- Athencia Insights
The Password Manager Your Firm Should Have Had Yesterday
How 1Password ships with Athencia One Complete, and why shared credentials are still the most preventable risk you're carrying.
Let me tell you about a pattern I've seen more times than I can count.
A firm gets a new client portal, or a new matter management system, or a new whatever. The person who sets it up picks a password. Then, because it needs to be shared with two other people, they email it or text it. Then someone else joins the team and gets the password in a Slack message. Then the person who set it up originally leaves, and nobody changes it because nobody's entirely sure who else might be using it, and it's been a year and a half, and everything is fine.
This is how credentials work at a lot of small professional services firms. It's not malicious. It's just how things evolve when nobody's managing it.
If you buy the 80/20 view of SMB cybersecurity, most problems don't start with anything exotic. They start with credentials that are stolen, reused, shared too casually, or never cleaned up when someone leaves. The firm that got phished usually didn't lose data because it was singled out by a nation-state. It lost data because someone reused a password that had already been exposed somewhere else, and nobody had a system in place to catch it or contain it.
A password manager doesn't solve every problem. But it does address a category of risk that shows up again and again in real-world incidents, especially in smaller firms where credential sharing tends to happen informally.
1Password is the tool we include with Athencia One Complete, and I want to be specific about why.
The choice wasn't arbitrary. 1Password publishes its security model publicly, and its architecture is designed so that 1Password itself cannot read your vault contents: vault data is encrypted on your devices with keys derived from your account password and a Secret Key, and neither of those ever leaves your devices for 1Password's servers. That matters when you're deciding whether to trust a third party with the keys to your firm. They go through regular third-party audits, and their security documentation is available for anyone who wants to review it before committing.
The other reason is the business features. 1Password Teams and Business give you actual administrative control. You can enforce policies, control vault access, monitor sign-in activity, and suspend or remove users cleanly when someone leaves the firm. That's a very different situation from passing passwords around in email, chat, or a shared spreadsheet.
The rollout question is usually where this conversation gets complicated.
For a 15-person firm, setup is straightforward. You create the organization account, invite the team, and let people migrate their saved credentials in at their own pace. The product has the usability of a good consumer app, so people figure it out on their own.
The harder part is the partner who's been doing it their way for 25 years and has strong opinions about new systems. I've met this person at almost every firm I've worked with. My advice, for what it's worth: don't try to convince them that their current approach is wrong. Show them that the new one is easier. Most resistance to password managers is about the perceived inconvenience, not actual principled objection. Once someone's used autofill for a week and realized they never have to remember the client portal password again, the argument usually ends.
The other thing that helps is starting with the shared accounts, that is, the logins that belong to the firm rather than to any individual. Practice management system, billing platform, the admin account for whatever cloud service. Get those into a Shared Vault in 1Password, give the right people access, and retire whatever the current credential-sharing method is. That's visible, immediate, and doesn't require anyone to change their personal habits yet.
There's one scenario worth being specific about, because it comes up.
When someone leaves the firm, you need to be able to revoke their access to everything. Not just their M365 account, but the vendor portals, the specialized tools, the accounts that were shared with them. If your current answer is "we change the passwords we remember they had access to," you're leaving gaps. 1Password's admin dashboard makes it auditable. You can see which vaults they had access to, revoke their access centrally, and identify which shared credentials need to be changed. The rule of thumb is that any item in any vault they could open should be treated as known to them, whether or not they ever looked at it, because a view-only member can still read and copy every secret in the vault. That's still work, since removing someone from 1Password doesn't automatically update passwords on external systems, but it's auditable work instead of guesswork.
That matters. Departures are one of the most common moments when credential exposure happens, and it's almost never intentional. It's just that nobody got around to changing the passwords.
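What that auditable offboarding work looks like, as an added example that is not code from the post or from 1Password: given the members of each shared vault and the items in them, list every credential the departing person could have read and flag the ones that have not been touched since their departure. The records are constructed inline so it runs offline; their shape approximates the JSON that the 1Password CLI's `op vault user list` and `op item list --vault ... --format json` commands return, but the exact field names and the timestamp format are assumptions to check against your CLI version.

```python
"""Offboarding rotation list for shared-vault credentials.

Added example, not 1Password's code. The data below is constructed to resemble
`op vault user list <vault> --format json` and `op item list --vault <vault>
--format json` output; field names ("email", "permissions", "title",
"updated_at") are an assumption about the CLI's JSON shape.
"""
from datetime import datetime

# Constructed sample: who can open each shared vault.
VAULT_MEMBERS = {
    "Shared - Practice Management": [
        {"email": "partner@example-firm.test", "permissions": "manage_vault"},
        {"email": "paralegal@example-firm.test", "permissions": "view_items"},
        {"email": "leaver@example-firm.test", "permissions": "view_items"},
    ],
    "Shared - Billing": [
        {"email": "partner@example-firm.test", "permissions": "manage_vault"},
        {"email": "leaver@example-firm.test", "permissions": "view_items"},
    ],
    "Shared - IT Admin": [
        {"email": "partner@example-firm.test", "permissions": "manage_vault"},
    ],
}

# Constructed sample: items in each vault and when they were last edited.
VAULT_ITEMS = {
    "Shared - Practice Management": [
        {"title": "Clio admin", "category": "LOGIN", "updated_at": "2024-01-10T09:00:00Z"},
        {"title": "Court e-filing portal", "category": "LOGIN", "updated_at": "2024-06-03T15:30:00Z"},
    ],
    "Shared - Billing": [
        {"title": "QuickBooks Online", "category": "LOGIN", "updated_at": "2023-11-20T12:00:00Z"},
        {"title": "Bank API token", "category": "API_CREDENTIAL", "updated_at": "2024-06-02T10:00:00Z"},
    ],
    "Shared - IT Admin": [
        {"title": "Microsoft 365 global admin", "category": "LOGIN", "updated_at": "2023-05-01T08:00:00Z"},
    ],
}


def parse_ts(value):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def vaults_for_user(email, vault_members):
    """Every vault the user is a member of. Permission level is deliberately
    ignored: a view-only member can read and copy every secret in the vault."""
    return sorted(
        vault for vault, members in vault_members.items()
        if any(m["email"].lower() == email.lower() for m in members)
    )


def rotation_list(email, departed_at, vault_members, vault_items):
    """Return (vault, title, needs_rotation) for each item the leaver could read.

    An item counts as already rotated only if it was edited after the departure
    timestamp. Removing the user from the vault does nothing to the credential
    on the external system, so untouched items still need a manual change.
    """
    departed = parse_ts(departed_at)
    report = []
    for vault in vaults_for_user(email, vault_members):
        for item in vault_items.get(vault, []):
            rotated = parse_ts(item["updated_at"]) > departed
            report.append((vault, item["title"], not rotated))
    return report


def print_report(email, departed_at):
    for vault, title, needs_rotation in rotation_list(email, departed_at, VAULT_MEMBERS, VAULT_ITEMS):
        status = "ROTATE" if needs_rotation else "rotated"
        print(f"{status:8} {vault:30} {title}")


if __name__ == "__main__":
    # Departure date is constructed for the sample.
    print_report("leaver@example-firm.test", "2024-06-01T00:00:00Z")
```

Run against the sample data, the report leaves out the IT Admin vault the leaver was never a member of, marks the two items edited after departure as rotated, and flags "Clio admin" and "QuickBooks Online" for rotation. In practice the two dictionaries would be filled from the CLI's JSON output, and the departure timestamp from your HR record; the point is that the list comes from vault membership, not from anyone's memory of what the person used.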
We include 1Password in Athencia One Complete because password management isn't a luxury item. At this point it's basic hygiene, the same way MFA is, the same way patching is. The cost of not having it doesn't usually show up until something goes wrong, which is exactly the kind of risk that's hard to take seriously until it isn't hypothetical anymore.
If you're an Athencia One Complete client and you haven't gotten your 1Password deployment set up yet, reach out. It takes less time than most firms expect, and the payoff starts immediately.