The Cheapest Security Upgrade Your Business Can Make
The headline-grabbing data breaches always feature sophisticated hacking. The actual breaches small businesses experience are almost always boring: someone's password was "Welcome2022", they used it everywhere, it leaked from one service, and now their email, Facebook, accounting software, and customer database are all compromised.
The fix is unglamorous and cheap: a password manager. If you don't already use one, this is the single highest-return security upgrade your business can make.
What a password manager actually does
A password manager is software that does three things:
- Generates strong, unique passwords for every account you have
- Stores them all in an encrypted vault behind one master password (which is the only one you need to remember)
- Auto-fills them into websites and apps so you don't have to type them
That last bit matters more than people realise. Once you're using a password manager properly, you stop knowing your own passwords — they're random strings of 20+ characters. You log into your accounting software by clicking a button, not by typing.
Why it's not optional for a business
Three things change when you start running a business:
- You have far more accounts than a personal user. CMS, hosting, domain registrar, email, Stripe, Mailchimp, accounting software, social media, project management — easily 30+ logins.
- The consequences of one compromise are bigger. Your business email getting hacked isn't just embarrassing — it's how scammers reset every other password and lock you out.
- You may need to share access with others. Your accountant needs your Xero. Your developer needs hosting access. Your VA needs Mailchimp. Doing this without a password manager usually means sending passwords over email, which is a slow-motion security disaster.
The options worth knowing about
Bitwarden — open-source, free for personal use
Bitwarden is the option I recommend most often. Open-source (so security researchers can audit it), free for personal use, cheap for business, available on every platform. It also offers a self-hosted option if you'd rather host the password vault on your own infrastructure.
For a small business, the paid plan runs around the cost of a coffee per user per month. Worth it.
1Password — more polished, paid
1Password is the other widely trusted option. Better-looking interface, slightly more thoughtful design, but no free tier and no self-hosting. If "it should just work and look nice" matters more than "it should be free," this is the one.
Proton Pass — if you're already in the Proton ecosystem
Proton Pass is a newer entrant from the Proton suite I wrote about. Solid product. Worth considering if you're already paying for Proton anyway — it's included in the bundle.
KeePass — free, self-hosted, stuck in 2005
KeePass is the original open-source password manager. Genuinely secure, completely free, but the interface looks like Windows XP and the workflow is fiddly. Use it only if you're technical and stubborn.
What I'd actively avoid
- Browser-built-in password storage. Convenient, but limited to one browser, hard to share, and historically less secure than dedicated tools.
- LastPass. Past favourite, now best avoided after a series of breaches and increasingly aggressive pricing.
- A spreadsheet. Yes, people do this. No, it's not OK.
The setup is the hard part
The annoying truth about password managers is that the initial setup is tedious. You have to log into every account, generate a new password, save it, and update the account. For 30+ accounts, that's an evening of work.
But you only do it once. After that, every new account gets a generated password the moment you create it, and you never type a password again.
What about two-factor authentication?
Password managers can also store and generate the six-digit codes used for two-factor authentication, removing the most common excuse for not enabling 2FA on important accounts ("it's annoying to type the code"). With a password manager, the code auto-fills.
If you're not yet using 2FA on critical accounts (email, hosting, banking, social media), you should be — and a password manager makes it painless.
The bottom line
A password manager isn't an aspirational tool. It's a baseline. Every small business should be using one, on every account, full stop. Bitwarden if you want free or open-source, 1Password if you want polished, Proton Pass if you're already in their ecosystem.
Get in touch if you'd like a hand setting up a password manager for your business, or auditing where your existing credentials are stored.