
Password management

Passwords are the front door to everything your company runs on. Email, cloud infrastructure, source code, databases, financial systems — all of it is protected, first and foremost, by a password. Before firewalls, before encryption, before any other security control: if someone gets the password, they get in.

That's why password management isn't a nice-to-have. It's the foundation everything else is built on. You can have the best security tools in the world, but if your team reuses passwords, stores credentials in Slack, or shares the AWS root account via a Google Doc, those tools don't matter.

When security researchers analyze breaches at small companies, the same patterns show up repeatedly:

  • Someone reused their personal email password for a work account
  • A shared credential was stored in a Slack channel, and someone's account got compromised
  • An ex-employee's password still worked six months after they left
  • The AWS root account password lived in a Google Doc

These aren't sophisticated attacks. They're opportunistic. And they're preventable with one tool: a password manager.

Personal password manager vs. business password manager

Most developers already use a personal password manager. That's good. But a personal tool — even a good one — isn't built for company use.

Here's the difference:

A personal password manager is designed for one person managing their own accounts. It stores your passwords, syncs across your devices, and maybe lets you share a few items with a partner. That's the entire scope.

A business password manager is designed for teams, roles, and operational continuity. The feature set is fundamentally different because the problem is different:

                 Personal               Business
Users            One person             Teams, departments, the whole company
Sharing          Simple share links     Shared vaults with role-based access
Offboarding      Not applicable         Revoke access instantly across all systems
Audit            None                   Full log of every action, by every user
Administration   None                   Central admin console, policy enforcement
Compliance       None                   Audit reports, access reviews, GDPR tooling
DevOps           None                   CLI, API, CI/CD pipeline integration

Who actually uses a business password manager

A business password manager isn't just for the people storing passwords. It serves several distinct roles:

Employees — store and retrieve their own credentials, access shared vaults they've been granted permission to, use browser extensions and mobile apps.

Administrators — manage user accounts, create vault structures, set password policies, enforce MFA, handle onboarding and offboarding, review who has access to what.

Security specialists — run access audits, review the full activity log, identify weak or reused passwords across the organization, check which credentials haven't been rotated.

Auditors — pull compliance reports, verify that access controls are applied correctly, confirm that sensitive systems are protected per policy.

DevOps engineers — retrieve secrets programmatically via CLI or API for CI/CD pipelines, inject credentials into containers without hardcoding them, rotate secrets without touching deployment configs.

Why personal tools don't scale

The offboarding problem alone makes personal tools impractical for business. When someone leaves the company:

  • Their personal password manager account goes with them. If they stored company credentials in it, those credentials are still sitting in their vault.
  • Shared credentials sent via email or Slack are unrevokable — there's no way to know what was forwarded.
  • You can't get a list of what they had access to, because there's no central record.

With a business password manager, offboarding is one action: deactivate the account. Access to every shared vault is revoked immediately. The audit log shows every credential they accessed. You get a list of shared passwords they knew — and can rotate the ones that matter.

The same logic applies to access audits. Before a business password manager, "who has access to production AWS?" is a question you answer by asking people. After, it's a query.
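The offboarding step described above, worked through as an added example (not code from this course or from Passwork): given a vault membership table and an audit log, list what one deactivation revokes, which credentials the leaver demonstrably viewed or copied and so should be rotated first, and which others they could have read. The membership table, the log format and every record are constructed for illustration.

```python
"""Offboarding exposure check: which shared credentials could a departing user
have seen, and which ones should be rotated first?

Added example, not code from the original course or from Passwork. The vault
membership table, the audit-log format and every record below are constructed
to illustrate the workflow."""
from datetime import datetime

# Constructed vault membership: vault name -> users with read access.
VAULT_MEMBERS = {
    "infrastructure": {"alice", "bob"},
    "shared-services": {"alice", "bob", "carol"},
    "marketing": {"carol"},
}

# Constructed vault contents: vault name -> names of the credentials stored in it.
VAULT_ITEMS = {
    "infrastructure": ["aws-root", "hetzner-console", "prod-db"],
    "shared-services": ["twitter", "google-analytics"],
    "marketing": ["mailchimp"],
}

# Constructed audit log, one event per line: "<ISO timestamp> <user> <action> <vault>/<item>".
AUDIT_LOG = """\
2024-03-01T09:12:03Z bob view infrastructure/aws-root
2024-03-04T14:20:11Z alice view infrastructure/prod-db
2024-03-10T16:45:59Z bob view shared-services/twitter
2024-03-11T08:02:30Z bob copy infrastructure/prod-db
2024-03-12T10:00:00Z carol view marketing/mailchimp
"""


def parse_audit_log(text):
    """Parse the log into (timestamp, user, action, vault, item) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, path = line.split()
        vault, item = path.split("/", 1)
        stamp = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append((stamp, user, action, vault, item))
    return events


def offboarding_report(user, vault_members=VAULT_MEMBERS, vault_items=VAULT_ITEMS, log=AUDIT_LOG):
    """Return the three lists an offboarding needs.

    revoke            vaults the user is a member of (deactivating the account drops all of them)
    rotate_first      credentials the log shows the user actually viewed or copied
    rotate_eventually everything else in those vaults, which the user could have read
    """
    vaults = sorted(v for v, members in vault_members.items() if user in members)
    seen = sorted({f"{v}/{i}" for _, u, action, v, i in parse_audit_log(log)
                   if u == user and action in ("view", "copy")})
    reachable = {f"{v}/{i}" for v in vaults for i in vault_items.get(v, [])}
    return {
        "revoke": vaults,
        "rotate_first": seen,
        "rotate_eventually": sorted(reachable - set(seen)),
    }


if __name__ == "__main__":
    for key, values in offboarding_report("bob").items():
        print(f"{key:18} {', '.join(values) or '-'}")
```

The split between "rotate first" and "rotate eventually" is what the audit log buys you: without it, every credential in every vault the leaver could open has to be treated as known to them.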

Which password manager to use

This course is brought to you by Passwork, and it's what we recommend.

Passwork is a business password manager built around two core principles: zero-knowledge encryption and full control over your data. Here's what that means in practice:

Deployment options. Passwork comes in two flavors:

  • On-premise — installed on your own servers. Your passwords never leave your infrastructure. Full data sovereignty. Good for regulated industries, companies with strict security policies, or anyone who doesn't want to trust a third-party cloud with credential storage.
  • Cloud — hosted by Passwork. Faster to set up, no infrastructure to maintain. Still zero-knowledge — Passwork can't access your data even in the cloud version.

Security architecture. AES-256 and RSA encryption. Client-side encryption means passwords are encrypted before they leave your device. ISO 27001 certified. Independently tested by HackerOne. GDPR compliant. Trusted by government agencies and regulated organizations across Europe.

Team and admin features. Shared vaults with granular permissions, role-based access control, audit logs, compliance reports, Active Directory and LDAP integration, SAML SSO. Scales from 10 to 30,000+ users without needing to change tools.

DevOps integration. CLI for CI/CD pipelines, Python SDK, Docker and Kubernetes secret injection. If your team does deployments, Passwork can replace hardcoded credentials in your pipelines entirely.
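What "no hardcoded credentials in the pipeline" looks like in code, as an added example that is not from this course and is not Passwork's CLI or SDK: the job reads each credential from an environment variable the pipeline injects, aborts if one is missing, keeps it out of logs, and a small scan flags literals left behind in a config. The variable names, the Secret wrapper and the config lines are constructed.

```python
"""Keeping credentials out of pipeline code: read them from the environment
the CI/CD job injects, fail closed when one is missing, keep them out of logs,
and flag any literal that was left hardcoded in a config.

Added example, not code from the original course and not Passwork's CLI or
SDK. The variable names, the Secret wrapper and the config lines are constructed."""
import os
import re


class Secret:
    """Holds a credential; repr/str never reveal it, so it is safe in logs and tracebacks."""

    def __init__(self, value):
        self._value = value

    def reveal(self):
        """Only call this at the point of use (connection string, API header)."""
        return self._value

    def __repr__(self):
        return "Secret(<redacted>)"

    __str__ = __repr__


def load_secret(name, env=None):
    """Fetch a credential the pipeline injected as an environment variable.
    An empty or missing value aborts the job instead of silently running unauthenticated."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"required secret {name} was not injected")
    return Secret(value)


def secret_is_injected(name, env=None):
    """Start-up check: True if load_secret(name) would succeed."""
    try:
        load_secret(name, env)
        return True
    except RuntimeError:
        return False


# What hardcoded credentials usually look like in a config file:
# a credential-ish key with a literal value, or an AWS access key ID (AKIA + 16 chars).
_ASSIGN = re.compile(r"(?i)(password|passwd|secret|token|api_key)\s*[=:]\s*['\"]?([^'\"\s]+)")
_AWS_KEY = re.compile(r"\bAKIA[0-9A-Z]{16}\b")


def find_hardcoded(lines):
    """Return (line_no, reason) for each line carrying a literal credential.
    Values that reference an injected variable, e.g. ${DB_PASSWORD}, are allowed."""
    findings = []
    for n, line in enumerate(lines, 1):
        if _AWS_KEY.search(line):
            findings.append((n, "aws-access-key-id"))
            continue
        m = _ASSIGN.search(line)
        if m and not m.group(2).startswith("$"):
            findings.append((n, f"literal {m.group(1).lower()}"))
    return findings


# Constructed config fragment; line 4 is the pattern to aim for.
SAMPLE_CONFIG = """\
db_host=db.internal
db_password=hunter2
aws_access_key_id=AKIAIOSFODNN7EXAMPLE
api_token=${API_TOKEN}
"""

if __name__ == "__main__":
    for line_no, reason in find_hardcoded(SAMPLE_CONFIG.splitlines()):
        print(f"line {line_no}: {reason}")
    print("API_TOKEN injected:", secret_is_injected("API_TOKEN"))
```

Run find_hardcoded over your repo's config files before the rollout's enforcement week; every hit is a credential that belongs in a vault and should be injected at deploy time instead.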

Pricing. Standard plan starts at €3/user/month (billed annually). Independent research shows 30% lower total cost of ownership compared to comparable tools. Free trial available, no credit card required.

Don't use browser-only password storage — it doesn't support sharing or team management, and you lose access control when someone leaves.

Rolling out a password manager

Week 1: Setup

Create the team account. Set up the admin console. Create shared vaults for different purposes:

  • A vault for infrastructure credentials (AWS, cloud providers, hosting)
  • A vault for shared services (social media accounts, analytics, shared tools)
  • A vault for each team if needed

Configure the security settings: set master password strength requirements and enable 2FA for the password manager itself.

Week 2: Migration

Start with yourself. Move all your work passwords into the manager. Install the browser extension. Get comfortable with the workflow.

Then do the same for any shared credentials you know about. That AWS root account password in the Google Doc? Move it to the password manager and delete it from the doc.

Week 3: Team rollout

Invite team members. Run a 15-minute session showing how it works:

  • How to install the extension
  • How to save new passwords
  • How to access shared vaults
  • How to generate strong passwords

Give people a week to migrate their own passwords. Follow up with anyone who's struggling.

Week 4: Enforcement

Start requiring the password manager for new accounts. When someone needs access to a shared tool, they get it through the password manager, not through Slack or email.

Common objections

"I can remember my passwords"

You're probably reusing them. The password manager also lets you revoke access when someone leaves — which you can't do if credentials are in people's heads.

"It's inconvenient"

There's a learning curve, but it's about a week. After that, it's actually faster — you don't have to type passwords, and you never forget them.

"What if the password manager gets hacked?"

Your passwords are encrypted with a key derived from your master password before they leave your device. Even if the server is breached, attackers get only encrypted blobs, which they can't decrypt without your master password. That's better than passwords in a Google Doc.
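The zero-knowledge argument, worked through as an added example (not code from this course and not Passwork's implementation): the client stretches the master password into a vault key that never leaves the device and a separate login key, the server stores only a salt, a hash of the login key and the encrypted blob, and a full dump of the server is then checked for what it gives away. Key stretching uses PBKDF2-HMAC-SHA256 from the standard library; in place of AES-256, which the standard library does not provide, the vault is encrypted with an HMAC-SHA256 counter keystream plus an HMAC tag, a stand-in chosen to show the data flow, not a cipher to ship.

```python
"""Why a breached password-manager server yields only ciphertext.

Added example, not code from the original course and not Passwork's
implementation. Key stretching is PBKDF2-HMAC-SHA256 from the standard
library. In place of AES-256, which the standard library does not provide,
the vault is encrypted with an HMAC-SHA256 counter keystream plus an HMAC tag;
that is a stand-in to show the data flow, not a cipher to ship."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # work factor for the master password; products tune this higher


def derive_keys(master_password, salt):
    """Client side: stretch the master password into two independent 32-byte keys.
    The vault key never leaves the device; only the login key is sent to the server."""
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key, nonce, length):
    """Stand-in for a block cipher in counter mode (see module docstring)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key, plaintext):
    """Client side, encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))
    tag = hmac.new(vault_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key, blob):
    """Client side. Verifies the tag before touching the ciphertext."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(vault_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered vault")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(vault_key, nonce, len(ciphertext))))


def can_decrypt(vault_key, blob):
    """True if the key opens the blob; False on a wrong key or a modified blob."""
    try:
        decrypt_vault(vault_key, blob)
        return True
    except ValueError:
        return False


class Server:
    """Everything the provider holds per user: a salt, a hash of the login key, the blob.
    The master password and the vault key are never among it."""

    def __init__(self):
        self.records = {}

    def register(self, user, salt, login_key, blob):
        self.records[user] = {"salt": salt,
                              "login_hash": hashlib.sha256(login_key).digest(),
                              "blob": blob}

    def login(self, user, login_key):
        return hmac.compare_digest(self.records[user]["login_hash"],
                                   hashlib.sha256(login_key).digest())

    def dump(self):
        """What an attacker walks away with after a full server compromise."""
        return self.records


def demo(master_password="correct horse battery staple", item=b"aws-root: constructed-example-value"):
    """Register one user, log in, then evaluate a breach of the server's storage."""
    salt = os.urandom(16)
    vault_key, login_key = derive_keys(master_password, salt)
    server = Server()
    server.register("alice", salt, login_key, encrypt_vault(vault_key, item))
    stolen = server.dump()["alice"]
    wrong_vault_key, _ = derive_keys("not the master password", salt)
    return {
        "login_ok": server.login("alice", login_key),
        "plaintext_in_dump": item in stolen["blob"],
        "owner_can_read": decrypt_vault(vault_key, stolen["blob"]) == item,
        "attacker_can_read": can_decrypt(wrong_vault_key, stolen["blob"]),
    }


if __name__ == "__main__":
    print(demo())
```

The dump still has one use to an attacker: the salt and login hash are an offline guessing target for the master password, with the cost per guess set by the work factor. That is the reason the policy below insists on a long master password rather than leaving it to taste.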

Password policy

You need a written password policy. It should be one page, not ten.

Password policy

Password requirements:

  • All work accounts must use passwords generated by the company password manager
  • Minimum 16 characters (the password manager handles this automatically)
  • No password reuse across accounts

Password manager:

  • All employees must use Passwork for work passwords
  • Master password must be at least 16 characters
  • Never share your master password with anyone

Multi-factor authentication:

  • MFA is required for all critical systems (see MFA chapter)
  • Use TOTP apps, not SMS, where possible
  • Store backup codes in the password manager

Shared accounts:

  • Shared credentials must be stored in the password manager, never in documents or chat
  • Access to shared accounts is reviewed quarterly

That's it. One page. People will actually read it.
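The policy only matters if someone checks it, and the "security specialist" role above is the one who does: identify weak and reused passwords, and find shared credentials that missed their quarterly review. As an added example (not code from this course and not Passwork's report format), the script below applies the three checkable rules of the policy to a vault export. The export rows are constructed, and passwords are compared by keyed hash so the report never has to contain them.

```python
"""Turning the one-page policy into a check over a vault export: minimum 16
characters, no password reused across accounts, and shared credentials
reviewed or rotated within the quarter.

Added example, not code from the original course and not Passwork's report
format. The export rows are constructed, and passwords are compared by keyed
hash so the report never has to contain them."""
import hashlib
import hmac
from collections import defaultdict
from datetime import date

MIN_LENGTH = 16    # policy: minimum 16 characters
MAX_AGE_DAYS = 90  # policy: shared accounts reviewed quarterly

# Constructed export rows, one credential each.
EXPORT = [
    {"account": "aws-root", "vault": "infrastructure", "password": "Tq9!vL2#pX7$wN4@kE", "rotated": "2024-01-15", "shared": True},
    {"account": "prod-db", "vault": "infrastructure", "password": "Tq9!vL2#pX7$wN4@kE", "rotated": "2024-05-02", "shared": True},
    {"account": "twitter", "vault": "shared-services", "password": "summer2024", "rotated": "2024-05-20", "shared": True},
    {"account": "github-alice", "vault": "alice", "password": "m7Rz&3qKd!8pW2xV^f", "rotated": "2024-05-30", "shared": False},
    {"account": "analytics", "vault": "shared-services", "password": "x9#Lp2$Vq7!mR4&tZ1", "rotated": "2023-12-01", "shared": True},
]


def fingerprint(password, key):
    """Keyed hash of the password: equal fingerprints mean reuse, and the report
    can name the accounts without ever printing the password."""
    return hmac.new(key, password.encode(), hashlib.sha256).hexdigest()[:16]


def check_policy(rows, as_of, report_key=b"constructed-per-run-key"):
    """Apply the three policy rules as of the ISO date `as_of`. Returns sorted findings per rule."""
    as_of = date.fromisoformat(as_of)
    too_short = []
    by_fingerprint = defaultdict(list)
    stale_shared = []
    for row in rows:
        if len(row["password"]) < MIN_LENGTH:
            too_short.append(row["account"])
        by_fingerprint[fingerprint(row["password"], report_key)].append(row["account"])
        age_days = (as_of - date.fromisoformat(row["rotated"])).days
        if row["shared"] and age_days > MAX_AGE_DAYS:
            stale_shared.append((row["account"], age_days))
    reused = sorted(sorted(accounts) for accounts in by_fingerprint.values() if len(accounts) > 1)
    return {
        "too_short": sorted(too_short),
        "reused": reused,
        "stale_shared": sorted(stale_shared),
    }


def passes(rows, as_of):
    """True only when every rule is clean; usable as a gate in a scheduled job."""
    return not any(check_policy(rows, as_of).values())


if __name__ == "__main__":
    findings = check_policy(EXPORT, "2024-06-01")
    for rule, hits in findings.items():
        print(f"{rule:13} {hits or 'ok'}")
    print("policy passes:", passes(EXPORT, "2024-06-01"))
```

Run against the constructed rows as of 2024-06-01, this reports one password under 16 characters, one password shared between two accounts, and two shared credentials (one at 138 days, one at 183) past the quarterly window.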

Self-check

Before moving on, verify you've completed these items.

  • Team account created (Passwork on-premise or cloud)
  • Vault structure set up (infrastructure, shared services, teams)
  • Security settings configured (master password requirements, 2FA on the manager)
  • Your own passwords migrated
  • At least one shared credential moved from Slack/docs to password manager
  • Browser extension installed and working
  • Invite sent to at least one other team member
  • Password policy written (one page)

If you can check off at least 6 of these 8 items, move on.

What's next

Passwords sorted. Next: multi-factor authentication — adding a second layer so stolen passwords alone aren't enough to break in.