrate gradually. Don't try to do all 47 sites at once. As you log into each site over the next month, save the credentials, change weak passwords to generated strong ones, and move on.
  5. Audit. After a month, run the manager's built-in audit. Replace any reused or breached passwords.

A Note on Shared Business Credentials

The bookkeeper needs the QuickBooks login. The marketing person needs the social media password. The new hire needs the office WiFi password. Today, these things probably get texted around, written down, or shared by email. A password manager has shared "vaults" or "collections" for exactly this — change a password once, and everyone who needs it sees the new one automatically. Nobody types it in.

Quick Check Before You Call

Open your browser's saved passwords page (chrome://settings/passwords on Chrome). Look at the list. If you see the same password used on three or more sites, you're a target. A single breach on the weakest of those sites compromises all of them.
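As an added example (not the post's own code, and not any vendor's tool), here is a small Python script that runs the three-or-more-sites check from the paragraph above, plus the reused and weak part of the step 5 audit, against a password export in the CSV layout Chrome's "Export passwords" produces; it assumes the column headers are name,url,username,password, the rows are constructed sample data, and the report groups passwords by a hash prefix so nothing from the vault is printed.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample in the assumed Chrome export layout (name,url,username,password).
# Every site, account and password here is made up for the example.
SAMPLE_EXPORT = """name,url,username,password
accounting,https://accounting.example.com/,books@example.com,Password1!
bank,https://bank.example.com/,owner@example.com,Password1!
social,https://social.example.com/,marketing@example.com,Password1!
newsletter,https://newsletter.example.com/,marketing@example.com,Fido2019
router,http://192.168.1.1/,admin,mQ7!vL2#pX9@kR4$
"""


def load_export(text):
    """Parse a CSV password export into a list of (site, username, password) rows."""
    reader = csv.DictReader(io.StringIO(text))
    return [(row["url"], row["username"], row["password"]) for row in reader]


def fingerprint(password):
    """Short SHA-256 prefix so the report can group a password without printing it."""
    return hashlib.sha256(password.encode()).hexdigest()[:8]


def reused_passwords(rows, min_sites=3):
    """Map fingerprint -> sorted sites for any password used on min_sites or more
    distinct sites (the post's 'same password on three or more sites' rule)."""
    sites_by_pw = defaultdict(set)
    for site, _user, password in rows:
        sites_by_pw[password].add(site)
    return {fingerprint(pw): sorted(sites)
            for pw, sites in sites_by_pw.items() if len(sites) >= min_sites}


def weak_passwords(rows, min_length=12):
    """Sites whose password is short or is the quarterly 'Password1!' pattern."""
    flagged = []
    for site, _user, password in rows:
        base = password.rstrip("!@#$%^&*0123456789").lower()
        if len(password) < min_length or base in {"password", "p@ssw0rd"}:
            flagged.append(site)
    return sorted(flagged)


if __name__ == "__main__":
    rows = load_export(SAMPLE_EXPORT)
    for fp, sites in reused_passwords(rows).items():
        print(f"password {fp}... is reused on {len(sites)} sites: {', '.join(sites)}")
    print("weak or short:", weak_passwords(rows))
```

To run it on a real export, replace SAMPLE_EXPORT with the file contents and delete the export file afterwards, since it holds every password in plain text.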

When It's Time to Get This Set Up

We help clients set up password managers as part of a security review. The whole thing takes a couple of hours, and it pays itself back the first time it stops you from getting locked out of an account at the worst possible moment.