Somewhere in your company there is a spreadsheet called "Passwords" or "Logins," shared with half the office, last cleaned up never. Everyone knows it's bad. It survives because it's convenient and because nobody has owned the two-hour project of replacing it. This guide is that project. At the end you'll have a business password manager with a sane vault structure, the spreadsheet's contents migrated and the spreadsheet destroyed, sharing that follows job roles, emergency access for the accounts that matter, and an offboarding step that actually revokes access when someone leaves.
Prerequisites
- Budget approval for a business tier, typically a few dollars per user per month.
- Admin access to your identity platform (Microsoft 365 or Google Workspace) so the manager can use your existing logins for sign-in.
- The dreaded spreadsheet, plus ten minutes with each department head to find the other places passwords live: browser-saved logins, sticky notes, a shared OneNote.
- A named owner for the system. Password managers without an owner rot back into spreadsheets within a year.
Step 1: Pick a business-tier manager
The mainstream business options are 1Password Business, Bitwarden (Teams or Enterprise), Keeper Business, and Dashlane Business. Any of them beats the spreadsheet by a mile, so don't stall in comparison-shopping. The features that actually matter at small-business scale:
- SSO integration: users unlock with their Microsoft or Google account, which means your existing MFA protects the vault and offboarding hooks into the account you already disable.
- Shared vaults or collections with per-group permissions, since shared credentials are the whole reason you're doing this.
- Admin console with activity logs, so you can see who accessed what when it matters.
- Emergency access / recovery options, covered in Step 5.
One rule: buy the business tier, not a pile of personal accounts. Personal accounts belong to the person; when they leave, the company vault leaves with them. The business tier is what gives you shared vaults, central admin, and recovery. Most include free family plans for employees' personal use, which is a nice carrot during rollout: pitch it as a benefit, not a mandate.
Step 2: Design the vault structure before importing anything
Dumping 400 credentials into one shared vault recreates the spreadsheet with better encryption. Structure first. A layout that works for most companies under 50 people:
Personal vault - each user's own work logins (created automatically)
All-Staff - Wi-Fi, shared printer portal, the office door code
Finance - banking, payroll, QuickBooks, payment processors
Operations - CRM, industry software, shipping accounts
Marketing - social media, website CMS, email platform
IT-Admin - registrar, DNS, firewall, Microsoft 365 admin, backups
Three rules to hold while you design it. Grant by group, not by individual: put people in a Finance group and give the group access to the Finance vault, so access changes are one move instead of forty. Least privilege: the new hire in marketing does not need the banking logins, and "everyone can see everything" is how one phished account becomes a total loss. And keep IT-Admin tight: two or three people, no more, because those credentials are the keys to everything else.
Step 3: Import from the spreadsheet, then burn it
Clean as you migrate rather than importing garbage. Export or arrange the spreadsheet into the CSV format your manager expects (they all document theirs; typically columns like name, url, username, password, notes), or split it into one CSV per target vault to save re-sorting later. Import each into its vault through the admin console.
Then do the cleanup pass the spreadsheet never got:
- Delete dead entries for services you no longer use. There will be many.
- Fix duplicates and figure out which of the three listed "QuickBooks" passwords is real.
- Flag every password that's weak or reused. The built-in health or watchtower report does this automatically. Rotate the worst offenders now, starting with anything financial or admin; schedule the rest.
- Convert shared-account logins where you can. Many services the spreadsheet "solved" with one shared login (social media platforms especially) support proper multi-user access. Fewer shared secrets is the goal; the shared vault is for the ones that genuinely must be shared.
Now destroy the sources. Delete the spreadsheet and empty the trash, including old copies in email attachments and file-share version history as far as you're able. Have users delete browser-saved passwords once the manager's extension is installed (all the major managers can import from the browser first), and disable browser password saving by policy in Chrome and Edge so it doesn't creep back. As long as the spreadsheet exists, people will use it.
Step 4: Set the sharing rules and write them down
The tool enforces nothing your policy doesn't say. Half a page, plainly written:
- Company credentials live in the company vaults. Not in DMs, not in email, not in a text to a coworker. If someone needs a login, they get vault access or the item is shared to them through the manager.
- Personal vault means work-personal: individual work logins nobody else needs. Employees' actual personal passwords go in their free family plan, kept separate.
- New services get their login created in the right vault the day the account is made, by whoever makes it.
- Generated passwords only: long and random from the built-in generator, since nobody types them anymore anyway.
- Vault access requests go to the system owner, who checks them against the person's role.
Then roll out in that order: install extensions and apps, a 20-minute demo (the moment autofill works on the first try is when people convert), the two-week window to move browser passwords in, then browser saving disabled.
Step 5: Set up emergency access
Two failure modes to cover before they happen. First, the locked-out user: enable your platform's account recovery feature (admin-assisted recovery in 1Password and Keeper, configurable in Bitwarden Enterprise) so a forgotten master password doesn't mean a lost vault. Note that recovery-capable admins can be a takeover path, so require identity verification by video or in person before performing one.
Second, the unavailable owner. If exactly one person can reach the IT-Admin vault and that person is in the hospital, the company is locked out of its own infrastructure. Every vault gets two people with access, including and especially IT-Admin. For the true crown jewels (registrar, primary bank, Microsoft 365 global admin), also keep a sealed offline copy: printed, in envelopes, in a physical safe, with a note in the vault saying it exists. Check it twice a year for staleness. Old-fashioned and unglamorous, and it has saved more than one company we know.
Step 6: Build offboarding into the system
This is the payoff for all the structure. When someone leaves:
- Disable their Microsoft or Google account, which (via SSO) cuts their vault access the same minute.
- Suspend or remove their password manager account in the admin console. Their personal work vault transfers to their manager for review in most business tiers.
- Rotate the shared credentials they had access to. The vault structure makes this a finite list for the first time: pull up the vaults their groups touched and rotate those items, highest value first. With the spreadsheet, the honest answer to "what did they know?" was "everything, forever."
- Log it: date, who did it, which credentials rotated.
Put these four lines in your existing offboarding checklist now, while you're thinking about it. Offboarding steps invented during an awkward departure tend to get skipped.
Verify it
Run these checks and the project is done:
- Every employee has signed in and used autofill at least once; the admin console's adoption report shows no holdouts.
- Spot-check permissions: someone outside finance genuinely cannot open the Finance vault.
- The spreadsheet and its copies are gone, and browser password saving is off by policy.
- The security-health report trends up, and the flagged critical passwords have been rotated.
- Emergency access is tested: a simulated forgotten master password recovers cleanly, and the sealed envelopes exist.
- Offboarding is rehearsed once on a test account, timed, and in the checklist.
From here it's maintenance: the owner reviews vault access and the health report quarterly, which takes fifteen minutes. The spreadsheet era took years off IT people's lives. This takes fifteen minutes a quarter.
Stuck on this, or want it done for you? That's the job.
Email us →