Shared spreadsheets of passwords. Sticky notes. Saved-in-browser passwords that nobody knows the master password to. The password situation at a typical small tax firm is bad, and it is the easiest single point of failure to fix.
A real password manager is required by every cyber insurance underwriter, by IRS Publication 4557, and by basic common sense. This post covers how to pick one, roll it out in a week, and write a policy that makes it stick.
Why this matters
Three patterns get firms breached.
- Reused passwords across systems. One leaked password from a personal LinkedIn account opens 4 firm systems.
- Shared logins. A single Drake login used by 3 staff members. Nobody changes it when an employee leaves.
- Weak passwords. "TaxFirm2024!" is not a password. It is a placeholder.
A password manager solves all three. Each user has unique, strong passwords for every system. Shared accounts can be vaulted with controlled access. Departing employees lose access immediately.
Vendors that work for tax firms
Three categories that meet small-firm needs.
Business-grade password managers: 1Password Business, Dashlane Business, Keeper Business. All three have strong audit logs, granular permissions, and compliance reporting. $4 to $8 per user per month.
All-in-one with password management: Microsoft 365 Business Premium has built-in password management via Edge. Acceptable for very small firms but lacks audit features and shared vaulting.
Free or consumer options: Bitwarden Free and browser built-in password storage. Not acceptable for compliance. Do not use these for firm passwords.
My recommendation for a 5-person tax firm: 1Password Business or Keeper Business. Both meet every compliance ask and the per-user cost is negligible against the value.
The 1-week rollout
Day 1: contract signed, admin account created, payment in.
Day 2: each employee creates their account using a strong master password. The master password gets written down once and stored in a sealed envelope in the office safe. Lose it and you lose the vault.
Day 3: import existing browser-saved passwords. Almost every tool has an import function. After import, run through and delete duplicates.
Day 4: identify shared accounts (tax software where multiple users share a login, banking, the firm's social media). Move these into a shared vault with controlled access.
Day 5: rotate every shared password. The old ones are now considered compromised because they were saved in a browser or shared via email at some point.
Day 6: install the browser extensions on every workstation. Enable autofill.
Day 7: train the team in a 30-minute session. Cover: how to add a new password, how to retrieve an existing one, what to do if they forget their master password.
The policy that makes it stick
A 1-page policy in the WISP covers:
- All firm system passwords are stored in the password manager. No exceptions.
- No password is shared via email, text, Slack, or paper.
- Every password is unique and at least 14 characters.
- Master passwords are stored only in physical form in the firm safe.
- When an employee leaves, their password manager account is suspended the same day, and every shared password they had access to is rotated within 48 hours.
Have every employee acknowledge the policy in writing.
The recurring discipline
A password manager that gets installed and forgotten loses its value within 6 months. Three habits keep it useful.
- Quarterly password manager audit. Run the tool's built-in security report. It identifies reused, weak, or breached passwords. Fix every flagged item.
- Annual policy review. Is the policy current? Are there new shared accounts that need to be vaulted? Are old shared accounts still needed?
- New hire and departure protocol. Every new hire gets a password manager account on day one. Every departure triggers same-day account suspension and 48-hour rotation of shared credentials.
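The quarterly audit above is something the vendor's built-in security report does for you; the script below is an added example (not from the post or any vendor's tool) of the three checks it runs, against a constructed vault export with made-up entries. The CSV column names and the local breach list are assumptions for illustration; a real breach check would query a breach-lookup service rather than a hard-coded set.

```python
import csv
import hashlib
import io
from collections import defaultdict

MIN_LENGTH = 14  # the policy minimum stated in the post

# Constructed sample export, one login per row. Made-up entries only.
VAULT_EXPORT = """title,username,password,vault
Drake Tax,office,TaxFirm2024!,Shared
Bank portal,controller,TaxFirm2024!,Shared
IRS e-Services,jsmith,correct-horse-battery-staple-42,Private
Payroll,jsmith,Q7r!vL9#pZ2mW4eK,Private
Firm Facebook,marketing,Summer2023,Shared
"""

# Constructed stand-in for a breach corpus, held as SHA-1 hashes so the
# plaintexts never sit in the audit script (breach lookups compare hashes).
BREACHED_SHA1 = {
    hashlib.sha1(b"Summer2023").hexdigest().upper(),
}

def audit_export(csv_text):
    """Return {title: [findings]} for every entry that violates the policy."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    by_password = defaultdict(list)
    for row in rows:
        by_password[row["password"]].append(row["title"])
    findings = defaultdict(list)
    for row in rows:
        title, pw = row["title"], row["password"]
        if len(pw) < MIN_LENGTH:
            findings[title].append("weak: shorter than %d characters" % MIN_LENGTH)
        others = [t for t in by_password[pw] if t != title]
        if others:
            findings[title].append("reused: same password as " + ", ".join(others))
        if hashlib.sha1(pw.encode()).hexdigest().upper() in BREACHED_SHA1:
            findings[title].append("breached: appears in breach corpus")
    return dict(findings)

if __name__ == "__main__":
    for title, problems in audit_export(VAULT_EXPORT).items():
        print(title)
        for p in problems:
            print("  -", p)
```

Every flagged entry is a rotation task for the quarter; entries in the Shared vault go first because several people hold them.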
What this looks like in your WISP
"Firm passwords are managed via [Vendor], with each employee maintaining a unique vault. Shared accounts are stored in controlled-access shared vaults. Password length minimum is 14 characters. Master passwords are stored only in physical form in the firm safe. Password manager security is audited quarterly. Departing employees lose access the same day and shared credentials are rotated within 48 hours."
That paragraph closes a control gap that auditors and underwriters specifically test for. The full setup costs about $40 per month for a 5-person firm. The cost of the breach it prevents is at least $50,000 and probably more.