Beter Geregeld ICT
Security without an IT department · 6 min read · 08 June 2026

Choosing a password manager for your SMB: what really matters?

Choosing a password manager isn't a matter of taste — but it's not rocket science either. A practical guide for business owners without an IT department.

Almost every business owner we talk to already knows that a password manager isn't a luxury. Yet in practice we see the decision either getting put off for years, or made in five minutes based on a podcast ad. Neither works. In this post we walk through what really matters when choosing a password manager for a business of 5 to 50 people.

What a password manager should do — and what it shouldn't

The basics are simple: one place where all passwords live, secured with a strong master password and two-factor authentication. Everyone gets their own vault, plus there are shared vaults for team accounts (think the info@ mailbox, the accounting software, or the company LinkedIn account).

What a password manager should not be: a dumping ground for random documents, a replacement for your IAM tool, or an excuse to share passwords that should really have stayed personal. Keep that line clear and the tool stays manageable.

The five criteria that actually matter

1. Real team functionality — not a family plan

Many small businesses start with a family plan from a consumer password manager. That works up to your fifth employee, and then it doesn't. You want role-based access, shared vaults per department, and the ability to revoke someone's access in a single click. Check whether you can group users and whether you can see who has access to which vault.

2. A clean offboarding flow

When someone leaves, you need to be able to block their access and rotate the shared passwords within a few minutes. Not all managers make that equally straightforward. Ask for a demo and have them walk through the scenario "employee is leaving today." If it looks messy, move on.

3. Logging and audit trail

Who viewed which password, and when? For a GDPR incident, a suspected data breach, or simply an access review, you need to be able to demonstrate this. An audit log isn't a luxury — it's evidence.

4. SSO and SCIM (if you can afford it)

If you're running Microsoft 365 with a decent licence, you'll want to connect your password manager to Entra ID. New employee added in Entra? Automatically gets an account in the password manager. Leaves the company? Automatically removed. This usually sits in a higher-tier plan, but saves a huge amount of manual work. For small teams it's overkill; from around 15 people it starts to pay off.

5. Where your data is stored

The major players use zero-knowledge encryption, meaning the vendor itself cannot see your passwords. Good. Also look at where the encrypted data is stored (EU is a plus for GDPR compliance) and how the vendor handles incidents. A past data breach isn't an automatic disqualifier — how they responded says far more.

The practical questions nobody ever asks

Beyond those five criteria, there are a few very basic questions you absolutely must ask during a demo:

  • Does it work on everyone's phone? iOS and Android both — and does the app recognise your credentials inside other apps?
  • What if someone forgets their master password? Is there a recovery flow, or is everything lost? And what does that mean for you as the administrator?
  • How easy is bulk import? You'll need to migrate 80 passwords from a spreadsheet or another tool without spending an entire evening on it.
  • Can you enforce separate 2FA per vault? Master password plus 2FA is the baseline, but for the real crown jewels you want an extra lock.

What we see working in practice

For most SMBs, this setup works well:

  1. One password manager for the whole company — not three different ones per department.
  2. A personal vault per employee — including for their private passwords, because otherwise they won't use it consistently.
  3. Shared vaults per team or project, with clearly defined owners.
  4. A separate vault for "admin / crown jewels" with very restricted access and extra 2FA.
  5. A six-monthly check: who is in which vault, and does that still make sense?

That last step isn't overkill. Skipping it is exactly why we so often find forgotten accounts at client sites: forgotten because no one ever looks.
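To make the six-monthly check (step 5), the "clearly defined owners" rule (step 3), the restricted admin vault (step 4) and the offboarding requirement from criterion 2 concrete, here is an added example script. It is not Beter Geregeld ICT's tooling and not tied to any vendor: the CSV export layout (vault, member, role) and the HR list are constructed assumptions, so the parser needs adapting to whatever your password manager actually exports. It flags leavers who still sit in a vault (and therefore which shared vaults need their passwords rotated), vaults with no owner, and restricted vaults that have grown beyond their intended size.

```python
"""Six-monthly vault access review (added example, not vendor code).

Assumption: the password manager can export vault membership as CSV with the
columns vault, member, role. Real exports differ per product; adapt parse_export.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export (format assumed, not a specific vendor's).
VAULT_EXPORT = """vault,member,role
Finance,anna@example.com,owner
Finance,bram@example.com,member
Finance,carla@example.com,member
Marketing,dirk@example.com,member
Marketing,carla@example.com,member
Admin - crown jewels,anna@example.com,owner
Admin - crown jewels,bram@example.com,member
Admin - crown jewels,dirk@example.com,member
"""

# Constructed sample: who HR says is currently employed. Carla has left.
ACTIVE_STAFF = {"anna@example.com", "bram@example.com", "dirk@example.com"}

# Vaults that must stay small (step 4): vault name -> maximum member count.
RESTRICTED_VAULTS = {"Admin - crown jewels": 2}


def parse_export(text):
    """Return {vault: [(member, role), ...]} from the assumed CSV export."""
    vaults = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        member = row["member"].strip().lower()
        role = row["role"].strip().lower()
        vaults[row["vault"].strip()].append((member, role))
    return vaults


def review(vaults, active_staff, restricted):
    """Run the access review and return the findings as sorted lists."""
    leavers = []    # (vault, member): access that should already be revoked
    no_owner = []   # vaults with nobody accountable for them
    oversized = []  # (vault, count, limit): restricted vault has grown
    for vault, members in sorted(vaults.items()):
        for member, _role in members:
            if member not in active_staff:
                leavers.append((vault, member))
        if not any(role == "owner" for _, role in members):
            no_owner.append(vault)
        limit = restricted.get(vault)
        if limit is not None and len(members) > limit:
            oversized.append((vault, len(members), limit))
    # Criterion 2: every shared vault a leaver could read needs its
    # passwords rotated, not just the membership removed.
    rotate = sorted({vault for vault, _ in leavers})
    return {
        "leavers": leavers,
        "no_owner": no_owner,
        "oversized": oversized,
        "rotate": rotate,
    }


def run_review():
    """Review the constructed sample data and return the findings."""
    return review(parse_export(VAULT_EXPORT), ACTIVE_STAFF, RESTRICTED_VAULTS)


if __name__ == "__main__":
    for kind, items in run_review().items():
        print(f"{kind}: {items if items else 'none'}")
```

Run it against a fresh export and the current HR list every six months; an empty result for all four findings is the outcome you are aiming for, and anything in `rotate` is work to do today, not at the next review.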

The biggest pitfall: rolling it out without a plan

Picking the tool is the easy part. The rollout is where things go wrong. People keep using their old spreadsheet "until things quieten down," or carry on saving passwords in their browser. So plan at least one joint session where everyone actually enters their first twenty passwords into the manager. And agree on a date: from day X, the spreadsheet, sticky notes, and browser storage are gone.

A password manager is one of those investments you look back on and think: I should have done this sooner. But only if you actually use it.

Want the bigger picture — how shared accounts stay secure, how to roll out 2FA, and how to manage access properly as people join and leave? Take a look at our 2FA implementation and access check services. We don't just help you choose — we help you actually get it done.

Topics

#mkb #security #tools #Wachtwoorden #2Fa

Full guide: Security for SMBs without an IT department: what do you do this quarter?

This article is part of our comprehensive Security without an IT department guide. Read the pillar for the complete picture.