Password Managers for Small Business: A Practical Guide
Everyone knows passwords are a problem. People reuse them. They write them on sticky notes. They make them “Spring2025!” and think that’s secure because it’s got a capital letter and a symbol.
Password managers solve most of this. But choosing one and actually getting your team to use it? That’s where it gets tricky.
Why You Actually Need One
Let me give you a scenario that happens constantly:
An employee signs up for a free tool using their work email and a password they use everywhere. That tool gets breached six months later. The employee has forgotten they even signed up. An attacker tries that email/password combination on Microsoft 365. It works. They’re in.
Password managers prevent this by:
- Generating unique, complex passwords for every account
- Storing them securely so people don’t need to remember them
- Making it obvious when a password has been reused or compromised
- Providing secure sharing so people aren’t texting passwords to each other
The ACSC recommends password managers as part of implementing strong authentication. Your cyber insurance questionnaire probably asks about them too.
What to Look For
Not all password managers are created equal. For a small business, here’s what matters:
Business-grade sharing. You need to share certain passwords - social media accounts, shared tools, emergency access. Consumer password managers either don’t support this or make it clunky. Business versions have proper folder sharing and role-based access.
Admin controls. Can you see who has access to what? Can you revoke access when someone leaves? Can you enforce password policies? If not, keep looking.
Breach monitoring. Good password managers will tell you when a saved password appears in a known breach, prompting an immediate change.
Browser integration. Your team will only use it if it’s easy. Auto-fill in browsers is essential.
Mobile apps. People access work systems from phones. The password manager needs to work there too.
Australian data residency. Some businesses, especially those handling sensitive data, want guarantees about where their encrypted vaults are stored.
The Main Options
1Password Business - My usual recommendation for small businesses. Clean interface, excellent sharing features, good admin controls. About $11 AUD per user per month.
Bitwarden Teams - The open-source option. Cheaper ($5 AUD/user/month), self-hosting available if you want it, and audited security. Interface is less polished but perfectly functional.
LastPass Teams - Used to be the default recommendation until they had multiple serious breaches. I’d avoid them now, but if you’re already using them, migrating isn’t urgent - I just wouldn’t start new with them.
Dashlane Business - Solid option with a built-in VPN. More expensive ($10+ AUD/user/month) and the VPN feature is unnecessary if you already have one.
Keeper Business - Strong security focus, good for compliance-heavy industries. Interface feels a bit dated.
For most small businesses, 1Password or Bitwarden are your best bets. The choice usually comes down to whether you want a more polished experience (1Password) or a more budget-friendly option (Bitwarden).
Rolling It Out
This is where most businesses fail. They buy the subscription, send an email saying “use this,” and wonder why adoption is 30% six months later.
Here’s how to do it properly:
Week 1: Admin setup
- Set up the business account
- Configure security policies (minimum password length, 2FA requirements)
- Create folder structures for different teams or departments
- Import any existing shared passwords
Week 2: Pilot group
- Start with 3-5 tech-comfortable staff
- Help them install browser extensions and mobile apps
- Have them import their personal passwords (yes, offer to manage personal passwords too - it increases adoption)
- Gather feedback on pain points
Week 3-4: Full rollout
- Schedule 30-minute group training sessions
- Cover installation, basic usage, and password generation
- Show how to save new passwords as they log in
- Emphasise that they don’t need to change everything at once - just start using it for new passwords
Ongoing: Monitor and support
- Check the admin dashboard to see adoption rates
- Follow up individually with people who haven’t installed it
- Address problems promptly - frustrated users will find workarounds
Common Objections (And How to Handle Them)
“What if the password manager gets hacked?” Good password managers use zero-knowledge architecture - they can’t see your passwords even if they wanted to. Your vault is encrypted with a key derived from your master password, which they never have. A breach of their servers would get attackers encrypted blobs they can’t read.
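The zero-knowledge arrangement described above, shown as an added example (not from the original article and not any vendor's code). It assumes scrypt for key derivation and AES-256-GCM for encryption; the function names and the sample vault entry are made up for illustration.

```javascript
// Added illustration, not any vendor's implementation. Assumed primitives:
// scrypt for key derivation and AES-256-GCM for the vault.
const crypto = require('node:crypto');

// Client side only: stretch the master password into a 256-bit vault key.
function deriveKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32,
    { N: 2 ** 15, r: 8, p: 1, maxmem: 64 * 1024 * 1024 });
}

// Client side only: encrypt the vault and return what gets uploaded.
function sealVault(masterPassword, entries) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(masterPassword, salt), iv);
  const ciphertext = Buffer.concat([
    cipher.update(JSON.stringify(entries), 'utf8'), cipher.final()]);
  // The record holds no password and no key, only salt, IV, tag and ciphertext.
  return { salt, iv, tag: cipher.getAuthTag(), ciphertext };
}

// Client side only: re-derive the key and decrypt. A wrong master password
// produces a different key, so the GCM tag check fails and null is returned.
function openVault(masterPassword, record) {
  const key = deriveKey(masterPassword, record.salt);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, record.iv);
  decipher.setAuthTag(record.tag);
  try {
    const plain = Buffer.concat([decipher.update(record.ciphertext), decipher.final()]);
    return JSON.parse(plain.toString('utf8'));
  } catch {
    return null;
  }
}

// Constructed sample data.
const sampleEntries = [{ site: 'payroll.example', user: 'sam', password: 'x7!Lq-constructed' }];
const serverRecord = sealVault('purple-elephant-dancing-awkwardly', sampleEntries);

// What someone holding the server's copy can see: no plaintext.
function serverCopyContains(record, needle) {
  return Buffer.concat([record.salt, record.iv, record.tag, record.ciphertext])
    .includes(Buffer.from(needle, 'utf8'));
}
```

Anyone holding the stored record can still guess master passwords offline against it, so the protection is only as strong as the master password and the key-derivation cost.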
“I can’t remember another password.” You only need to remember one - the master password. Make it long (a passphrase like “purple-elephant-dancing-awkwardly” is better than “P@ssw0rd!”). Everything else, the manager remembers.
“It’s slower than just typing my password.” Initially, maybe. But browser auto-fill is actually faster once you’re used to it. And more importantly, you’re not spending time on password resets because you forgot something.
“What if I lose access to the manager?” Set up emergency access or recovery options. Most business plans let admins reset user access. Keep your master password written somewhere secure (a physical safe, not a sticky note).
Getting People to Actually Use It
The hard truth: you can’t force password manager adoption without also changing how systems accept logins.
But you can make it the path of least resistance:
- Include it in onboarding. New hires set up the password manager on day one, before they create any passwords.
- Use it yourself, visibly. When someone asks you for a shared password, pull up the password manager in front of them. Model the behaviour you want.
- Share passwords only through the manager. Stop texting, emailing, or Slacking passwords. If someone needs access, share it properly.
- Praise good behaviour. When you see someone using it correctly, acknowledge it. People repeat what gets noticed.
- Address the holdouts. Some people will resist anything new. Have direct conversations about what’s blocking them. Sometimes it’s a genuine technical problem. Sometimes they just need to know it’s not optional.
What About Built-in Browser Password Managers?
Chrome, Safari, and Edge all have built-in password managers. They’re better than nothing, but they have limitations:
- No proper business sharing
- Limited admin visibility
- Tied to one browser
- No secure notes or other data types
If someone’s using their browser password manager, that’s actually a decent starting point - you can often import those passwords into a proper business manager.
Password hygiene across a team is one of those unglamorous security wins that makes a real difference. It’s not exciting. It won’t make headlines. But it quietly prevents a huge category of attacks.
Just do it.