Password reuse is one of the most consistent factors in Australian cyber incidents. Staff using the same password across personal and business accounts means that a breach of any site where that password was used — a retail site, a forum, an old webmail account — provides credentials that may work against business systems.
Why Passwords Still Matter With MFA
MFA significantly reduces the risk of credential compromise. But MFA is not universally deployed — legacy systems, third-party applications, and some internal tools may not support it. In those environments, password quality remains the primary credential defence. And in phishing-susceptible MFA implementations, a strong unique password adds a layer of complexity for the attacker.
What Business Password Managers Provide
Centralised storage of credentials with strong encryption. Automatic generation of strong unique passwords for each service. Secure sharing of credentials between team members without exposing the actual password. Audit trails of credential access. Off-boarding capability to revoke access when staff leave.
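An added example (not from the original article) of the two points above: auditing a credential export for the reuse described in the opening paragraph, and generating the kind of unique per-service password a manager issues. The account list is constructed, and the keyed fingerprint and character-class entropy estimate are the author's own simple choices, not any vendor's method.

```python
import hmac, hashlib, math, secrets, string
from collections import defaultdict

# Constructed sample export: (user, service, password). Hypothetical accounts only.
SAMPLE_CREDENTIALS = [
    ("alice", "supplier-portal", "Winter2023!"),
    ("alice", "m365",            "Winter2023!"),
    ("alice", "forum",           "Winter2023!"),
    ("bob",   "supplier-portal", "h7$Lq2!vR9xPw@Zt"),
    ("bob",   "m365",            "correct horse battery"),
    ("carol", "forum",           "password1"),
]

def fingerprint(password: str, audit_key: bytes) -> str:
    """Keyed hash so the audit report carries no reversible password material."""
    return hmac.new(audit_key, password.encode(), hashlib.sha256).hexdigest()[:16]

def estimated_entropy_bits(password: str) -> float:
    """Crude character-class estimate: an upper bound for brute force, blind to
    dictionary words and patterns (so 'Winter2023!' still scores well)."""
    pool = 0
    if any(c.islower() for c in password): pool += 26
    if any(c.isupper() for c in password): pool += 26
    if any(c.isdigit() for c in password): pool += 10
    if any(c in string.punctuation or c == " " for c in password): pool += 33
    return len(password) * math.log2(pool) if pool else 0.0

def find_reuse(credentials, audit_key: bytes, min_bits: float = 60.0):
    """Return ({fingerprint: [(user, service), ...]} for passwords used on more than
    one service, [(user, service), ...] whose password is under min_bits)."""
    by_fp, weak = defaultdict(list), []
    for user, service, pw in credentials:
        by_fp[fingerprint(pw, audit_key)].append((user, service))
        if estimated_entropy_bits(pw) < min_bits:
            weak.append((user, service))
    reused = {fp: accts for fp, accts in by_fp.items() if len(accts) > 1}
    return reused, weak

def generate_password(length: int = 20) -> str:
    """Unique high-entropy password, one per service, from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # per-audit key; discard once the report is written
    reused, weak = find_reuse(SAMPLE_CREDENTIALS, key)
    for fp, accounts in reused.items():
        print(f"one password ({fp}) shared across: {accounts}")
    print("below strength floor:", weak)
    print("example replacement:", generate_password())
```

Reuse across a personal "forum" account and business services is exactly what the audit surfaces; the entropy floor alone would have passed the reused password, which is why reuse detection matters independently of strength checks.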
Evaluating Business Password Managers
Key considerations: zero-knowledge architecture (the vendor cannot access your passwords), SOC 2 Type II certification, business-specific features (team sharing, access policies, off-boarding), integration with your identity provider (SSO through Entra ID), and support for emergency access procedures.
Deployment Considerations
A password manager that staff do not actually use provides no security benefit. Deployment success depends on clear communication of why it is being introduced, training on how to use it, and making it easier to use than the alternatives (browser saved passwords, shared documents, notes apps). Executive sponsorship and visible adoption from leadership significantly improve uptake.
Should we use Microsoft Entra ID instead of a password manager?
Entra ID (and the Microsoft Authenticator app) provides SSO for Microsoft 365 and integrated applications. For systems covered by SSO, a separate password manager is less necessary. For the many systems that are not SSO-integrated — supplier portals, industry platforms, specialist software — a password manager complements SSO rather than competing with it.