TL;DR
For most Australian SMBs with 10 to 50 staff, the best password manager is the one you can roll out cleanly, recover safely, and offboard from quickly. In practice, 1Password Business is the strongest all-rounder, Bitwarden Teams is the budget pick, Dashlane is the easiest for browser-first teams, and Keeper is strong for admin control and delegated access.
The rollout should happen over four weeks, not in one chaotic “everyone install this today” email. Pilot with IT first, then leadership, then company-wide training, then migrate browser-saved passwords and disable them.
Why this matters for Australian SMBs in 2026
Password managers are no longer just convenience tools. They are identity controls. Recent threat reporting continues to show attackers abusing stolen credentials, browser-stored passwords, phishing, and help-desk style social engineering to get a foothold inside businesses. For SMBs, that usually means Microsoft 365, Xero, payroll, banking, shared SaaS logins, and remote access tools.
If your team still stores passwords in browsers, spreadsheets, or Slack messages, you have a business continuity problem as much as a security problem. A password manager rollout reduces reuse, improves MFA adoption, gives you cleaner offboarding, and stops shared credentials from living in ex-employees’ browsers.
Which password manager fits a 10 to 50 person business?
Here is the practical comparison Australian SMB owners care about most. Pricing below is approximate in $AUD per user per month based on common annual business pricing and exchange-rate reality; check vendor billing pages before purchase.
1Password Business: around $12 to $13 AUD/user/month
- Best for: most SMBs wanting the safest default choice
- SSO: strong support, including Okta and Microsoft Entra ID
- Recovery story: strong admin-assisted recovery model
- Breach resilience: excellent because of the extra Secret Key on top of the master password
- Verdict: best balance of usability, shared vaults, admin control, and resilience
Bitwarden Teams: around $6 to $7 AUD/user/month
- Best for: cost-sensitive teams
- SSO: limited at Teams tier; proper SSO is generally an Enterprise feature
- Recovery story: decent, but the best identity controls sit higher up the product ladder
- Breach resilience: strong architecture and transparent security model, plus open-source credibility
- Verdict: best budget option, but many SMBs outgrow Teams if they want SSO and richer admin workflows
Dashlane Business: around $12 to $13 AUD/user/month
- Best for: browser-heavy teams that want simple adoption
- SSO: good support for SAML-based identity providers
- Recovery story: solid, but you need to design admin recovery and emergency access carefully
- Breach resilience: strong zero-knowledge design and good usability for non-technical staff
- Verdict: easy to adopt, especially if your staff live in Chrome or Edge all day
Keeper Business: around $11 to $12 AUD/user/month
- Best for: admin-heavy environments needing policy control
- SSO: strong SSO and SCIM support
- Recovery story: strong delegated admin and transfer workflows
- Breach resilience: strong encryption model and mature enterprise controls
- Verdict: very good for businesses that care about role-based control, offboarding, and account transfer
If you want one simple recommendation:
- Choose 1Password Business if you want the strongest all-round rollout.
- Choose Bitwarden Teams if budget is the main driver.
- Choose Keeper if admin control and offboarding are top priorities.
- Choose Dashlane if ease of use for non-technical browser users matters most.
What good rollout design looks like
A password manager rollout fails when the tool is installed but the risky behaviour stays the same. Your design needs four controls from day one:
Shared vaults
Create vaults by function, not by chaos. Use vaults such as Leadership, Finance, Marketing, IT Admin, and Vendor Accounts. Do not create one giant “Company Passwords” vault. Least privilege matters here too.
Emergency access
Decide now how business-critical accounts are recovered if the owner is on leave, resigns suddenly, or is unreachable. For SMBs, this means documented admin recovery, a break-glass vault for critical services, and two authorised custodians.
Offboarding
Your offboarding checklist should include vault access removal, session revocation where supported, MFA reset, and transfer of owned credentials. If the departing staff member controlled a browser full of saved passwords, you are already too late.
Browser password shutdown
Browsers are not your password management strategy. By week 4, you should migrate saved passwords from Chrome, Edge, Safari, and Firefox, then disable built-in browser saving through policy where practical.
The 4-week rollout playbook
Week 1: Pilot with IT
Start with IT, operations, or the most security-aware users. Set up the business account, admin roles, shared vault structure, MFA policy, and recovery workflow. Import a small set of non-critical accounts first. Test login capture, autofill, shared vault permissions, and an admin recovery scenario before wider rollout.
Week 2: Leadership rollout
Onboard leadership next because executives usually hold the highest-risk accounts. Migrate Microsoft 365 admin, accounting, banking-related access, domain registrar, hosting, social media, and cyber insurance portals. This is also where you test secure sharing instead of emailing passwords.
Week 3: Whole company rollout with training
Run one live training session and one recorded version. Keep it practical: how to install, how to save a password, how to use passkeys where available, how to share credentials safely, and what not to store in personal vaults. Require every user to move at least five work logins during the session.
Week 4: Migrate browser-saved passwords and disable them
Export or migrate browser-saved passwords into the chosen password manager. Remove duplicates, rotate weak or reused credentials, and switch shared logins into shared vaults. Then disable browser password saving by policy if your environment supports it. This is the week that turns adoption into control.
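The week 4 step says to disable browser password saving "by policy". As an added example that is not part of the original article and not any browser vendor's code, the Node script below generates the managed-policy files that switch off built-in password saving in Chrome, Chromium, Edge and Firefox on Linux desktops, and includes a check that reads a policy file back and confirms the setting actually took. The policy name PasswordManagerEnabled and the policy directories are the browsers' documented ones; the file name disable-password-saving.json, the `root` parameter (so the generator can be tried against a scratch directory instead of the live /etc) and the `--write` flag are this example's own choices.

```javascript
// Added example: emit browser policy files that disable built-in password saving,
// and verify an existing policy file. Not code from the article or any browser vendor.

// Policy payloads. Chrome, Chromium and Edge read flat JSON objects from their
// "managed" policy directories; Firefox wraps its policies in a top-level "policies" key.
const CHROMIUM_STYLE_POLICY = { PasswordManagerEnabled: false };
const FIREFOX_STYLE_POLICY = { policies: { PasswordManagerEnabled: false } };

// Map each policy file path to its content. `root` is prepended to every path so the
// generator can be exercised against a scratch directory instead of a live /etc.
function browserPolicyFiles(root = '') {
  const chromium = JSON.stringify(CHROMIUM_STYLE_POLICY, null, 2) + '\n';
  const firefox = JSON.stringify(FIREFOX_STYLE_POLICY, null, 2) + '\n';
  return {
    [`${root}/etc/opt/chrome/policies/managed/disable-password-saving.json`]: chromium,
    [`${root}/etc/chromium/policies/managed/disable-password-saving.json`]: chromium,
    [`${root}/etc/opt/edge/policies/managed/disable-password-saving.json`]: chromium,
    [`${root}/etc/firefox/policies/policies.json`]: firefox,
  };
}

// Write the files (needs root privileges when root === ''). Firefox keeps all of its
// policies in one policies.json, so an existing file is merged into rather than replaced.
// Returns the list of paths written.
function writeBrowserPolicies(root = '') {
  const fs = require('fs');
  const path = require('path');
  const files = browserPolicyFiles(root);
  for (const [file, content] of Object.entries(files)) {
    fs.mkdirSync(path.dirname(file), { recursive: true });
    if (file.endsWith('policies.json') && fs.existsSync(file)) {
      const existing = JSON.parse(fs.readFileSync(file, 'utf8'));
      existing.policies = Object.assign({}, existing.policies, { PasswordManagerEnabled: false });
      fs.writeFileSync(file, JSON.stringify(existing, null, 2) + '\n', { mode: 0o644 });
      continue;
    }
    fs.writeFileSync(file, content, { mode: 0o644 });
  }
  return Object.keys(files);
}

// Read a policy file back and report whether password saving is actually off.
// A missing key means the browser default (saving enabled) still applies, so only an
// explicit `false` counts as disabled.
function passwordSavingDisabled(policyJsonText, browser) {
  const doc = JSON.parse(policyJsonText);
  const policies = browser === 'firefox' ? (doc.policies || {}) : doc;
  return policies.PasswordManagerEnabled === false;
}

// Only touch the filesystem when explicitly asked:
//   node disable-browser-password-saving.js --write            (writes under /etc)
//   node disable-browser-password-saving.js --write /tmp/scratch (writes under a scratch root)
if (process.argv.includes('--write')) {
  const root = process.argv[process.argv.indexOf('--write') + 1] || '';
  console.log(writeBrowserPolicies(root).join('\n'));
}
```

On Windows fleets the same PasswordManagerEnabled policy is delivered through Group Policy or the registry under HKLM\SOFTWARE\Policies\Google\Chrome and HKLM\SOFTWARE\Policies\Microsoft\Edge, and on managed Macs through a configuration profile; the verification function above applies to whatever JSON your MDM or config-management tool actually drops on the endpoint. Run the check after rollout, not before: a policy file that exists but carries `true` or omits the key leaves saving enabled.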
FAQ
Not always on day one, but it matters as you scale. If you already use Microsoft 365 Business Premium or another identity provider, SSO reduces friction and gives you cleaner onboarding and offboarding.
Yes. MFA reduces account takeover risk, but it does not solve password reuse, unsafe sharing, poor offboarding, or browser-stored credentials. You need both.
Trying to do it in one day without training, recovery testing, or browser migration. The result is usually half the team using the tool and the other half still saving passwords in Chrome.
Conclusion
A good password manager rollout is not about buying a licence. It is about changing how your business handles identity, recovery, sharing, and offboarding. For most 10 to 50 person Australian SMBs, 1Password Business is the safest all-round pick, Bitwarden Teams is the value option, Dashlane is the easiest for browser-centric staff, and Keeper is excellent for policy-driven admin control.
Start with a four-week rollout, test recovery before you need it, move shared logins into shared vaults, and kill browser-saved passwords by the end of week 4. Visit consult.lil.business for a free cybersecurity assessment.
TL;DR
- A popular tool that programmers use has a serious security problem
- The problem is called CVE-2026-28292 and it's very dangerous (score 9.8 out of 10)
- It lets attackers run commands on computers that use certain versions of the tool
- Anyone who uses this tool needs to update it right away
What Is simple-git and Why Do Programmers Use It?
Imagine you have a robot that helps you organize your school projects. The robot keeps track of every change you make, lets you go back to older versions, and helps you work with friends on the same project. That's what git does for computer programmers—it's like a super-powered "undo" button and collaboration tool [1].
Simple-git is a popular tool that lets programs talk to git automatically. Think of it like a translator: your program says "save this work" in English, and simple-git translates it into git-language so git understands what to do [2].
Programmers use simple-git all the time in web applications, tools that help other programmers, and systems that automatically update websites. It's everywhere in modern software.
What's the Problem?
Someone found a way to trick simple-git into running bad commands instead of just translating for git. It's like if you told your translator robot "say hello" but instead it started opening doors and turning off lights [3].
The scary part is that this trick doesn't need a password or special access. If an application uses simple-git in the wrong way, an attacker could send a specially crafted message that makes the application do whatever the attacker wants [4].
The problem affects versions 3.15.0 through 3.32.2 of simple-git. Version 3.23.0 fixes the problem, so everyone needs to update to that version or a newer one [5].
How Could This Hurt a Business?
Imagine a company has a website that lets programmers share their code. The website uses simple-git to manage all the shared projects. If an attacker knows about this vulnerability, they could:
- Send a specially crafted project name to the website
- The website passes that name to simple-git
- Simple-git gets tricked into running bad commands
- The attacker now has control over the website's computer [6]
This is called "remote code execution"—the attacker can run commands on a computer without even being in the same building. It's like giving someone the keys to your house through the mail slot [7].
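The scenario above turns on one thing: a project name from the outside world reaching a git wrapper unchecked. As an added example that is not simple-git's own code and is not the fix the simple-git maintainers shipped, the snippet below shows the pattern to avoid beside a hardened handler that validates the name against an allowlist before anything is built from it. The allowlist pattern, the repository root /srv/repos and the internal git server URL are assumptions made for this example.

```javascript
// Added example, not simple-git's own code: validate a user-supplied project name
// before it reaches any git wrapper, shown next to the pattern that should be avoided.

// Allowlist chosen for this example (an assumption, not a simple-git rule): letters,
// digits, dot, underscore and hyphen; the first character must be a letter or digit so
// the name can never be mistaken for a command-line option; 1 to 64 characters total.
const PROJECT_NAME = /^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/;

// Hypothetical locations: where this application keeps its clones, and the internal
// git server they are fetched from.
const REPO_ROOT = '/srv/repos';
const UPSTREAM_BASE = 'https://git.example.invalid';

function isSafeProjectName(name) {
  return typeof name === 'string' && PROJECT_NAME.test(name);
}

// Derive the clone directory from a validated name only. The allowlist rules out path
// separators, "..", whitespace and shell metacharacters, so plain concatenation is safe here.
function clonePathFor(name) {
  if (!isSafeProjectName(name)) {
    throw new Error('rejected project name');
  }
  return `${REPO_ROOT}/${name}`;
}

// Pattern to avoid: request data is concatenated straight into the arguments handed to
// the git wrapper. Whatever the request contains, git receives.
function unsafeHandleCloneRequest(git, projectName) {
  return git.clone(`${UPSTREAM_BASE}/${projectName}.git`, `${REPO_ROOT}/${projectName}`);
}

// Hardened handler: the name is validated once and both the remote URL and the local
// directory are derived from the validated value. The git wrapper is injected so this
// example runs without simple-git installed; with the real library the caller passes
// simpleGit() and awaits the promise that clone() returns.
function handleCloneRequest(git, projectName) {
  const dir = clonePathFor(projectName);
  return git.clone(`${UPSTREAM_BASE}/${projectName}.git`, dir);
}
```

Validation is a layer on top of updating, not a substitute for it: the article's step list still applies, because a library defect can be reachable through inputs the application never thought of as user-controlled.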
Why This Happened Twice Before
The really concerning part is that this same kind of problem was found and fixed in simple-git in 2022 (CVE-2022-25860 and CVE-2022-25912) [8]. But the fix wasn't complete—attackers found a different way to do the same trick.
It's like patching a hole in a tire, but the patch wasn't big enough. The air is still leaking out, just through a different spot.
What Businesses Need to Do Right Now
1. Check If You Use simple-git
Any business that has programmers or uses web applications should check if they depend on simple-git. Programmers can run a command to see if it's installed in their projects [9].
2. Update to Version 3.23.0 or Newer
If version 3.15.0 through 3.32.2 is installed, update it immediately. This is critical—not something to put off until next week [10].
3. Check Your Dependencies
Your business might not directly use simple-git, but the tools you use might depend on it. It's like your backpack has a pocket, and that pocket has a smaller pocket—you need to check all the layers [11].
4. Set Up Automatic Checks
There are tools that can automatically watch for problems like this and alert you when they're found. It's like having a security guard that checks all your doors and windows every night [12].
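Steps 1 to 3 above come down to one question: which copies of simple-git are in the tree, and are any of them inside the affected range. As an added example that is not from the article, npm or the simple-git project, the script below walks the JSON that `npm ls --all --json` prints, reports every copy of simple-git including ones nested inside other packages, and flags versions in the range the article states (3.15.0 through 3.32.2). The dependency tree embedded in it is constructed for the example, and the package names in it are invented; check the range against the advisory you act on, since the article itself also names 3.23.0 as the fixed version.

```javascript
// Added example, not from the article or npm: walk the JSON produced by
// `npm ls --all --json` and report every copy of simple-git, flagging versions inside
// the affected range the article gives (3.15.0 through 3.32.2). The tree below is
// constructed for this example; real input comes from running the command in a project.

const AFFECTED_MIN = [3, 15, 0];
const AFFECTED_MAX = [3, 32, 2];

// "3.20.0" -> [3, 20, 0]; null for anything that is not a plain semver triple.
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when version falls inside [AFFECTED_MIN, AFFECTED_MAX] inclusive.
function isAffected(version) {
  const v = parseVersion(version);
  return v !== null
    && compareVersions(v, AFFECTED_MIN) >= 0
    && compareVersions(v, AFFECTED_MAX) <= 0;
}

// Recursive walk: nested dependencies are the "pocket inside a pocket" case, so every
// level of the tree is visited and the full path to each copy is recorded.
function findSimpleGit(node, path = [], found = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const version = child.version || 'unknown';
    const here = [...path, `${name}@${version}`];
    if (name === 'simple-git') {
      found.push({ version, path: here.join(' > '), affected: isAffected(version) });
    }
    findSimpleGit(child, here, found);
  }
  return found;
}

// Constructed sample in the shape of `npm ls --all --json`: one direct copy and three
// copies pulled in by other packages (package names are invented for this example).
const SAMPLE_TREE = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    'simple-git': { version: '3.20.0' },
    'build-helper': {
      version: '1.2.0',
      dependencies: { 'simple-git': { version: '3.16.1' } },
    },
    'legacy-tool': {
      version: '0.9.0',
      dependencies: { 'simple-git': { version: '3.14.0' } },
    },
    'newer-tool': {
      version: '2.0.0',
      dependencies: { 'simple-git': { version: '3.33.0' } },
    },
  },
};

// Produce the report for a tree; defaults to the constructed sample.
function scanTree(tree = SAMPLE_TREE) {
  return findSimpleGit(tree);
}

for (const hit of scanTree()) {
  console.log(`${hit.affected ? 'AFFECTED ' : 'ok       '} ${hit.path}`);
}
```

To run it against a real project, save the output of `npm ls --all --json` to a file and pass the parsed JSON to `scanTree`. Note that a nested copy is fixed by updating the package that depends on it (or by an override in package.json), not by bumping the top-level simple-git entry alone, which is why the report shows the full path to each copy.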
The Big Lesson: We All Depend on Each Other's Code
Modern software is built like a tower of blocks. Each block is a piece of code written by someone else. When one block has a crack, the whole tower can wobble [13].
That's why security isn't just about writing good code yourself—it's about making sure all the blocks you use are solid too. When a popular tool like simple-git has a problem, it affects everyone who uses it, even if they wrote perfect code themselves.
FAQ
No, you need to update to the fixed version (3.23.0 or newer). The problem is in how the tool was written, so the people who make simple-git had to fix it and release a new version [14].
If your business has programmers who work with Node.js (a popular programming system), ask them to check if any projects use simple-git. If they're not sure, that's a problem—not knowing what you're using is risky [15].
Not necessarily. The attack comes through normal web traffic—it looks like a regular request until simple-git processes it. Firewalls are like locks on your doors, but this attack uses the doorbell [16].
Programming is complicated, and it's hard to think of every possible way someone might try to trick your code. That's why security updates happen constantly—it's not that the programmers were bad, it's that attackers are always finding new tricks [17].
References
[1] TheHackerWire, "Critical RCE in simple-git (CVE-2026-28292)," TheHackerWire, March 10, 2026. [Online]. Available: https://www.thehackerwire.com/critical-rce-in-simple-git-cve-2026-28292/
[2] npm, "simple-git package," npm, 2026. [Online]. Available: https://www.npmjs.com/package/simple-git
[3] TheHackerWire, "Critical RCE in simple-git," 2026.
[4] CWE, "CWE-78: OS Command Injection," MITRE, 2025. [Online]. Available: https://cwe.mitre.org/data/definitions/78.html
[5] TheHackerWire, "Critical RCE in simple-git," 2026.
[6] OWASP, "Command Injection," OWASP Foundation, 2025. [Online]. Available: https://owasp.org/www-project-command-injection/
[7] CWE, "CWE-78: OS Command Injection," 2025.
[8] TheHackerWire, "Critical RCE in simple-git," 2026.
[9] npm Documentation, "Troubleshooting dependency trees," npm, 2025. [Online]. Available: https://docs.npmjs.com/cli/v9/commands/npm-ls
[10] TheHackerWire, "Critical RCE in simple-git," 2026.
[11] GitHub, "About Dependabot alerts," GitHub, 2025. [Online]. Available: https://docs.github.com/en/code-security/dependabot/dependabot-alerts/about-dependabot-alerts
[12] GitHub, "About Dependabot alerts," 2025.
[13] CISA, "Software Supply Chain Security," Cybersecurity and Infrastructure Security Agency, 2025. [Online]. Available: https://www.cisa.gov/software-supply-chain-security
[14] TheHackerWire, "Critical RCE in simple-git," 2026.
[15] Flashpoint, "Navigating 2026's Converged Threats: Insights from Flashpoint's Global Threat Intelligence Report," Flashpoint, March 11, 2026. [Online]. Available: https://flashpoint.io/blog/global-threat-intelligence-report-2026/
[16] OWASP, "Command Injection," 2025.
[17] Flashpoint, "Navigating 2026's Converged Threats," 2026.
Worried about your software dependencies? Book a free cybersecurity consultation at consult.lil.business—we'll help you understand and secure your code.