Most UK business owners know they should be using stronger passwords. The advice has been repeated so many times it barely registers anymore. But knowing you should do something and actually having a workable system in place are very different things.
The reality is that the average business now requires staff to remember dozens of passwords – for cloud software, internal systems, supplier portals, financial platforms, and everything in between. Without a structured approach, people do what comes naturally: they reuse the same password, they write it on a sticky note, or they use something simple enough to actually remember. All three of those habits create real risk.
A password manager does not just make things more convenient. It fundamentally changes how credentials are created, stored, and accessed across your business – and that has meaningful implications for your security.
What a Password Manager Actually Does
At its most basic level, a password manager is a secure vault that stores your login credentials. Instead of trying to remember dozens of passwords, your team remembers one master password (or uses biometric unlock) to access the vault, and the manager handles the rest.
The practical benefit is that every account can have a unique, genuinely random password – something like 32 characters of mixed letters, numbers, and symbols – without anyone needing to remember it. That eliminates the single biggest source of credential risk in most businesses: reuse. When one password is compromised, only one account is at risk, not twenty.
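As an added illustration of the "genuinely random" point above, here is a small Go program (example code written for this page, not 1Password's generator) that draws a 32-character password from the 94 printable ASCII characters using the operating system's cryptographic random source and reports the resulting entropy. The four character classes and the retry rule are assumptions about what a typical site policy demands.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Character classes; together they form the 94 printable ASCII symbols.
const (
	lower    = "abcdefghijklmnopqrstuvwxyz"
	upper    = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
	digits   = "0123456789"
	symbols  = "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
	alphabet = lower + upper + digits + symbols
)

// GeneratePassword draws each character uniformly from alphabet using the
// operating system's CSPRNG (crypto/rand). rand.Int rejection-samples, so
// there is no modulo bias; never use math/rand for this.
func GeneratePassword(length int) (string, error) {
	if length < 1 {
		return "", errors.New("length must be at least 1")
	}
	bound := big.NewInt(int64(len(alphabet)))
	var sb strings.Builder
	for i := 0; i < length; i++ {
		n, err := rand.Int(rand.Reader, bound)
		if err != nil {
			return "", err
		}
		sb.WriteByte(alphabet[n.Int64()])
	}
	return sb.String(), nil
}

// EntropyBits is log2(alphabetSize^length): the guessing work an attacker
// faces when every character is random. 32 characters over 94 symbols is
// about 210 bits, far beyond any offline cracking effort.
func EntropyBits(length, alphabetSize int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// HasAllClasses reports whether p contains at least one character from each
// class. Many sites enforce such a rule (an assumed policy here), so the
// generator must be able to retry the rare draw that misses one.
func HasAllClasses(p string) bool {
	return strings.ContainsAny(p, lower) && strings.ContainsAny(p, upper) &&
		strings.ContainsAny(p, digits) && strings.ContainsAny(p, symbols)
}

// GenerateCompliantPassword redraws until all four classes are present.
// Rejecting and redrawing keeps the result uniform over compliant strings;
// "fixing up" a draw by inserting characters would not.
func GenerateCompliantPassword(length int) (string, error) {
	if length < 4 {
		return "", errors.New("need at least 4 characters to cover all classes")
	}
	for {
		p, err := GeneratePassword(length)
		if err != nil {
			return "", err
		}
		if HasAllClasses(p) {
			return p, nil
		}
	}
}

func main() {
	p, err := GenerateCompliantPassword(32)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s  (~%.0f bits)\n", p, EntropyBits(len(p), len(alphabet)))
}
```

The entropy figure is the whole argument for a manager-generated password: an attacker who has the hash from a breached site has no shortcut, and because the value is unique per site, that breach stays a one-account problem.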
Most business password managers also handle more than just passwords. They store secure notes, payment card details used for business purchasing, SSH keys, software licences, and other sensitive information that would otherwise end up in an email thread or a spreadsheet.
The Problem With Shared Credentials
Many small businesses rely on shared passwords – a single login to an accounts package used by three people, a social media account managed by whoever needs access that day. The password is usually the same across all the systems involved, and nobody’s entirely sure who knows it or when it was last changed.
This is a significant security gap. If a member of staff leaves, or if credentials are ever compromised, there is no clean way to remove access or establish what happened. You cannot tell which team member used a shared account, and rotating the password means interrupting everyone who uses it.
A password manager built for business solves this properly. Shared credentials live in a vault that the relevant team members can access, and with autofill most of them never need to see the actual password. When someone leaves, their vault access is revoked immediately. Be clear about what that does and does not do: revocation stops future retrieval, but it does not change the credential itself, so any password the leaver could have seen, copied, or saved in a browser still needs to be rotated. The difference is that with a vault that rotation is a one-place change that reaches everyone who still needs access, rather than a round of phone calls.
Why AOIT Networks Uses Two Separate Password Managers
Something that might seem unusual: AOIT Networks operates two password managers – one for our internal team and one dedicated to partner access. This is a deliberate choice, and it matters for both security and operational clarity.
The separation means there is no possibility of an internal credential being confused with a partner credential, or partner account details being accessible within our own internal systems. These are entirely independent environments with separate audit trails, access policies, and vaults.
We are a 1Password partner, and this sits at the core of how we manage credentials both for ourselves and for the businesses we support. The separation model is something we also recommend to partners as their own teams grow and credential management becomes more complex. What works well for a two-person business often becomes a liability at ten people, and having a proper structure in place before that happens makes the transition straightforward.
Password Managers and Cyber Essentials
If your business is working toward Cyber Essentials – the UK government-backed cybersecurity certification – password management is directly relevant. Cyber Essentials requires multi-factor authentication (MFA) for cloud services and remote access, and managing MFA properly at team level is considerably easier with a password manager in place.
TOTP codes – the six-digit codes generated by authenticator apps that refresh every 30 seconds – can be stored inside a password manager like 1Password and shared securely with team members who need them. So if your business has a shared software account that requires MFA, the relevant team members can access both the password and the authenticator code through a single, auditable system, without emailing codes around or relying on one person’s phone.
This also matters for compliance more broadly. Cyber Essentials assesses whether MFA is actually enforced across cloud accounts, and a password manager that stores and shares TOTP codes removes one of the common practical obstacles to meeting that requirement consistently across a team. One trade-off to be honest about: when the TOTP seed sits in the same vault as the password, the vault itself becomes the control protecting both factors, so the master password and the MFA on the vault account need to be treated as the most sensitive credentials in the business, and for the highest-value accounts (domain or tenant administrators, banking) it is still worth keeping the second factor on a separate device or hardware key.
If you want to understand more about what Cyber Essentials requires and whether your business is ready, we have been through this process ourselves and have helped many businesses just like yours become compliant. Reach out to our team and we will set up a free consultation.
Passkeys: The Next Step Beyond Passwords
The NCSC – the UK’s National Cyber Security Centre – has made its position clear: passkeys are now recommended as the preferred authentication method wherever they are supported. A passkey replaces the password with a cryptographic key pair: the private key stays on your device (or in your password manager’s encrypted vault) and is never sent anywhere, and only the public key is stored by the website or service. That split is what gives passkeys their properties. There is nothing to guess, because signing in is a signature over a fresh challenge rather than a shared secret. They resist phishing, because the key is bound to the site’s real domain, so a look-alike site cannot obtain a valid sign-in even if the user is fooled. And a breach of the service exposes only public keys, which are useless for logging in.
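To show where each half of the key pair lives and why a look-alike site gets nothing, here is a simplified model of the passkey (WebAuthn) challenge-response flow in Go. It is an added example written for this page, not 1Password’s or any browser’s code, and it leaves out attestation, signature counters and the clientDataJSON structure of the real protocol. The domains bank.example and bank-example.co and the user name are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator is the device side (phone, security key, or a password
// manager's passkey store): one private key per site, never handed out.
type Authenticator struct {
	keys map[string]ed25519.PrivateKey // keyed by the site's domain
}

// RelyingParty is the website. It stores only public keys, so a dump of its
// user table gives an attacker nothing that logs in.
type RelyingParty struct {
	ID    string
	users map[string]ed25519.PublicKey
}

// Assertion is what the authenticator returns at sign-in.
type Assertion struct {
	RPIDHash  [32]byte // which site the signature was produced for
	Challenge []byte
	Signature []byte
}

// Register creates a fresh key pair bound to the site and sends only the
// public half to the site.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	a.keys[rp.ID] = priv
	rp.users[user] = pub
	return nil
}

// Sign is the phishing-resistant step: the key is chosen by the origin the
// browser actually reports, and that origin's hash is part of what is
// signed. A look-alike domain matches no key and gets nothing.
func (a *Authenticator) Sign(browserOrigin string, challenge []byte) (Assertion, error) {
	priv, ok := a.keys[browserOrigin]
	if !ok {
		return Assertion{}, errors.New("no passkey for " + browserOrigin)
	}
	h := sha256.Sum256([]byte(browserOrigin))
	sig := ed25519.Sign(priv, append(h[:], challenge...))
	return Assertion{RPIDHash: h, Challenge: challenge, Signature: sig}, nil
}

// NewChallenge issues a fresh random nonce so a captured assertion cannot be
// replayed later.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify rebuilds the signed message from the site's own ID and the
// challenge it issued, then checks the signature with the stored public key.
func (rp *RelyingParty) Verify(user string, issued []byte, as Assertion) bool {
	pub, ok := rp.users[user]
	if !ok || !bytes.Equal(as.Challenge, issued) {
		return false
	}
	h := sha256.Sum256([]byte(rp.ID))
	return as.RPIDHash == h && ed25519.Verify(pub, append(h[:], as.Challenge...), as.Signature)
}

// Scenario runs a genuine sign-in and a phishing attempt against the same
// site and reports which of them the site accepted.
func Scenario() (genuineOK, phishingOK bool, err error) {
	auth := &Authenticator{keys: map[string]ed25519.PrivateKey{}}
	bank := &RelyingParty{ID: "bank.example", users: map[string]ed25519.PublicKey{}} // constructed domain
	if err = auth.Register(bank, "alice"); err != nil {
		return
	}
	// Genuine: the browser is on bank.example and signs the bank's challenge.
	ch, err := bank.NewChallenge()
	if err != nil {
		return
	}
	as, err := auth.Sign("bank.example", ch)
	if err != nil {
		return
	}
	genuineOK = bank.Verify("alice", ch, as)
	// Phishing: the attacker relays a real challenge from a look-alike site.
	// The browser reports the attacker's origin, so no key matches.
	if as2, signErr := auth.Sign("bank-example.co", ch); signErr == nil {
		phishingOK = bank.Verify("alice", ch, as2)
	}
	return
}

func main() {
	g, p, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine accepted:", g, "phishing accepted:", p)
}
```

Two things to take from the model: the site’s user table holds only public keys, so there is no credential to dump, and the attacker relaying a real challenge from a look-alike domain is refused by the user’s own authenticator before the site ever sees a signature. That is what "cannot be phished" means in practice, and it does not depend on the user spotting the fake.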
1Password supports passkeys natively and makes them available across all devices linked to your account. That means your team can use passkeys for the services that support them, with the same cross-device access they already have for traditional passwords – without anything changing in their day-to-day workflow.
We covered passkeys in detail in our recent post on NCSC guidance, including what they are and how they work. If you have not read it, it is worth a few minutes of your time.
The practical reality is that passwords and passkeys will coexist for several years yet, because not every service supports passkeys today. A password manager that handles both – as 1Password does – means your business can adopt passkeys wherever they are available while continuing to manage traditional credentials cleanly for everything else.
Not sure what passkeys or TOTP codes actually are? Our guide to passwords, passkeys, and TOTP codes explains each one in plain English, so you know exactly what you are using and why it matters.
Automated Password Rotation
For businesses that manage access to shared systems or infrastructure, one of the more useful features of an enterprise-grade password manager is automated password rotation. Rather than updating shared credentials manually – something that often gets deferred indefinitely – the system can rotate passwords on a defined schedule and update them across all the relevant vaults automatically. The caveat is that this only works where the target system can be driven programmatically, through an admin API or a supported integration; for a supplier portal with no such interface the manager can schedule the reminder and record the new value, but a person still has to make the change.
This is particularly valuable for system accounts, service credentials, and any password that has been in use long enough that you are no longer certain who holds a copy of it. Automated rotation removes the human delay and ensures credentials are refreshed regularly without anyone having to remember to do it.
How AOIT Networks Approaches Password Management for Partners
When a business comes to us for managed IT support, how credentials are handled is one of the first things we look at. Reused passwords, shared logins with no audit trail, and accounts that former staff can still access are among the most common security gaps we find – and they are entirely solvable.
We work with partners to implement 1Password across their teams, configure shared vaults with appropriate access controls, and integrate TOTP storage for accounts that require MFA. For partners working toward Cyber Essentials, getting credential management right is typically one of the first steps, because it underpins several of the other controls the scheme requires.
Is a Password Manager Right for Your Business?
If your team is managing more than a handful of accounts and you do not currently have a dedicated system for credential management, the answer is almost certainly yes. The risk of not having one tends to be invisible right up until the moment it is not.
If you already have a password manager in place, it is worth checking whether it is actually being used consistently across your team, whether MFA credentials are being stored and shared properly, and whether there is any overlap between personal and business accounts.
For businesses considering Cyber Essentials, planning to grow their team, or simply looking to remove the credential management problem from their list of ongoing risks, we can walk you through how 1Password fits into a managed IT environment and what implementation actually looks like in practice.
If you would like to see how we handle password management for UK businesses, get in touch with the team at AOIT Networks and we can talk through your current setup.