How to choose a password manager
Using a password manager is an easy way for you and your staff to keep track of all the different passwords used to access your business programmes, services and systems. The right password manager will be easy to use and provide the appropriate level of security for your business and staff. The following guide is designed to provide you with more context to make those decisions.
What to consider when choosing a password manager
Before introducing any new system, it's a good idea to understand the people, processes, and technology that are involved.
Be sure to think about how a password manager will be used by your people, and how giving, changing or removing access to systems works in your business.
Consider the sensitivity of the data or information you are protecting, how many staff you have and how many accounts they need to access.
Things to watch out for
Not all password managers are made equal – here’s what to watch out for:
- Check out a range of reviews and research the security history of the product. Bear in mind that when searching for a password manager on the internet, the products that appear first in your search aren’t necessarily the most highly recommended.
- What privacy and security protections does the product provide to protect the passwords you’ll store in the password manager?
- Has the brand or password manager had a data breach before? How did they handle the data breach?
- If you decide to change services, does the product provide a way to extract or migrate your stored passwords in bulk (and if so, how is this protected to avoid it being used maliciously by attackers)?
Features to look for
There are some valuable features you should look for:
- Does the password manager include additional services such as monitoring for data breaches?
- Does the password manager offer two-factor (2FA) or multi-factor (MFA) authentication? There are many forms of 2FA but having some form of 2FA or MFA on your password manager is important.
- Does the password manager provide transparency about its security policies and practices (like recent security audits)?
Some password managers also offer features like:
- dashboards to monitor usage across your organisation
- user management options – for example, multiple roles that offer different levels of access
- policy management – for example, mandatory 2FA or a restriction on who can reset a master password
- security features like detailed access logs, the ability to integrate with an identity management system, or integration with popular cloud services
Cloud, local or in-browser?
There are three main types of password manager: cloud-based, local drive-based, and browser-based. They all work slightly differently to store and secure your passwords. When choosing which one is right for your business, you need to assess the benefits, risks, and how your staff will be using it.
Cloud-based password managers
- Store your passwords in the cloud, meaning they can be accessed from multiple devices. This is a real advantage if you do a lot of work on your laptop and mobile phone. But it means you need to be careful – only access your password manager on trusted devices and browsers – and be sure to enforce 2FA for access.
- Often allow you to share specific passwords when necessary. This can be useful if there are accounts – for example, for social media – that several staff members need access to.
- May also offer the option for your staff to create their own 'safe' within the password manager to store their personal passwords in.
- Tend to offer a range of other optional add-ons.
Local drive-based password managers
- Store your passwords on your computer’s local drive. This means an attacker could only access them if they managed to get access to your computer – if you left it unattended and unlocked, for example, or if they managed to work out your computer password.
- Can be a good option if you have a lot of financial trading or bank account passwords.
- Rely on you making regular back-ups of your computer to keep the passwords secure.
- Can't be accessed by your staff from home or on a mobile device, so they're less useful if you offer flexible working.
Browser-based password managers
- Are built into your browser, such as Microsoft Edge or Google Chrome.
- Are easy to use – a message just pops up when you log in to a website asking if you want the browser to save your password.
- Some may not offer the same level of security protection, or other features that make them easy to use.
- Store your passwords locally on your computer (unless your browser is synced to your other devices, in which case the passwords can be accessed from them as well) – so an attacker could only access your browser-based passwords if they managed to get access to your computer. For example, if you left it unattended and unlocked, or if they managed to work out your master password.