Almost every small agency I have worked with has the same problem: passwords live in a spreadsheet, in a Notion page, in someone's notes app, or in a shared Google Doc. The day a junior leaves, nobody remembers which credentials they had access to. The day a client account gets compromised, nobody knows when it was last rotated. The day the laptop with the spreadsheet dies, panic.

A password manager solves all three problems for 3 euro per user per month. The trade-offs between the main options are smaller than the marketing makes them sound. Pick one, deploy it, get on with the work.

What a password manager actually has to do for a team

The features that matter, in order of importance:

  1. Each member has a personal vault: passwords only they see.
  2. Shared vaults or collections: passwords visible to a defined group (the design team, the dev team, all admins).
  3. Per-credential access control: this client's CMS login is shared with two specific people, not the whole team.
  4. Audit log: who accessed which credential when, who shared what with whom.
  5. Off-boarding workflow: removing a leaver in one click, without losing the credentials they had access to.
  6. Browser autofill that does not get tricked by phishing pages.
  7. TOTP storage for the team-shared accounts whose second factor is a TOTP secret rather than one person's phone.

These are the basics. Anything else (passkey storage, secrets management for CI, dark-web monitoring, family plans) is bonus.

The four real options

Bitwarden Teams / Enterprise

Open source server, hosted version at 4 USD per user per month for Teams, 6 USD for Enterprise. Self-hostable for free if you want to run it yourself (Vaultwarden, the unofficial Rust reimplementation, is the popular choice). Strong on the basics, weak on polish. The mobile and desktop apps are functional but less elegant than 1Password.

The good: open source, audited, fair pricing, you can self-host, supports passkeys and TOTP.

The not-so-good: the UI feels engineering-grade. Some flows take more clicks than they should. The team admin panel is functional, not friendly.

Recommended for: technical teams that value transparency over polish. Anyone who wants to self-host.

1Password Teams / Business

Commercial, closed source. 8 USD per user per month for Business. The best UI in the category. Strong native apps, fast browser extensions, smooth mobile apps, well-designed sharing flows.

The good: the best user experience by a clear margin. Adoption is faster, training is shorter. The Watchtower feature flags reused passwords, weak passwords, breached credentials. CLI tool for developers, integration with Terraform, GitHub Actions, AWS.

The not-so-good: closed source, so you are trusting 1Password the company rather than code you can inspect. Higher price than Bitwarden.

Recommended for: teams where smooth daily use matters more than being open source. Agencies with non-technical members who will resist a clunky tool.

Dashlane

Commercial. Around 6 USD per user per month for Business. Less popular among technical teams than the previous two, more popular in HR-heavy organisations. Decent UX, weaker developer features, less ecosystem.

Recommended for: niche cases where 1Password and Bitwarden do not fit, often because of a specific compliance requirement.

Keeper

Commercial, enterprise-focused. Heavy compliance feature set, integrations with SSO providers, hardware key MFA enforcement. Pricier than the above. The choice for organisations with strict security policies (banks, healthcare, government suppliers).

Recommended for: regulated environments. Overkill for a small agency.

What I would deploy on day one

For a small agency or a 5-person team starting from a Google Doc:

Choose: Bitwarden Teams if at least one person on the team is comfortable with Linux/CLI; 1Password Business if not. Both will work; the question is which fits the team's daily comfort better.

Set up the structure:

  • One shared collection per client. Inside it: hosting, registrar, CMS admin, FTP, mailbox if separate.
  • One shared collection "Internal" for tools the team uses (GitHub org, Cloudflare, the team's accounting tool, the design subscriptions).
  • Personal vaults for everything that belongs to the individual.

Access policy: by default, everyone in the team can read the "Internal" collection. Each client collection is shared only with the people on that account. Admin (you) sees everything.

Onboarding: every new member gets their personal vault and access to "Internal". Client access is added per-project.

Off-boarding: when someone leaves, rotate every credential they had access to. The password manager makes the list trivial. Then remove them.
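The access policy and off-boarding rule above, modelled in code as an added example (not from any password manager's API or from the original post): collections and memberships are constructed sample data, and the functions derive what each member can read, the rotation list for a leaver, and any client credential that has drifted into team-wide visibility.

```python
"""Model the day-one vault structure and derive the lists an admin needs:
what each member can see, what to rotate when someone leaves, and whether
any client collection is effectively shared with the whole team.
All names below are constructed sample data, not real accounts."""

# Constructed: collection name -> credential names stored in it.
COLLECTIONS = {
    "Internal": {"github-org", "cloudflare", "accounting-tool", "figma"},
    "Client: Acme": {"acme-hosting", "acme-registrar", "acme-cms-admin", "acme-ftp"},
    "Client: Bravo": {"bravo-hosting", "bravo-cms-admin"},
}

# Constructed: member -> collections granted. Everyone gets "Internal";
# client collections are granted per project; the admin sees everything.
MEMBERSHIP = {
    "alice": {"Internal", "Client: Acme", "Client: Bravo"},  # admin
    "bob": {"Internal", "Client: Acme"},
    "carol": {"Internal", "Client: Bravo"},
    "dave": {"Internal"},
}

def visible_credentials(member):
    """Every credential a member can read via the collections they are in."""
    creds = set()
    for coll in MEMBERSHIP.get(member, set()):
        creds |= COLLECTIONS.get(coll, set())
    return creds

def rotation_list(leaver):
    """Off-boarding: everything the leaver could ever have read. The list is
    derived from membership, not from memory, which is the point of the tool."""
    return sorted(visible_credentials(leaver))

def overshared(members=None):
    """Policy check: client credentials readable by every listed member.
    Under the policy above only 'Internal' should be team-wide."""
    members = members or list(MEMBERSHIP)
    common = set.intersection(*(visible_credentials(m) for m in members))
    return sorted(common - COLLECTIONS["Internal"])

def credential_readers(cred):
    """Who can read a given credential; the first question after an incident."""
    return sorted(m for m in MEMBERSHIP if cred in visible_credentials(m))
```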

The features people skip and regret

A few details that look optional but pay back fast:

Recovery: every password manager has an account recovery flow. Read it before you need it. Bitwarden uses an "Emergency Access" feature where another team member can request recovery and access your vault after a delay you set. 1Password gives you a Secret Key on signup that you must store separately. If you skip this and lose access, your vault is unrecoverable. The tools cannot help you because the encryption is on the client.

TOTP storage: most password managers can store the TOTP secret next to the password and autofill the code at login. Convenient. The trade-off is that anyone with master password access has both factors. For high-value accounts, store TOTP separately (Aegis, 2FAS, hardware key).

Browser extension lock: the browser extension auto-locks after some idle time. The default is often too long. Set it to 15 minutes for shared workstations, 1 hour for personal devices.

Audit reports: run the password health report monthly. It surfaces the credentials that have been reused across services, the ones that appeared in known breaches, the weak ones. Fix them.

What it costs vs what one breach costs

A 5-person team on 1Password Business is 40 USD per month, 480 USD per year. Bitwarden Teams is 240 USD per year. Either way you are at three figures per year for the whole company.

A single client account compromise typically costs:

  • Several hours of investigation and recovery.
  • Reset of every credential the agency had for that client.
  • A difficult conversation with the client.
  • Reputation damage, and a client relationship that may or may not survive it.

The password manager pays for itself the first time you avoid this scenario. Most agencies have already had this scenario at least once. Do not wait for the second time.

A practical migration

If you are migrating from a spreadsheet today:

  1. Sign up for the chosen tool. 30 minutes.
  2. Import the spreadsheet into your personal vault. Most tools accept CSV. 30 minutes.
  3. Move client credentials into per-client shared collections. 1 hour for a typical small agency.
  4. Invite the team. 15 minutes.
  5. Schedule a 30-minute training session: vault, browser extension, sharing flow, recovery. Done.
  6. Delete the spreadsheet. Properly. Empty trash, clear cloud version history, remove from any backups.

Total: half a day, once. Then years of not worrying about where the registrar password lives.
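Steps 2 and 3 of the migration (import the spreadsheet, then sort it into per-client collections) and the reuse check from the audit section, as an added example that is not part of the original post: it parses a constructed spreadsheet export with assumed column names (client, service, url, username, password), assigns each row to a collection, flags rows a human still has to place, and reports passwords reused across services so they get rotated during the move.

```python
"""Split a spreadsheet export into per-client collections plus 'Internal',
flag rows that cannot be placed automatically, and report reused passwords
before anything is imported. Column names are assumed; real exports vary."""
import csv
import io
from collections import defaultdict

# Constructed sample of an agency spreadsheet; every value here is made up.
SPREADSHEET_CSV = """client,service,url,username,password
Acme,hosting,https://panel.example-host.test,acme-admin,hunter2
Acme,registrar,https://registrar.test,ops@agency.test,correct horse battery
,GitHub org,https://github.com,agency-bot,s3cret-token
Bravo,cms admin,https://bravo.test/wp-admin,editor,hunter2
,,https://unknown.test,who,what
"""

def load_rows(text):
    """Parse the export; each row becomes a dict keyed by the header names."""
    return list(csv.DictReader(io.StringIO(text)))

def collection_for(row):
    """Client rows go to 'Client: <name>'; a blank client with a service name
    is an internal tool; anything else needs a human decision (None)."""
    client = (row.get("client") or "").strip()
    service = (row.get("service") or "").strip()
    if client:
        return f"Client: {client}"
    return "Internal" if service else None

def partition(rows):
    """Return ({collection: [rows]}, [rows nobody could place automatically])."""
    buckets, unplaced = defaultdict(list), []
    for row in rows:
        coll = collection_for(row)
        (buckets[coll] if coll else unplaced).append(row)
    return dict(buckets), unplaced

def reused_passwords(rows):
    """The 'reused across services' finding of a health report, run on the
    spreadsheet itself so duplicates are rotated during the move."""
    seen = defaultdict(list)
    for row in rows:
        label = f"{(row.get('client') or 'Internal').strip()}/{row.get('service')}"
        seen[row.get("password")].append(label)
    return {pw: labels for pw, labels in seen.items() if len(labels) > 1}

def migration_summary(text=SPREADSHEET_CSV):
    """Counts per collection, number of unplaced rows, and the reuse report."""
    rows = load_rows(text)
    buckets, unplaced = partition(rows)
    return {c: len(r) for c, r in buckets.items()}, len(unplaced), reused_passwords(rows)
```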