The majority of data breaches begin with a compromised password. Here’s how to address that issue.

      Right now, within your organization, one employee is reusing a password they created back in 2019. Another is sharing login information for a team account via a Slack direct message. A third individual is using a browser's autofill feature to store client portal access, synced to a personal Google account that your IT department does not manage. None of these employees are being negligent; they are simply acting like most workers do when there is no established password management system in place.

      This article contains affiliate links. If you make a purchase through these links, we may earn a commission at no additional cost to you.

      According to Verizon’s 2024 Data Breach Investigations Report, approximately 80 percent of web application breaches involve stolen credentials, making them the most common initial attack vector across various industries. The trend is consistent each year: an employee uses a password repeatedly, that password is compromised in a data breach, an attacker tests it against the company’s systems, and access is granted. The breach is rarely dramatic; it often looks like a typical login.

      The solution is not to instruct employees to create stronger passwords. The solution is to provide them with a system that defaults to strong, unique passwords, so there is no shortcut left to take. That is the purpose of business password managers. However, many of them overlook a crucial issue that matters more than anything in their marketing claims.

      The metadata issue that is often overlooked

      When assessing a password manager, the first aspect to consider is encryption. Every reputable product employs AES-256 encryption and claims to have a zero-knowledge architecture. However, the extent of encryption can vary more than most consumers realize, and this difference has significant implications.

      Standard password managers typically encrypt the contents of your vault—passwords, secure notes, and credit card details. However, they often do not protect the surrounding metadata, such as item titles, associated URLs, email addresses, and access timestamps, leaving this data on the provider’s servers in a readable format. This metadata can disclose which services your company uses, which employees access specific accounts, and when. For an attacker who compromises the provider’s infrastructure, or for a government issuing a subpoena, this metadata can be almost as valuable as the passwords themselves.

      Proton Pass for Business was developed to address this issue. Created by Proton AG in Geneva (the same team behind Proton Mail and Proton VPN), it encrypts everything: not just the vault's contents but also all associated metadata like item titles, URLs, email addresses, and timestamps. This encryption process occurs on your device before the data reaches Proton’s servers, and Proton does not retain decryption keys. Even if its servers were to be breached tomorrow, attackers would only obtain encrypted data with no means of understanding what it contains or which websites your team uses.
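To make the difference in encryption scope concrete, here is an added Go example (not Proton's code; the record layout, field names and key handling are constructed for illustration) that seals the same vault item two ways with AES-256-GCM and lists which fields a server operator, or an attacker on the server, can still read without the client's key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/json"
	"sort"
)

// VaultItem is a constructed record layout for this example, not Proton Pass's real format.
type VaultItem struct {
	Title, URL, Email, Password, LastUsed string
}

// seal encrypts with AES-256-GCM under a key that never leaves the client; the nonce is prefixed.
func seal(key, plaintext []byte) []byte {
	block, err := aes.NewCipher(key) // key must be 32 bytes for AES-256
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, nil)
}

// Store builds the record the server keeps. With encryptMetadata=false only the password is sealed
// (the common design criticised above); with true the whole item, metadata included, is one blob.
func Store(key []byte, it VaultItem, encryptMetadata bool) map[string]any {
	if encryptMetadata {
		raw, _ := json.Marshal(it) // a struct of plain strings always marshals
		return map[string]any{"blob": seal(key, raw)}
	}
	return map[string]any{"title": it.Title, "url": it.URL, "email": it.Email,
		"last_used": it.LastUsed, "password": seal(key, []byte(it.Password))}
}

// ReadableFields lists the keys of a stored record that are plain strings, i.e. readable at rest.
func ReadableFields(rec map[string]any) []string {
	out := []string{}
	for k, v := range rec {
		if _, ok := v.(string); ok {
			out = append(out, k)
		}
	}
	sort.Strings(out)
	return out
}
```

For a record built with `Store(key, item, false)`, `ReadableFields` returns the title, URL, email and timestamp keys; for `Store(key, item, true)` it returns nothing, which is the property the article attributes to Proton Pass.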

      All client applications are open-source and have been independently audited by Securitum. This is not merely a claim of trust; the code can be publicly verified.

      What the product actually provides

      Beyond encryption scope, Proton Pass includes features that tackle the practical failure points in password security within real organizations.

      - Built-in two-factor authentication: Proton Pass generates TOTP codes directly within the app, negating the need for a separate authenticator. When an employee logs in, both the password and the verification code autofill simultaneously, eliminating the hassle that often leads teams to skip 2FA on "less important" accounts, which are frequently the first targets for attackers.

      - Unlimited email aliases: Powered by SimpleLogin (acquired by Proton in 2022), every employee can create a unique email alias for each service they register with. If a third-party service is compromised, only the alias is exposed, allowing it to be disabled immediately while safeguarding the real email address of the employee. Most competitors either lack this feature or charge additional fees through third-party integrations.

      - Dark web monitoring: Continuous scanning checks whether your team's credentials have appeared in known data breaches, and if a match is found, administrators receive alerts with enough context to take action before the compromised credential can be exploited. This transforms password management from a reactive task (changing passwords after an incident) to a proactive one.

      - Passkey support: Proton Pass accommodates FIDO2 passkeys across all devices, preparing your team for the eventual move away from passwords altogether. You can store, sync, and use passkeys alongside traditional credentials during the transition phase.

      - Scalable admin controls: The Professional tier includes SSO with Microsoft Entra ID, Okta, and ADFS, in addition to SCIM directory sync, activity logs, enterprise security policies, and SIEM integration. IT teams can centrally provision and revoke access, enforce password hygiene rules, and audit credential activity throughout the organization.

      What it costs

      Proton Pass for Business offers pricing that is significantly lower than most established competitors.

      The Pass Essentials plan is priced at $1.99 per user per month when billed annually (minimum of three users). This includes unlimited password storage, a built-in
