We recently audited a client's password practices and found something concerning. Key staff had been storing business passwords in their browser's built-in password manager. In some cases, the browser wasn't even synced to a cloud account.
This meant passwords lived only on individual computers. If a laptop died or was replaced, those passwords would disappear with it.
It got worse. When we checked the recovery options for critical accounts, most were unusable. Recovery emails pointed to addresses that no longer existed. Recovery phone numbers belonged to people who had left the company years ago. No one recognized them.
The passwords still worked. But we couldn't update the recovery methods because validation requires access to the existing recovery option. The old phone number. The old email address. Without those, you're locked out of making changes.
And here's where it gets worse. Many of these were unmanaged accounts with Gmail, Outlook, or another large cloud provider. Getting a human being at these companies to help with account recovery is often an exercise in futility. You'll find yourself in an endless loop of automated responses and help articles that don't address your situation.
It gets worse still. Every failed validation attempt is a risk. Try too many times and the provider may flag the account as compromised and lock it entirely. Now you've gone from "can't update recovery options" to "can't access the account at all."
So you're stuck. You can't fix it yourself. You can't easily get help. And trying too hard might make things worse.
Managed vs. Unmanaged Accounts
There's an important distinction here. If your business uses Microsoft 365 or Google Workspace, you have administrative control over those accounts. You can reset passwords, update recovery options, and manage access because you own the domain.
But when someone sets up a free Gmail or Outlook account for business purposes, you have no such control. As far as Google or Microsoft is concerned, that account belongs to whoever created it. If that person leaves and you lose access, you're at the mercy of automated recovery systems that weren't designed for your situation.
We'll examine this distinction more thoroughly in a future article. For now, the takeaway is simple: know which of your business accounts you actually control, and which ones you're just borrowing.
The Real Risk Isn't Hackers. It's Losing Access.
Most password security advice focuses on preventing breaches. Strong passwords, two-factor authentication, don't reuse passwords. All good advice.
But for many businesses, the more immediate risk is simpler: what happens when the person who knows the password leaves? Or when their laptop fails? Or when you need to access an account urgently and no one can remember the credentials?
This isn't a security problem. It's a business continuity problem.
What We Found Beyond the Passwords Themselves
The audit revealed more than just poorly stored passwords:
- No record of who had access to which passwords
- No way to know when passwords were last changed
- No notes on many saved passwords explaining what account or system they were for
- No process for changing passwords when employees left
That last point matters. When someone with access to critical accounts leaves your company, every password they knew should change. Without a system to track this, it doesn't happen.
Why Browser Password Managers Fall Short for Business
Browser password managers solve a personal problem: remembering your own passwords across your own devices. They're fine for that.
But a business has different needs. You need to know who has access to what. You need to revoke access when someone leaves. You need records showing when credentials were changed and by whom. You need passwords that can be shared securely between team members without everyone having full access to everything.
Browser password managers weren't built for this. They have no centralized administration, no audit trails, no permission controls.
This Is Where Experienced Guidance Helps
You might already use a password manager at home and like it. But consumer tools often lack the features a business requires: centralized permissions, audit logging, reporting, and proper offboarding workflows.
Choosing and implementing a business password manager isn't complicated, but getting it right matters. The goal isn't just storing passwords somewhere better. It's building a system where you always know who has access to what, and where that access can be managed properly when things change.
Not Sure Where Your Passwords Actually Live?
Many businesses don't have a clear picture of how credentials are being stored and shared across their organization. We can help you find out and build a better system.