If you had to pick one security tool that delivers the most protection per dollar spent, it's a password manager. Not a firewall. Not a fancy antivirus suite. A password manager. The reason is straightforward: the vast majority of business breaches don't start with sophisticated hacking — they start with someone reusing a password from a site that got breached years ago.

According to the Verizon Data Breach Investigations Report, stolen or weak credentials are involved in over 80% of hacking-related breaches (the 81% figure first appeared in the 2017 edition). That's not a new finding — it's been consistently true for years, and it's still not fixed. The solution is dead simple and it costs almost nothing to implement.

Why password reuse is a bigger problem than you think

Most people know they shouldn't reuse passwords. Almost everyone does it anyway. The problem isn't ignorance — it's that remembering dozens of unique, complex passwords is genuinely impossible without help.

Here's what actually happens: a staff member signs up for some third-party service — a webinar platform, a freelance marketplace, an industry forum — using their work email and a password they also use elsewhere. That service gets breached (these happen constantly — check Have I Been Pwned to see how many times your email has appeared in a known breach). Attackers take that credential dump and replay the email/password pairs against other services — your email, your CRM, your accounting software — with automated tooling. This is called credential stuffing. It's cheap, largely automated, and it works precisely because the password is the same everywhere: a unique password per site means a leaked one opens nothing else.

The scale of the problem: Have I Been Pwned tracks billions of compromised credentials. As of 2025, the database contained over 14 billion breached accounts. The odds that at least one person in your team has a reused password sitting in that database are not small.

The fix isn't telling people to use better passwords. That doesn't work. The fix is removing the cognitive burden entirely by giving them a tool that generates and stores unique, complex passwords for every single account.

What a password manager actually does

A password manager stores all your credentials in an encrypted vault — locked behind one strong master password (and ideally 2FA on top of that). With Bitwarden and 1Password the vault is encrypted on your device before it syncs, so the provider only ever holds ciphertext it can't open. Browser extensions auto-fill logins. Mobile apps handle your phone. You never have to remember or type a password again, except the one master password to unlock your vault.

For businesses, team-focused password managers add shared vaults — so you can give staff access to the company social accounts, for example, without them ever needing to see or type the actual password. When someone leaves, you revoke their access in one place. One caveat: revoking access stops future use, but it doesn't un-know anything they could have read out of the vault while they had it, so still rotate the shared credentials a leaver could reach. The manager makes that painless, because the new value shows up for everyone else automatically instead of being passed around by chat message.

The other underrated benefit: they generate passwords. Instead of "Summer2024!" you get something like "X7$mK#qP2nLw9vRt" — 16 characters drawn at random from letters, digits and symbols, which works out to roughly 100 bits of entropy. It has never been used anywhere else, it won't turn up in any breach list, and it can't be guessed or brute-forced in any practical timeframe.

Bitwarden vs 1Password vs Dashlane — an honest comparison

Bitwarden — best value, open source

Bitwarden is open source, so the client and server code can be inspected by anyone, and the company also publishes regular third-party security audits. That's a genuine trust advantage. The free tier is actually usable for individuals, and the Teams plan runs around NZD$6–7 per user per month. It's not the slickest interface, but it's solid, and that transparency matters for a security tool.

1Password — best polish, best business features

1Password is the most polished option and the one most larger businesses default to. The Teams plan runs around NZD$8–10 per user per month. Features like Travel Mode (hide specific vaults when crossing borders), detailed audit logs, and a slick admin console make it worth the small premium for teams that need visibility and control. Their browser extension and mobile apps are excellent.

Dashlane — strong security features, higher cost

Dashlane includes built-in dark web monitoring and a VPN, which sounds appealing until you realise bundled VPNs are rarely the quality you'd want for actual privacy. It's more expensive than the alternatives and the extras aren't particularly compelling for most small businesses. Not a bad product, just harder to justify the cost.

Recommendation

For most NZ/AU small businesses: start with Bitwarden Teams if budget is tight, or 1Password Teams if you want the polished experience and better admin tooling. Either is vastly better than what you're doing now.

How to actually roll this out across your team

The technical setup takes less than an hour. The harder part is getting people to actually use it. Here's a realistic approach:

  1. Start with the admin account. Set up the organisation, configure your security policies (minimum master password length, 2FA required for every member), and test the experience yourself before rolling it out.
  2. Invite in batches, not all at once. Send invites to a small group first, work out any friction points, then roll to the full team. If everyone hits the same confusion simultaneously, it becomes a support nightmare.
  3. Give people a specific task on day one. Don't just say "use this from now on." Ask everyone to migrate their top five most-used work credentials within the first week. Low bar, concrete outcome.
  4. Create shared vaults for shared accounts. Social media, billing portals, shared tools — these go into a shared vault with appropriate access levels. This alone removes most of the "I need that password" friction.
  5. Enforce it for new accounts from day one. If anyone sets up a new work account with a password they made up rather than one the manager generated, that account goes back in and gets a generated password. This habit is the whole point.

Most teams are fully functional with a password manager within a week. The time saved on forgotten-password resets alone typically covers the subscription cost within the first month.

The master password problem — and how to solve it

The one legitimate concern with password managers is that they are a single point of failure: if your master password is compromised, everything is compromised. This is real but manageable.

First, enable 2FA on your password manager account — this is non-negotiable. Someone who phishes your master password still can't sign in to the service without your second factor. Be clear about what it covers, though: 2FA gates logins to the provider, not the encryption itself. An attacker who gets hold of an offline copy of your encrypted vault (a device backup, an export left on a laptop) plus the master password never touches the login screen, which is why the master password itself still has to be strong. (1Password additionally mixes a device-held Secret Key into the encryption key, which is one reason its Emergency Kit matters so much.) Second, make the master password genuinely strong — a passphrase of four or five words chosen at random is memorable and extremely hard to crack. The "at random" part matters: pick the words with the manager's own generator or with dice, not out of your head. Five words from a 7,776-word list such as the EFF long list give about 64 bits of entropy, which is plenty when every guess has to go through the vault's key-derivation function. Something like "tangerine-frost-orbital-desk" is far more secure than "P@ssword123" and much easier to remember. Third, store your emergency recovery kit somewhere physically secure — most password managers give you an emergency sheet (recovery codes, and for 1Password the Secret Key) when you set up an account. Print it, put it somewhere safe, and don't lose it.
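The two generation claims in this article (the 16-character random password in the comparison section, and the four- or five-word random passphrase for the master password) come down to the same arithmetic: draw every character or word with a cryptographically secure random source, then count bits. The code below is an added example, not code from the article or from any of the password managers compared. The short word list is constructed for the demo, the "common word + year + symbol" model of a human-chosen password is a rough assumption used only to show the gap, and the two guess rates (a round 1e12/s against a fast unsalted hash, an assumed 1e6/s against a KDF-stretched master password) are illustrative figures, not measurements.

```python
import math
import secrets
import string

# Added example (not from the article or from any password manager's code).
# A generator's job is two things: draw every character or word with a
# cryptographically secure RNG (the `secrets` module here), and give the user
# enough draws that the result is out of reach for guessing.

SYMBOLS = "!#$%&*+-/:;<=>?@^_~"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 81 characters

# CONSTRUCTED short word list for the demo. A real generator uses a list of
# several thousand words such as the EFF long list (7776 words).
SAMPLE_WORDS = [
    "tangerine", "frost", "orbital", "desk", "granite", "velvet",
    "compass", "lantern", "meadow", "saddle", "thunder", "willow",
]
EFF_LONG_LIST_SIZE = 7776


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Uniform random characters; `secrets.choice` is unbiased and CSPRNG-backed."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: list[str], n_words: int = 5, sep: str = "-") -> str:
    """Random words from a list; repeats are allowed, which keeps the maths exact."""
    if n_words < 1 or len(words) < 2:
        raise ValueError("need a positive word count and at least two words")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(choices: int, draws: int) -> float:
    """Entropy of `draws` independent uniform picks from `choices` options."""
    return draws * math.log2(choices)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case for the attacker: try every candidate. Expected time is half."""
    return 2.0 ** bits / guesses_per_second


# ASSUMED rough model of a human-chosen "Word2024!" style password: a common
# word (~100k options) + a year (~100) + a trailing symbol (~10).
PATTERN_CANDIDATES = 100_000 * 100 * 10


def compare(guesses_per_second: float = 1e12) -> dict[str, float]:
    """Years needed to exhaust each case at the given (assumed) guess rate."""
    cases = {
        "pattern (Summer2024!)": math.log2(PATTERN_CANDIDATES),
        "16 random chars": entropy_bits(len(ALPHABET), 16),
        "5 random EFF words": entropy_bits(EFF_LONG_LIST_SIZE, 5),
    }
    seconds_per_year = 365.25 * 86400
    return {
        name: seconds_to_exhaust(bits, guesses_per_second) / seconds_per_year
        for name, bits in cases.items()
    }


if __name__ == "__main__":
    print("password  :", generate_password())
    print("passphrase:", generate_passphrase(SAMPLE_WORDS))
    # 1e12/s: assumed GPU rate against a fast unsalted hash leaked by a website.
    # 1e6/s: assumed rate against a master password stretched by a KDF.
    for rate in (1e12, 1e6):
        for name, years in compare(rate).items():
            print(f"{name:22s} {years:9.3g} years at {rate:.0e} guesses/s")
```

Two things the numbers make obvious. The "Summer2024!" pattern falls in well under a second at either rate, which is why password rules about capitals and symbols don't help. And a five-word passphrase that would be exhaustible within about a year against a fast unsalted hash becomes a matter of hundreds of thousands of years once each guess has to pass through the vault's key-derivation function, which is the whole reason the master password is stretched rather than hashed once.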

Bottom line: a password manager does concentrate your credentials in one place, so that place has to be defended well (a strong master passphrase, 2FA, the recovery sheet kept safe). In exchange it eliminates the much larger attack surface of reused, weak, and forgotten credentials spread across dozens of sites. The tradeoff is clearly worth it.

There's no reasonable argument for not using one. The cost is negligible, the setup is straightforward, and the risk reduction is immediate. If your team is still managing credentials in a shared spreadsheet, a notes app, or their own heads — that's a breach waiting to happen. Fix it this week.

Your website is part of your security posture too. GhostRoutine builds websites with security baked in from the start — not bolted on after the fact. If you want a site that's built right, let's talk.

Book a free call →