The majority of data breaches begin with a compromised password. Here’s how to address this issue.


Right now, somewhere in your organization, an employee is reusing a password first created in 2019. Another is sharing the login for a team account over a Slack direct message. A third has saved client-portal credentials in browser autofill, synced to a personal Google account your IT department does not manage. None of them is being negligent; they are doing what most workers do when no password management system exists.

      This article contains affiliate links. If you purchase through these links, we may earn a commission at no additional cost to you.

According to Verizon's 2024 Data Breach Investigations Report, stolen credentials were involved in roughly 80% of web application breaches and remain the most common initial access vector across industries. The pattern repeats year after year: an employee reuses a password, that password leaks in a third-party breach, an attacker replays it against the company's systems (credential stuffing), and it works. Nothing about the intrusion looks unusual in the logs; it is a successful login with a valid username and password.

The fix is not telling people to pick stronger passwords. The fix is a system that generates strong, unique credentials automatically, so the shortcut is never the easier path. That is what business password managers are for. Most of them, however, share a weakness their marketing does not mention.

      The metadata issue no one discusses

When you evaluate a password manager, the first thing you look at is encryption. Every reputable product uses AES-256 and most claim a zero-knowledge architecture. What varies, more than most buyers realize, is which fields that encryption actually covers, and the difference matters.

Many password managers encrypt the secret fields of your vault: passwords, secure notes, card numbers. Some leave the surrounding metadata unprotected or less protected: item titles, URLs, usernames and email addresses, creation and modification timestamps. If that metadata sits on the provider's servers in a form the provider can read, it reveals which services your company uses, which employees hold accounts where, and when they log in. To an attacker who breaches the provider, or to a government that serves a subpoena, that map is nearly as useful as the passwords themselves. The practical check: ask the vendor for a field-by-field statement of what is encrypted client-side, and treat any field not on that list as readable by the vendor.

Proton Pass for Business was built to close this gap. Developed by Proton AG in Geneva, the team behind Proton Mail and Proton VPN, it encrypts the vault contents and all associated metadata: item titles, URLs, email addresses, and timestamps. Encryption happens on your device before any data reaches Proton's servers, and Proton holds no decryption keys. If its servers were compromised tomorrow, the attacker would get ciphertext with no way to tell what it contains or which sites your team uses.

All client applications are open source and have been independently audited by Securitum. That is a checkable claim rather than a marketing one: anyone can read the published code. The caveat is that open source lets you verify what the client does, not what the server does, which is exactly why client-side encryption matters: a vendor whose servers only ever see ciphertext has much less to get wrong.

      What the product actually does

Beyond encryption, Proton Pass ships features aimed at the practical weak points of password handling in real organizations.

- **Built-in two-factor authentication**: Proton Pass generates TOTP codes inside the app, so no separate authenticator is needed. When an employee signs in, the password and the one-time code autofill together. That removes the friction that leads teams to skip 2FA on "less important" accounts, which are usually the first ones attackers try. One trade-off to weigh: a TOTP seed stored next to its password is protected by the same vault, so an attacker who unlocks the vault gets both factors. For high-value admin accounts, a hardware security key or a passkey keeps the second factor separate.

- **Unlimited email aliases**: Powered by SimpleLogin, which Proton acquired in 2022, each employee can register with a unique alias for every service. If a third-party service is breached, only the alias is exposed; it can be disabled instantly, and the employee's real address stays out of the credential-stuffing lists. Most competitors either lack this feature or charge extra for it through third-party integrations.

- **Dark web monitoring**: Continuous scanning checks whether your team's credentials appear in known data breaches. On a match, administrators get an alert with enough context to act before the exposed credentials are used against you. That moves password management from reactive (reset after a breach) toward proactive.

- **Passkey support**: Proton Pass supports FIDO2 passkeys across devices, so your team can start moving away from passwords. Passkeys can be stored, synced, and used alongside traditional credentials during the transition. Because a passkey is bound to the origin that registered it, it cannot be phished onto a look-alike domain the way a password and TOTP code can.

- **Scalable admin controls**: The Professional tier includes single sign-on (SSO) with Microsoft Entra ID, Okta, and ADFS, SCIM directory synchronization, activity logs, enterprise security policies, and SIEM integration. IT teams can grant and revoke access centrally, enforce password hygiene rules, and audit credential usage across the organization.
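The built-in 2FA item above relies on TOTP (RFC 6238), which is worth seeing end to end: the seed the manager stores is a base32 string, the code is an HMAC over a time counter, and a server that accepts codes should tolerate a little clock drift and compare in constant time. The following is an added example written for this article, not Proton's code; it implements the RFC directly against the RFC's own published test seed, with no vendor API assumed.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at_time // step, digits, algo)


def decode_base32_secret(b32_secret: str) -> bytes:
    """Seeds in otpauth:// URIs and QR codes are base32, often unpadded and sometimes spaced."""
    s = b32_secret.replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def current_code(b32_secret: str, at_time=None, **kw) -> str:
    """What an autofill path computes: the code for the window containing `at_time` (default: now)."""
    if at_time is None:
        at_time = int(time.time())
    return totp(decode_base32_secret(b32_secret), at_time, **kw)


def verify_code(b32_secret: str, submitted: str, at_time: int, window: int = 1, **kw) -> bool:
    """Server side: accept the current window and +/- `window` neighbours to absorb clock
    drift, comparing each candidate in constant time so the check leaks nothing by timing."""
    step = kw.get("step", 30)
    secret = decode_base32_secret(b32_secret)
    return any(
        hmac.compare_digest(totp(secret, at_time + d * step, **kw), submitted)
        for d in range(-window, window + 1)
    )


# RFC 6238 Appendix B test seed, the ASCII string "12345678901234567890", as base32.
RFC6238_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890):
        print(t, current_code(RFC6238_SEED_B32, t, digits=8))
```

The drift window is the part people get wrong: too wide and a stolen code stays valid for minutes; zero and users with a slow phone clock get locked out. One step either side is the usual compromise.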
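The dark web monitoring item raises a question a practitioner should ask of any such service: how does it check your credentials against a breach corpus without being handed the credentials? The page does not describe Proton's mechanism, so the example below is an added illustration of the common hashed-prefix (k-anonymity) technique, not Proton's code. The "breach corpus" and its counts are constructed for the example; only the query shape is what a real service like the Pwned Passwords API uses.

```python
import hashlib
from collections import defaultdict

# Constructed sample corpus: a few passwords with made-up exposure counts.
# A real corpus has hundreds of millions of entries; the query shape is what matters here.
CONSTRUCTED_LEAKS = {
    "password": 9_000_000,
    "123456": 40_000_000,
    "letmein": 250_000,
    "qwerty": 4_000_000,
}

# Server-side index: first 5 hex chars of SHA-1 -> list of (remaining 35 chars, count).
# SHA-1 is the corpus lookup key here, not a storage hash; it is not meant to be slow.
_BUCKETS = defaultdict(list)
for _pw, _count in CONSTRUCTED_LEAKS.items():
    _h = hashlib.sha1(_pw.encode()).hexdigest().upper()
    _BUCKETS[_h[:5]].append((_h[5:], _count))

# Everything the "service" receives, kept so the test can show what it learns.
SERVER_LOG = []


def range_query(prefix: str):
    """The service's view: given a 5-char prefix, return every suffix in that bucket.
    It never sees the full hash, let alone the password."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    SERVER_LOG.append(prefix)
    return list(_BUCKETS.get(prefix.upper(), []))


def breach_count(password: str) -> int:
    """The client's view: hash locally, send only the prefix, match the suffix locally.
    Returns the exposure count from the constructed corpus, or 0 if not found."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for candidate_suffix, count in range_query(prefix):
        if candidate_suffix == suffix:
            return count
    return 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw)} times")
    print("server received only:", SERVER_LOG)
```

When you evaluate a monitoring feature, this is the property to ask about: the service should learn at most a short hash prefix per query, never the credential or its full hash.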

      What it costs

Proton Pass for Business undercuts most established competitors on price.

      - **Pass Essentials** is priced at $1.99 per user per month on annual billing (minimum of three users). This plan includes



Stolen credentials are involved in about 80% of web application breaches, yet many teams still share passwords over Slack. Proton Pass for Business encrypts vault contents and metadata alike, starting at $1.99 per user per month.