BG Beter Geregeld ICT
Toegangsbeheer · 6 min leestijd · 06 July 2026

Passwords in SMEs: from sticky notes to a proper team vault

Passwords on sticky notes, in a shared Excel file, or sent via WhatsApp — almost every SME does it. Here's how to fix it step by step, without your team needing a training course.

You get an email from a supplier: "Please find the new login details for the customer portal." Or a colleague shouts from down the corridor: "What's the Wi-Fi password again?" And then the searching begins. In an old email. In an Excel file on the shared drive. On a yellow sticky note under the keyboard. Sound familiar?

\n\n

In almost every SME, passwords are the junk drawer of the digital household. Everyone knows it can be done better; nobody knows quite where to start. In this post we explain how to sort it out — without sending everyone on a training course.

\n\n

Why a shared Excel file really isn't a good idea

\n\n

We get it. A quick "passwords.xlsx" on the shared drive is easy to set up and everyone can access it. That last part is exactly the problem:

\n\n
    \n
  • Everyone who ever had access to that drive still has access to all those passwords — including last year's intern.
  • \n
  • If one laptop is hacked or stolen, your entire digital business is exposed.
  • \n
  • You have no idea who changed what and when.
  • \n
  • When a staff member leaves, you have to change every single password. In practice, that never happens.
  • \n
\n\n

The same goes for saving passwords in your browser, sharing them via WhatsApp, or sticking Post-its to the monitor. It works — until it doesn't.

\n\n

What you actually need: a password vault for the team

\n\n

A password manager (or "vault") is an application that stores all your passwords in encrypted form. You only need to remember one master password; the vault handles the rest. For a team, it also brings some very useful features:

\n\n
    \n
  • Shared folders: all passwords for the accounts department sit in one folder, accessible only to the bookkeeper and you.
  • \n
  • Per-person permissions: someone can use a password without being able to see or export it.
  • \n
  • Audit log: you can see who opened or changed what, and when.
  • \n
  • One-click removal: when a staff member leaves, you revoke all their access in one go.
  • \n
\n\n

Well-known options include Bitwarden, 1Password, and Keeper. Pricing is typically between €3 and €8 per employee per month — and for that price you get one of the biggest security improvements you can possibly make.

\n\n

The clear-out: how to get started without chaos

\n\n

You don't have to migrate everything in one Saturday afternoon. Work in steps:

\n\n

Step 1: make a list of accounts

\n

Start with the most important ones: bank, accounting, email, domain management, webshop back-end, social media accounts, supplier portals. Write them all down. You'll be surprised how many there are — for a typical SME it's usually between 40 and 100 accounts.

\n\n

Step 2: choose one vault for the whole business

\n

Not three different ones. One. Make sure everyone who works with accounts has a licence.

\n\n

Step 3: organise into folders by role

\n

Create folders such as "Finance", "Marketing", "IT", "General". Share each folder only with the people who genuinely need it. This immediately serves as your first access review.

\n\n

Step 4: replace weak and reused passwords

\n

The vault automatically generates strong passwords of 20+ characters. Prioritise: bank, email, and anything involving money or customer data. Do five per week. Within two months you'll be done.

\n\n

Step 5: enable two-factor authentication wherever possible

\n

Especially for email, banking, and accounting. A strong password alone is no longer enough in 2026. The vault can store and fill in the codes for you.

\n\n

Three mistakes we regularly see in practice

\n\n

1. The boss has access to everything; everyone else has nothing. That makes the director a single point of failure the moment they go on holiday or fall ill. Make sure at least one emergency contact can access the critical accounts.

\n\n

2. The master password is written on a sticky note. Yes, really. Choose something you'll actually remember — a passphrase of four or five random words works brilliantly and is far easier than "Password2026!".

\n\n

3. Departing staff keep their access. The vault makes this simple: one button and they're out. But you do have to press it. Make "revoking access" a fixed step in your offboarding process.

\n\n

What do you get out of it?

\n\n

Concretely: you save time (no more hunting around), you dramatically reduce the risk of invoice fraud and compromised accounts, and you finally know who has access to what. When a staff member leaves, it takes five minutes instead of half a day.

\n\n

And perhaps most importantly: you sleep better. Because that nagging feeling of "I don't even know where all our passwords are any more" simply disappears.

\n\n

Would you like to set this up properly but don't want to figure out which vault fits, which folders make sense, and who should have access to what? Our access review maps out exactly who in your business has access to what — a great starting point for a clean slate. And when you're ready for two-factor authentication: we'll set it up for your whole team in a single morning.

Onderwerpen

#mkb #security #toegangsbeheer #Wachtwoorden #2Fa

Volledige gids: Access Management for SMBs: The Complete Guide (2026)

Dit artikel is onderdeel van onze uitgebreide Toegangsbeheer-gids. Lees de pillar voor het complete plaatje.

Lees de pillar →