Set up a password manager

A password manager is the simplest way to run team-owned accounts (X, Facebook, Discord, Telegram, domain/DNS, email) without password sharing, reused passwords, or “lost access” drama.

Baseline controls

  • Use one vault system (don’t mix browser-saved passwords + random spreadsheets).

  • Require 2FA on the password manager itself (non-negotiable).

  • Use unique passwords per account (no reuse, ever).

  • Create shared vaults for project accounts; keep personal logins private.

  • Store recovery codes + backup codes as first-class items.

  • Minimize who has access to “Owner/Admin” credentials; use least privilege.

Top 5 password managers

  1. Bitwarden (Free) — best default, especially if you want a real free tier

    • Solid free plan and a straightforward path to org sharing (including a free 2-person organization for shared credentials).

  2. 1Password — best for teams that want the cleanest onboarding + admin controls

    • Strong business/family plans, widely used in companies.

  3. Dashlane — best for “security dashboard + anti-phishing” style features

    • Clear personal + business tiers and policy/admin console options.

  4. Proton Pass — best for privacy-first users (and Proton ecosystem)

    • Offers a free plan and supports sharing workflows (family/shared vault patterns).

  5. Keeper — best for enterprise-style controls and documentation depth

    • Strong focus on zero-knowledge architecture and formal security model docs.

Setup checklist

  1. Create the “Owner” account using a team-controlled email alias (not a personal inbox).

  2. Set a long master password (passphrase) and store it offline once (sealed envelope / secure offline note).

  3. Enable 2FA for the password manager immediately (authenticator app or security key).

  4. Install the browser extension + mobile app for the owner and admins.

  5. Import passwords from browsers/CSV, then delete browser-saved passwords to avoid drift.

  6. Create a shared vault / organization for project credentials (domain/DNS, socials, chats, wallets, vendors).

  7. Invite team members and grant least-privilege access (separate “Owner”, “Admin”, “Comms”, “Ops”).

  8. Add recovery kits/codes for every critical account (domain registrar, email, X, Meta, Discord, Telegram). Treat these like keys.

Suggested vault layout for a token/community project

  • 01 Core Ownership (Restricted): domain registrar, DNS/Cloudflare, primary email, payment methods

  • 02 Socials Admin (Restricted): X, Facebook/Meta, YouTube, etc.

  • 03 Community Chats (Moderators): Discord, Telegram (owner + bots + invite tools)

  • 04 Vendors/Tools (Ops): analytics, forms, CRM, hosting, design tools

  • 05 Break-glass (2 people max): emergency admin creds + recovery codes (use only for incident response)

Operating rules

  • Don’t create “shared accounts” when the platform supports role-based access—give each person their own role and store only the credentials that genuinely have to be shared.

  • When someone leaves: remove their vault access first, then rotate every credential in the vaults they could read (not just the ones you know they used).

  • Quarterly: run a credential review (who has access to what, which credentials are still needed).
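One way to run that quarterly review over a vault export, as an added example that is not the guide's own code or any vendor's tooling: it assumes the unencrypted Bitwarden JSON export layout (`collections` with `id`/`name`; `items` with `type` 1 = login, `login.password`, `login.totp`, `collectionIds`), which you should check against your own export, and uses a constructed sample in place of real data. It flags password reuse across the whole vault, and logins in the two restricted vaults from the layout above that lack TOTP or a companion recovery-code item.

```python
# Credential review over a Bitwarden-style JSON export (field names are assumptions).
# Exports are plaintext: run the review, then securely delete the file.
from collections import defaultdict
import json

RESTRICTED = ("01 Core Ownership", "02 Socials Admin")  # restricted vaults from the layout

# Constructed sample export; none of these are real credentials.
SAMPLE_EXPORT = json.dumps({
    "collections": [{"id": "c1", "name": "01 Core Ownership"},
                    {"id": "c2", "name": "02 Socials Admin"},
                    {"id": "c3", "name": "04 Vendors/Tools"}],
    "items": [
        {"type": 1, "name": "Registrar", "collectionIds": ["c1"],
         "login": {"password": "correct-horse-battery", "totp": "otpauth://totp/a"}},
        {"type": 2, "name": "Registrar recovery codes", "collectionIds": ["c1"]},
        {"type": 1, "name": "DNS/Cloudflare", "collectionIds": ["c1"],
         "login": {"password": "correct-horse-battery", "totp": None}},
        {"type": 1, "name": "X admin", "collectionIds": ["c2"],
         "login": {"password": "hunter2-but-longer", "totp": "otpauth://totp/b"}},
        {"type": 1, "name": "Analytics", "collectionIds": ["c3"],
         "login": {"password": "hunter2-but-longer", "totp": None}},
    ],
})


def review(export_json: str) -> dict:
    """Flag reused passwords vault-wide, plus restricted logins lacking TOTP or a recovery item."""
    data = json.loads(export_json)
    coll_name = {c["id"]: c["name"] for c in data.get("collections", [])}
    items = data.get("items", [])
    # Recovery codes live as their own items (first-class), named "<account> recovery ...".
    recovery_names = [i["name"].lower() for i in items if "recovery" in i["name"].lower()]
    by_password, missing_2fa, missing_recovery = defaultdict(list), [], []
    for item in items:
        if item.get("type") != 1:  # only login items carry passwords
            continue
        login = item.get("login") or {}
        if login.get("password"):
            by_password[login["password"]].append(item["name"])
        if not any(coll_name.get(cid) in RESTRICTED for cid in item.get("collectionIds", [])):
            continue  # the checks below apply to restricted vaults only
        if not login.get("totp"):
            missing_2fa.append(item["name"])
        if not any(r.startswith(item["name"].lower()) for r in recovery_names):
            missing_recovery.append(item["name"])
    reused = [names for names in by_password.values() if len(names) > 1]
    return {"reused": reused, "missing_2fa": missing_2fa, "missing_recovery": missing_recovery}
```

Any non-empty list in the result is a ticket for the review: rotate reused passwords first, then enrol TOTP and file recovery codes for the restricted accounts.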
