Skip to main content

The Pros and Cons of Using a Password Manager

Media 7 Smart Ways to Secure Your Wireless Printer & Keep Your Home Network Safe

Is a Password Manager the Safest Way to Protect Your Business Accounts?

Most businesses now rely on dozens of online accounts.

Employees may need passwords for Microsoft 365, banking, accounting software, social media, cloud storage, customer databases, supplier portals and specialist business applications.

Remembering a different password for every account is difficult. As a result, employees may reuse passwords, create predictable variations or store login details in spreadsheets, notebooks and unsecured documents.

A password manager can provide a more secure and manageable alternative.

It stores login details inside a protected digital vault, allowing employees to use strong and unique passwords without needing to remember every one of them.

However, placing important credentials in one system naturally raises questions:

  • What happens if the password manager is compromised?
  • Could an attacker gain access to every saved password?
  • What if an employee forgets their main password?
  • Should businesses trust a cloud-based password manager?
  • Is a password manager still required when multifactor authentication is enabled?

Password managers can provide significant security benefits, but they must be carefully selected, configured and managed.

What is a password manager?

A password manager is an application or service used to generate, store and retrieve passwords.

The saved credentials are normally held inside an encrypted vault. The user accesses the vault using a primary password, which may also be called a master password.

Depending on the product, a password manager may also provide:

  • Automatic password generation
  • Website and application autofill
  • Password sharing
  • Multifactor authentication
  • Security reports
  • Compromised-password warnings
  • Shared business vaults Access controls
  • Administrator reporting
  • Emergency access
  • Passkey storage

The National Cyber Security Centre explains that password managers help users create and store account credentials securely while reducing the need to remember large numbers of passwords.

Why is password reuse dangerous?

Reusing the same password across several accounts creates a significant security risk.

If one website is compromised and the password is exposed, criminals can try the same email address and password on other services.

This is commonly known as credential stuffing.

For example, an employee may use the same password for a personal shopping account and a business application. If the shopping website is breached, the exposed password could potentially be used to access the business system.

Even small variations may not provide much protection.

Changing `Summer2025!` to `Summer2026!` is predictable. An attacker who has obtained an older password may try similar versions.

The NCSC recommends using a different password for each important account because a compromised password can otherwise provide access to several services.

The advantages of using a password manager

1. Employees can use unique passwords

The main advantage of a password manager is that employees no longer need to remember every login.

The password manager can generate a different password for each account and save it automatically.

This makes it practical to use passwords that are:

  • Long
  • Random
  • Difficult to guess
  • Different for every account
  • Unrelated to personal information

Without a password manager, employees often choose passwords that are memorable. Unfortunately, memorable passwords are frequently easier for attackers to predict.

The NCSC states that password managers make it easier for employees to use unique passwords and reduce their reliance on insecure workarounds.

2. Strong passwords can be generated automatically

A password manager can create complex passwords without requiring the employee to invent them.

For example, instead of using:

`CompanyName2026!`

the password manager may create a long, random password containing unrelated letters, numbers and symbols.

The employee does not need to type or remember it because the password manager can enter it when required.

This can improve password quality across the business and remove the temptation to use familiar names, dates or keyboard patterns.

3. Password managers can reduce phishing risk

Many password managers only autofill a login when the website address matches the one saved in the vault.

Imagine that an employee receives an email containing a link to a fake Microsoft 365 login page.

The page may look genuine, but the website address is different. A properly configured password manager may refuse to autofill the credentials because the domain does not match.

This can act as a useful warning that the employee may not be visiting the genuine website.

The NCSC identifies domain-matched autofill as a feature that can help protect users against phishing websites.

This protection should not replace employee awareness or email security, but it provides another useful layer.

4. Shared passwords can be managed more securely

Some business accounts are shared between several authorised employees.

Examples may include:

  • Social media accounts
  • Supplier portals
  • Website administration
  • Emergency administrator accounts
  • Shared service accounts
  • Certain financial systems

Without a password manager, the login may be sent through email, written in a document or shared through a messaging application.

This makes it difficult to control who has the password or identify where copies have been stored.

A business password manager can allow an authorised user to access a shared credential without necessarily revealing or manually copying the password.

Access can then be removed when the employee changes role or leaves the company.

Where possible, businesses should still create separate named user accounts rather than sharing credentials. Shared passwords should be limited to situations where the service does not support individual accounts.

5. Access can be removed more easily

When an employee leaves the business, somebody should remove their access to company systems.

If passwords have been shared informally, the organisation may need to change each one manually.

A centrally managed password manager can make this process easier.

The administrator may be able to:

  • Remove the employee from business vaults
  • Revoke their sessions
  • Transfer ownership of saved credentials
  • Check which shared items they could access
  • Rotate particularly sensitive passwords
  • Disable the user’s password-manager account

The NCSC recommends regularly reviewing who can access important business accounts and removing people who no longer require access.

A password manager does not replace a proper employee offboarding process, but it can make that process more controlled.

6. Weak and reused passwords can be identified

Many business password managers provide security reports that identify:

Reused passwords
Weak passwords
Old passwords
Credentials found in known breaches
Accounts without multifactor authentication
Unsecured shared passwords

This can help the organisation focus on the highest-risk accounts.

For example, the report may identify that the same password is being used for the company’s website, social media and supplier portal.

The business can then replace those credentials with separate passwords.

7. Passwords can be synchronised across devices

Employees increasingly work from several devices.

They may use a desktop in the office, a laptop at home and a mobile phone while travelling.

A cloud-based password manager can securely synchronise approved credentials across those devices.

This can reduce the likelihood of employees sending passwords to themselves or storing them in unsecured notes simply because they need access on another device.

The NCSC identifies cross-device synchronisation as an important benefit of cloud-based password managers, while also noting that cloud synchronisation creates additional security considerations.

8. It can improve productivity

Employees can lose time searching for passwords, requesting resets or becoming locked out of accounts.

Autofill and central password management can make signing in quicker.

An IT support team may also spend less time handling forgotten passwords and manually distributing shared credentials.

The greatest benefit is achieved when the password manager is simple enough for employees to use consistently.

A technically secure product that employees find too difficult may encourage them to return to insecure workarounds.

The NCSC specifically advises businesses to consider usability because employees may avoid a password manager that is difficult or inconvenient to use.

The disadvantages of using a password manager

1. The vault becomes an important target

A password manager can hold access to many business systems in one place.

This makes it valuable to attackers.

If a criminal gains access to an employee’s vault, they may obtain several passwords rather than only one.

The risk is especially serious when the vault contains:

  • Microsoft 365 administrator credentials
  • #Banking details
  • Backup administration passwords
  • Firewall logins
  • Domain registrar access
  • Cloud administrator accounts
  • Remote-access credentials

The NCSC recognises that password managers are natural targets because compromising one vault could provide access to all the passwords stored within it.

This does not mean password managers should be avoided. It means access to the password manager must be protected particularly carefully.

2. The primary password is extremely important

The main password protecting the vault must be strong and unique.

If an employee uses a weak primary password, an attacker may be able to guess it or obtain it through phishing.

The primary password should never be:

  • Used on another account
  • Shared with colleagues
  • Stored in an unsecured document
  • Sent through email
  • Based on the employee’s name
  • A predictable company password

The NCSC advises users to protect password-manager accounts with two-step verification so that knowing the primary password alone is not enough to access the vault.

For sensitive business vaults, a phishing-resistant authentication method or hardware security key may be appropriate where supported.

3. Forgetting the primary password can cause problems

Some password managers use a security design where even the provider cannot decrypt or recover the vault.

This can provide strong protection, but it also means forgetting the primary password may result in permanent loss of access.

Other business products offer administrator recovery, emergency access or account-reset options.

These features improve availability but may introduce additional risk if an administrator account is compromised.

The organisation must decide how to balance:

  • Strong encryption
  • Employee recovery
  • Emergency business access
  • Administrator control
  • Protection against misuse

The NCSC recommends understanding exactly how recovery works, who can initiate it and whether the provider can access encrypted credentials.

4. Password managers can contain software vulnerabilities

No application is completely free from security weaknesses.

Password managers can have vulnerabilities in:

  • Browser extensions
  • Desktop applications
  • Mobile applications
  • Cloud services
  • Synchronisation systems
  • Recovery processes
  • Third-party integrations

This is why the chosen password manager must be regularly updated and obtained from a reputable provider.

The business should review how the provider handles:

  • Security testing
  • Vulnerability reports
  • Encryption
  • Incident notifications
  • Independent audits
  • Data storage
  • Software updates
  • Access logging

The NCSC advises that password managers, like any other software, may contain vulnerabilities and should be assessed accordingly.

5. A provider could experience a security breach

Storing passwords in an online service means trusting the provider’s technology and security practices.

In December 2025, the Information Commissioner’s Office fined LastPass UK Ltd £1.2 million following an investigation into a 2022 breach affecting personal information associated with up to 1.6 million UK users.

The ICO stated that there was no evidence that customer passwords were decrypted, but the attacker obtained customer information and encrypted backup data. The incident illustrates why password-manager providers must be assessed carefully and why sensitive vaults require strong primary passwords, multifactor authentication and secure devices.

Importantly, the ICO continued to describe password managers as safe and effective tools while stressing that providers must implement appropriate security controls.

A provider breach does not automatically mean every vault has been opened, particularly where strong encryption and a zero-knowledge design are used. However, the event may still expose metadata and encrypted information to future attack attempts.

6. Employees may store passwords in the wrong place

Some password managers allow employees to maintain both personal and business vaults.

This can create confusion.

An employee could accidentally save a business password inside their personal vault. The organisation may then lose control of that credential when the employee leaves.

The reverse can also happen, with personal passwords being stored in a company-controlled vault.

Businesses should clearly separate personal and business credentials.

The NCSC recommends making it difficult for users to accidentally save work passwords in personal vaults or personal credentials in work vaults.

This should be supported by clear policies and employee training.

7. It creates dependence on one service

Employees may depend on the password manager to access most of their business systems.

If the service becomes unavailable, they may temporarily be unable to retrieve their credentials.

Possible causes include:

An internet outage
A provider outage
An expired subscription
A failed synchronisation
A damaged device
An account lockout
A browser-extension problem
An authentication-service failure

Businesses should understand what offline access is available and create an emergency-access process for essential credentials.

Critical recovery information should not depend entirely on the same system it is intended to recover.

For example, the password required to access the password manager’s emergency settings should not exist only inside the locked password manager.

8. There is a financial cost

Consumer password managers may be free or inexpensive, but business products normally charge per user.

Additional costs may apply for:

  • Administrator controls
  • Single sign-on integration
  • Advanced reporting
  • Security-key support
  • Directory synchronisation
  • Emergency access
  • Audit logs
  • Premium support

The cost should be compared with the risks and administration created by unmanaged passwords.

A low-cost product may be suitable for a very small organisation, but larger businesses may need central controls, reporting and reliable offboarding features.

9. Initial setup takes time

Introducing a password manager requires more than purchasing licences.

The business may need to:

  • Create policies
  • Configure authentication
  • Import existing credentials
  • Remove insecure password documents
  • Set up shared vaults
  • Assign permissions
  • Train employees
  • Establish recovery procedures
  • Update joining and leaving processes
  • Review administrator access

Existing passwords may also need to be changed if they have previously been reused or shared insecurely.

This work takes time, but it can improve the organisation’s long-term security.

10. A password manager does not remove every password risk

A password manager cannot prevent every type of account compromise.

An attacker may still gain access through:

  • A stolen authenticated session
  • Malware on the employee’s device
  • A fraudulent multifactor-authentication request
  • An insecure recovery process
  • A compromised browser
  • Social engineering
  • Excessive account permissions
  • A malicious authorised user

Password managers should therefore form part of a wider security strategy rather than being treated as a complete solution.

Browser password manager or dedicated business product?

Most modern browsers can save and generate passwords.

For an individual using their own secured devices, this can be considerably safer than reusing passwords or storing them in an unsecured file.

The NCSC states that major browsers can safely store passwords on a user’s own devices, provided those devices, browsers and associated accounts are properly protected and updated.

However, businesses may require additional capabilities that browser-based managers do not always provide.

These may include:

Central administration
Business-owned vaults
Detailed audit logs
Secure password sharing
Employee offboarding
Role-based permissions
Security reports
Emergency access
Separation of work and personal credentials
Company-wide policy enforcement

Employees should never allow a browser to save business passwords on public or unmanaged shared computers.

The correct choice depends on the size, systems and risk level of the organisation.

Should administrator passwords be stored in a password manager?

Administrator credentials require particularly strong protection.

These accounts may provide access to:

  • Microsoft 365
  • Servers
  • Firewalls
  • Backups
  • Cloud environments
  • Security systems
  • Website hosting
  • Domain management

Storing administrator credentials in a properly secured business password manager can be safer than keeping them in spreadsheets, documents or shared messages.

However, privileged credentials should be placed in restricted vaults accessible only to authorised people.

The organisation should consider:

  • Separate administrator vaults
  • Mandatory multifactor authentication
  • Hardware security keys
  • Access logging
  • Approval workflows
  • Regular credential rotation
  • Emergency-access procedures
  • Separate administrator accounts for each engineer
  • Alerts for unusual vault access

The NCSC recommends multifactor authentication whenever password managers hold credentials for privileged or sensitive accounts.

For highly privileged access, a specialist privileged-access-management solution may be more appropriate than a general employee password manager.

Do you still need multifactor authentication?

Yes.

A password manager and multifactor authentication protect against different risks.

The password manager helps employees create and store unique passwords.

Multifactor authentication provides an additional check when someone attempts to sign in.

Even if a password is stolen, the attacker should still need the second authentication factor.

The NCSC describes two-step verification as one of the most effective ways to protect important online accounts and recommends enabling it on password-manager accounts themselves.

Where available, businesses should consider phishing-resistant methods such as security keys, device-bound passkeys or certificate-based authentication.

What about passkeys?

Passkeys allow a user to sign in without entering a traditional password.

They are designed to be resistant to phishing because the authentication is linked to the genuine website or application.

Password managers increasingly store and synchronise passkeys alongside traditional credentials.

The NCSC recommends using passkeys as the first choice where they are available. For accounts that do not yet support passkeys, it recommends continuing to use a unique password with two-step verification.

Passwords are unlikely to disappear immediately, so password managers will remain useful while businesses gradually introduce passkeys.

How should a business choose a password manager?

Before selecting a product, the organisation should consider:

Encryption

Passwords should be strongly encrypted both when stored and when synchronised.

The provider should clearly explain how its encryption works and whether it can access the contents of customer vaults.

Multifactor authentication

The product should support strong multifactor authentication, especially for administrators and cloud-based vaults.

Business administration

Administrators should be able to create teams, assign vault access, remove employees and transfer business credentials.

Recovery options

The business should understand what happens when an employee forgets their primary password or leaves unexpectedly.

Audit logs

The product should provide suitable records of administrator changes, shared access and security events.

Device support

The password manager should work securely across the devices and browsers employees actually use.

Employee experience

The product should be straightforward enough for employees to use consistently.

Provider security

The organisation should review the provider’s security history, audits, certifications, breach-notification process and approach to vulnerability management.

Data location and privacy

The business should understand what data is collected, where it is processed and which subcontractors are involved.

Export and exit arrangements

The organisation should be able to securely export business credentials if it changes provider.

The NCSC advises organisations to select a password manager based on security, usability and the way employees will actually use the product.

How should a business deploy a password manager?

A sensible rollout may include:

1. Reviewing how passwords are currently stored and shared.
2. Identifying business-critical and administrator accounts.
3. Selecting a suitable business password manager.
4. Enforcing multifactor authentication.
5. Creating separate personal, team and administrator vaults.
6. Importing existing credentials securely.
7. Replacing weak, shared and reused passwords.
8. Training employees to recognise phishing attempts.
9. Documenting recovery and emergency-access procedures.
10. Adding the password manager to employee onboarding and offboarding.
11. Reviewing access and security reports regularly.
12. Introducing passkeys where supported.

The password manager should be introduced as a business security system, not simply another optional application.

Common password-manager mistakes

Password managers provide the greatest benefit when they are properly managed.

Common mistakes include:

  • Reusing the primary password elsewhere
  • Failing to enable multifactor authentication
  • Sharing one password-manager account between employees
  • Giving every user access to every vault
  • Mixing personal and business credentials
  • Storing recovery information insecurely
  • Ignoring compromised-password reports
  • Allowing unmanaged devices to access sensitive vaults
  • Failing to remove former employees
  • Keeping administrator passwords in general employee vaults
  • Not testing account-recovery procedures
  • Choosing a product based only on price

These mistakes can reduce or even undermine the security benefits of the service.

Are password managers safe for businesses?

Password managers are not risk-free.

They concentrate sensitive credentials in one place and can become attractive targets for cyber criminals.

However, the alternative is often worse.

Without a suitable password manager, employees may reuse passwords, choose weak credentials or store them in places that provide little protection or accountability.

The NCSC’s assessment is that, while password managers are not perfect, their benefits generally outweigh their risks and their use improves organisational security overall.

Our view is that most businesses should use a centrally managed password solution for accounts that cannot yet be protected with single sign-on or passkeys.

The password manager should be protected with strong authentication, secure devices, appropriate permissions and regular access reviews.

How can Hamilton Group help?

At Hamilton Group, we can help your business improve the way passwords and privileged accounts are managed.

We can assist with:

  • Password-manager selection
  • Business password-manager deployment
  • Shared vault configuration
  • Multifactor authentication
  • Microsoft 365 security
  • Single sign-on
  • Conditional Access
  • Passkey adoption
  • Administrator account reviews
  • Employee onboarding and offboarding
  • Cyber security policies
  • Security awareness training
  • Dark-web and compromised-password monitoring
  • Privileged-access management
  • Cyber Essentials preparation

We can also review how passwords are currently being stored and identify risks such as shared spreadsheets, reused passwords, unmanaged administrator accounts and former employees who still have access.

A password manager cannot prevent every cyber attack, but it can remove many of the unsafe password practices that leave businesses exposed.

Contact Hamilton Group to discuss how a managed password solution could help protect your employees, systems and business information.

Call us on 0330 043 0069 or book an appointment with one of our experts.