TL;DR

Credential theft is the number one entry point for ransomware gangs and nation-state actors targeting Australian SMBs. This playbook compares 1Password Business, Bitwarden Teams, Dashlane, and Keeper on price, SSO integration, breach resilience, and recovery, then walks you through a practical 4-week rollout that gets your entire organisation off browser-saved passwords for good.

Why Your Browser's Password Manager Is a Liability

Nearly every major intrusion tracked in 2025-2026, from the NTLM-harvesting UAC-0194 group to ransomware affiliates, turns on the same weakness: stolen credentials. When your team stores passwords in Chrome or Edge, a single infostealer on one endpoint hands attackers the keys to your CRM, your Xero instance, your Microsoft 365 tenant, and every SaaS tool your business runs on.

The ACSC's Essential Eight lists multi-factor authentication as a baseline control. A dedicated password manager makes MFA adoption easier (all four products below can hold TOTP secrets and fill them alongside the password), whereas browser-based password storage undermines the whole posture: Chrome and Edge protect saved passwords with keys that malware running in the user's own session can recover, so one infostealer decrypts and exfiltrates the lot in seconds. For a 10-50 headcount Australian business the maths is brutal: one compromised marketing laptop that is logged into everything can turn into a full tenant takeover within hours.

Side-by-Side Comparison: What You Actually Pay in AUD

All prices below are AUD, billed annually. For a 20-seat deployment (the mid-range sweet spot):

| Feature | 1Password Business | Bitwarden Teams | Dashlane Business | Keeper Business |
| Per-user/month | $11.99 | $6.00 | $12.00 | $5.60 |
| 20-seat annual cost | $2,878 | $1,440 | $2,880 | $1,344 |
| SSO included? | Yes (Entra ID, Okta, Duo) | Enterprise tier only (+$3/user) | Yes (Entra ID, Okta) | Yes (Entra ID, Okta, Duo) |
| Shared vaults | Unlimited, granular permissions | Unlimited, collections-based | Smart Spaces (team groups) | Shared folders, role-based |
| Emergency access | Built-in, time-delayed | Enterprise tier only | Built-in, time-based | Built-in, 5-designee limit |
| Breach monitoring | Watchtower (domain-wide) | Vault Health Reports | Dark Web Monitoring | BreachWatch (add-on, ~$2.50/user) |
| Family plan for staff | Free 1Password Families membership | Enterprise tier only | None | None |
| Self-host option | No | Yes (Bitwarden Unified) | No | No |

For the budget-conscious SMB: Bitwarden Teams at $6/user gives you the essentials — unlimited shared vaults, directory sync, and API access — plus the ability to self-host if compliance demands it. SSO requires the Enterprise tier, which bumps cost to $9/user.

For the compliance-heavy SMB: 1Password Business includes SSO at the base tier and the strongest breach-monitoring tooling (Watchtower checks every item in the account against Have I Been Pwned and flags reused and weak passwords). The bundled free 1Password Families membership for each staff member is more than a perk: it gives people a separate home for personal logins, so company vaults stay clean and offboarding is a straight revocation of business access rather than an untangling exercise.

Where Dashlane shines: If your team is distributed and non-technical, Dashlane's onboarding UX is the smoothest. Smart Spaces auto-sort credentials by team. The trade-off: no self-hosting path, and the per-user cost stays highest.

Keeper's edge: Lowest base price, and BreachWatch (while an add-on) is genuinely good at surfacing compromised credentials. The catch: shared folder permissions are less granular than 1Password vaults, which matters once you grow past 30 staff managing multiple client engagements.

The 4-Week Rollout Plan

Week 1 — Pilot with IT or a single power-user group

Enrol 2-3 technical staff. Install the browser extension, mobile app, and desktop client. Import their work credentials manually (resist the bulk-import temptation — this is your chance to audit and cull dead accounts). Test shared vault creation. Test emergency access: simulate "manager locked out, IT admin grants temporary vault access." Document every step — this becomes your training script for Week 3.

Gate check before moving to Week 2: Can pilot users log into every critical SaaS tool using only the password manager? Is the browser extension auto-filling reliably in your SSO flow?

Week 2 — Leadership and finance team

Expand to your executive team and finance staff, the highest-value targets. Create their shared vaults (Finance, Board Papers, Bank Logins). Configure the emergency access policy: who can request access, and what the mandatory waiting period is. Pick a delay long enough that the vault owner will notice and deny a rogue request, but short enough that a genuine lockout doesn't stall payroll; 72 hours is a common choice. This week surfaces the political blockers: executives who refuse to change workflows, or finance staff who've memorised one password since 2014. Handle these conversations now, not during Week 3's company-wide push.

Week 3 — Full company enrolment with mandatory training

Run a 30-minute all-hands session covering:

  • Why browser-saved passwords are being killed (show the UAC-0194 infostealer demonstration if you want attention)
  • Installing and logging into the password manager on every device
  • Creating strong, unique passwords (the generator button — not human creativity)
  • Sharing credentials via shared vaults, never via Slack, email, or sticky notes
  • What to do when locked out (emergency access process)

Set a 3-day deadline for self-enrolment. IT confirms completion via the admin dashboard.

Week 4 — Kill browser-saved passwords and audit

This is the step most SMBs skip — and the one that determines whether you actually reduced risk or just added another app.

  1. Push a Group Policy or MDM profile disabling Chrome/Edge password saving across all managed devices (both browsers expose a PasswordManagerEnabled policy; set it to disabled through the ADMX templates or your MDM's browser policy payload).
  2. Use the password manager's admin console to run an audit: how many credentials are reused across accounts? How many weak passwords remain? Give each team a deadline to clear their share and re-run the report a week later.
  3. Delete the credentials already saved in every browser on every device. The policy in step 1 only stops new saves; previously saved passwords stay on disk and remain usable until they are removed, so walk the floor with laptops open if needed.
  4. Verify shared vaults are populated: every team should have at least one vault with shared logins (Wi-Fi, printer admin, social media accounts, SaaS tools), and no team login should exist only in someone's personal vault.
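Steps 1 and 3 of the list above, as an added PowerShell example (not from any vendor's documentation): it writes the machine-wide PasswordManagerEnabled policy for Chrome and Edge, reads it back as evidence, and then inventories (or, with the script's own -Remove switch, deletes) the per-profile Login Data files that still hold previously saved credentials. The policy paths and value name are the real Chromium and Edge ones; the function names, the -Remove switch and the enumeration of C:\Users are this example's assumptions. Run it elevated, with browsers closed, on a test machine before wiring it into a GPO startup script or an MDM script payload.

```powershell
#Requires -RunAsAdministrator
# Added example for Week 4 (not vendor code). Policy key/value names are the real
# Chromium and Edge ones; function names and the -Remove switch are this script's own.

# Browser name -> machine policy key, and the per-user folder holding its profiles.
$Browsers = @(
    @{ Name = 'Chrome'; PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome';  UserData = 'AppData\Local\Google\Chrome\User Data' }
    @{ Name = 'Edge';   PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Edge'; UserData = 'AppData\Local\Microsoft\Edge\User Data' }
)

function Disable-BrowserPasswordSaving {
    # Step 1: PasswordManagerEnabled = 0 stops the browser offering to save new
    # passwords. It does NOT delete what is already stored, which is why step 3 exists.
    foreach ($b in $Browsers) {
        if (-not (Test-Path $b.PolicyKey)) { New-Item -Path $b.PolicyKey -Force | Out-Null }
        New-ItemProperty -Path $b.PolicyKey -Name 'PasswordManagerEnabled' -PropertyType DWord -Value 0 -Force | Out-Null
        # Read the value back so the output is evidence of what applied, not of intent.
        $applied = (Get-ItemProperty -Path $b.PolicyKey -Name 'PasswordManagerEnabled').PasswordManagerEnabled
        [pscustomobject]@{ Browser = $b.Name; PolicyKey = $b.PolicyKey; PasswordManagerEnabled = $applied }
    }
}

function Get-BrowserLoginStores {
    # Step 3: find every profile's saved-login database ("Login Data", plus
    # "Login Data For Account" for account-backed profiles) for every local user.
    # Without -Remove this is a read-only inventory you can keep as audit evidence.
    param([switch]$Remove)

    foreach ($userHome in Get-ChildItem -Path 'C:\Users' -Directory) {
        foreach ($b in $Browsers) {
            $userData = Join-Path $userHome.FullName $b.UserData
            if (-not (Test-Path $userData)) { continue }
            # Profiles sit one level below "User Data" (Default, Profile 1, ...).
            $stores = Get-ChildItem -Path $userData -Recurse -Depth 1 -File -ErrorAction SilentlyContinue |
                Where-Object { $_.Name -in 'Login Data', 'Login Data For Account' }
            foreach ($store in $stores) {
                $entry = [pscustomobject]@{
                    User      = $userHome.Name
                    Browser   = $b.Name
                    Profile   = $store.Directory.Name
                    Path      = $store.FullName
                    SizeBytes = $store.Length
                    Removed   = $false
                }
                if ($Remove) {
                    # The browser must be closed: a locked database throws, and that
                    # failure should be surfaced per machine rather than silently skipped.
                    Remove-Item -LiteralPath $store.FullName -Force
                    $entry.Removed = $true
                }
                $entry
            }
        }
    }
}

Disable-BrowserPasswordSaving | Format-Table -AutoSize
Get-BrowserLoginStores | Format-Table -AutoSize
# Get-BrowserLoginStores -Remove   # only once the vault migration is confirmed
```

Keep the inventory output from the first run: a device that still shows a Login Data file of more than a few kilobytes after Week 4 is one where a user has not migrated, and the list is the evidence you hand to them.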

FAQ

"Do I really need to pay for this? Can't we just use the free tier?"

Bitwarden's free tier supports two users with a shared collection — fine for a 2-person consultancy, useless for 20 staff. The paid tiers give you the admin controls that make compliance possible: user provisioning, audit logs, and enforced MFA policies. For a 20-person business, $1,440/year (Bitwarden Teams) is less than a single ransomware incident's downtime cost.

"What happens if someone leaves and we need access to their vault?"

Emergency access, configured during Week 2, allows designated people to request access to a vault. The user is notified and has a waiting period (you choose: immediate to 30 days) to deny the request; if they don't respond, access is granted. This covers both hostile departures and the "Dave got hit by a bus and only Dave knew the AWS root password" scenario. Two caveats. First, check what your product offers at your tier: the table above shows Bitwarden gates emergency access behind Enterprise and Keeper caps designees at five, and several products handle business accounts through admin-driven account recovery instead. Second, whatever the mechanism, the real safeguard for company credentials is structural: anything the business depends on lives in a shared vault the organisation owns, so offboarding is removing the user from the organisation, not recovering their vault. Put the policy in writing in your employment contracts and onboarding documents.

"We use Microsoft 365 with Entra ID SSO — which password manager integrates best?"

1Password Business and Keeper both offer SCIM provisioning with Entra ID, meaning new staff automatically get a vault provisioned when their Microsoft account is created. Bitwarden requires the Enterprise tier for SSO. Dashlane supports Entra ID at the Business tier but SCIM provisioning is still maturing.

"How do password managers hold up during a real breach?"

If your password manager's cloud is breached (rare, but design for it): the vault is encrypted on your device with a key derived from your master password, and neither the password nor the key is ever sent to the vendor's servers (some products mix in a second, device-held secret as well, such as 1Password's Secret Key). An attacker holding a copy of the encrypted blob is left with an offline guessing attack against your master password, which is why vendors run it through a deliberately slow key-derivation function (high-iteration PBKDF2 or Argon2) and why master-password strength matters more than which vendor you pick. Be clear about what MFA on the vault does and does not do: it protects the login to the service, but it adds no entropy to a stolen blob, so it is no substitute for a long master password.
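A minimal version of that design, as an added PowerShell 7 example (not any vendor's code; the products above use their own formats, per-item keys and, in 1Password's case, a Secret Key on top of this): derive the key from the master password with PBKDF2, seal the vault with AES-GCM, show exactly which record a breached server would leak, and show that a wrong master password is rejected by the authentication tag rather than decrypting to garbage. The function names, the iteration count and the sample vault JSON are this example's own.

```powershell
# Added illustration of the client-side ("zero-knowledge") vault design.
# Not any vendor's code. Requires PowerShell 7.2+ (.NET 6+) for AesGcm and
# the static Pbkdf2 / GetBytes helpers used below.
using namespace System.Security.Cryptography
using namespace System.Text

function Protect-Vault {
    param(
        [Parameter(Mandatory)][string]$MasterPassword,
        [Parameter(Mandatory)][string]$VaultJson,
        # Slow KDF: the only thing standing between a stolen blob and a fast offline crack.
        [int]$Iterations = 600000
    )
    $salt  = [RandomNumberGenerator]::GetBytes(16)
    $nonce = [RandomNumberGenerator]::GetBytes(12)
    $key   = [Rfc2898DeriveBytes]::Pbkdf2($MasterPassword, $salt, $Iterations, [HashAlgorithmName]::SHA256, 32)
    $plain  = [Encoding]::UTF8.GetBytes($VaultJson)
    $cipher = [byte[]]::new($plain.Length)
    $tag    = [byte[]]::new(16)
    $aes = [AesGcm]::new($key)
    $aes.Encrypt($nonce, $plain, $cipher, $tag)
    $aes.Dispose()
    [Array]::Clear($key, 0, $key.Length)   # the key never leaves the client
    # This record is everything the provider ever stores: no password, no key.
    [pscustomobject]@{
        Kdf        = 'PBKDF2-HMAC-SHA256'
        Iterations = $Iterations
        Salt       = [Convert]::ToBase64String($salt)
        Nonce      = [Convert]::ToBase64String($nonce)
        Ciphertext = [Convert]::ToBase64String($cipher)
        Tag        = [Convert]::ToBase64String($tag)
    }
}

function Unprotect-Vault {
    param(
        [Parameter(Mandatory)][string]$MasterPassword,
        [Parameter(Mandatory)]$Record
    )
    $salt   = [Convert]::FromBase64String($Record.Salt)
    $key    = [Rfc2898DeriveBytes]::Pbkdf2($MasterPassword, $salt, [int]$Record.Iterations, [HashAlgorithmName]::SHA256, 32)
    $cipher = [Convert]::FromBase64String($Record.Ciphertext)
    $plain  = [byte[]]::new($cipher.Length)
    $aes = [AesGcm]::new($key)
    try {
        # A wrong password derives a wrong key; GCM's tag check then fails
        # before any plaintext is released, so there is no "almost right" output.
        $aes.Decrypt([Convert]::FromBase64String($Record.Nonce), $cipher, [Convert]::FromBase64String($Record.Tag), $plain)
        [Encoding]::UTF8.GetString($plain)
    } finally {
        $aes.Dispose()
        [Array]::Clear($key, 0, $key.Length)
    }
}

# Constructed sample vault; the credentials are made up.
$record = Protect-Vault -MasterPassword 'correct horse battery staple' `
                        -VaultJson '{"xero":{"user":"ap@example.com.au","pass":"not-a-real-password"}}'
$record | Format-List                                                            # what a breached server leaks
Unprotect-Vault -MasterPassword 'correct horse battery staple' -Record $record  # client side: decrypts
try   { Unprotect-Vault -MasterPassword 'wrong' -Record $record }
catch { "Wrong master password rejected: $($_.Exception.InnerException.Message)" }
```

The leaked record is salt, nonce, ciphertext, tag and an iteration count; nothing in it shortcuts the PBKDF2 work, so the attacker's cost per guess is the iteration count you chose, multiplied by every guess a weak master password invites.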

Conclusion

A password manager is the single highest-ROI security investment an Australian SMB can make — it eliminates credential reuse, enables MFA adoption, and gives you a clean offboarding process. The 4-week plan works because it respects how real businesses operate: prove it to IT first, win over leadership second, then roll it out with training and enforcement. Pick Bitwarden Teams if budget is your driver, 1Password Business if compliance and breach monitoring are priorities, and Keeper if you want bare-minimum pricing with solid monitoring. Then execute all four weeks — especially Week 4. A password manager nobody uses is worse than no password manager, because it creates the illusion of security.

Ready to harden your SMB's credential security? Visit consult.lil.business for a free cybersecurity assessment tailored to your team size and tech stack.

References

  1. ACSC Essential Eight Maturity Model
  2. ACSC Small Business Cyber Security Guide
  3. Bitwarden Teams vs Enterprise Comparison
  4. 1Password Business Security Design (White Paper)
  5. NIST SP 800-63B Digital Identity Guidelines — Authenticator Management

TL;DR

  • Microsoft fixed 84 security problems in their software this month
  • Two bugs were especially serious because bad guys knew about them before Microsoft could fix them
  • One bug lets attackers become bosses of your database; another can crash your apps
  • You should update your Windows computers this week

Related: How AI Attacks Now Steal Your Data in 72 Minutes

What Is Patch Tuesday?

Think of Patch Tuesday like a regular check-up at the doctor, but for your computer. Every second Tuesday of the month, Microsoft releases updates that fix security problems in Windows, Office, and other Microsoft software [1].

It's called "Patch Tuesday" because Microsoft "patches" (fixes) holes that bad guys could use to break into your computer.

What Happened in March 2026

This month, Microsoft fixed 84 security problems [2]. That's a lot! Most of these are like small cracks in a wall — not super dangerous on their own, but bad if left unfixed.

Two of these problems were extra serious because bad guys already knew about them before Microsoft could fix them. These are called "zero-days": Microsoft had zero days of warning before the bug was known outside the company, so there was no fix ready when people started looking for it [3].

The Two Big Bugs to Know About

Bug #1: The Database Boss Maker (CVE-2026-21262)

Imagine your business database is like a filing cabinet with different drawers. Most employees can only open certain drawers. The boss can open ALL the drawers.

This bug lets someone who's only supposed to open one drawer suddenly become the boss and open EVERY drawer [4].

Why it's bad: If a bad guy gets into your system (even just a tiny bit), they can use this bug to give themselves full control over your database. They could read, change, or delete your customer records, financial data, or any important information [5].

Who needs to worry: If your business uses Microsoft SQL Server (a program that stores lots of business data), you need to fix this right away.

Bug #2: The App Crasher (CVE-2026-26127)

Imagine your business has a storefront. This bug is like someone having a remote control that can shut your doors and make customers wait outside [6].

It affects programs built with .NET (a tool many businesses use to build applications). A bad guy could crash your apps from anywhere in the world, making your website or tools stop working [7].

Why it's bad: Downtime = lost money. If your online store or booking system goes down, customers can't buy from you.

Who needs to worry: If your business uses applications built with Microsoft .NET, you should update them.

Other Important Fixes

Microsoft also fixed a bug called CVE-2026-25187 that lets someone with basic access become the boss of the entire Windows computer (SYSTEM account) [8]. Think of it like an intern suddenly getting the CEO's keycard.

There's also CVE-2026-26144, which could leak information from Excel files when using Microsoft's AI helper (Copilot) [9]. If your Excel files have sensitive business info, this matters.

Why Privilege Escalation Is Like Promoting the Wrong Person

Most of the bugs fixed this month (55 out of 84!) are called "privilege escalation" [10]. That's a fancy way of saying "promoting someone to a level they shouldn't have."

Here's how it works:

  1. Bad guy gets into your system somehow (like finding an open window)
  2. Bad guy uses a privilege escalation bug (like picking a lock to get from the hallway into the CEO's office)
  3. Bad guy now has full control and can steal, delete, or ransom your data

This is why patching matters — even if you think "why would bad guys target me?" — they use automated tools to find these open doors everywhere.

What You Should Do This Week

1. Update All Windows Computers

For most Windows users, it's easy:

  1. Click Start → Settings (the gear icon)
  2. Go to "Windows Update"
  3. Click "Check for updates"
  4. Install all updates and restart when asked

This should take 10-30 minutes, depending on your computer.

2. Check With Your IT Person or Vendor

If you have someone managing your computers, ask them:

  • "Did we apply the March 2026 Microsoft security updates?"
  • "Do we use SQL Server? If so, is it patched for CVE-2026-21262?"
  • "Do we have any .NET applications? Are they updated?"

3. Back Up Important Data Before Updating

Before updating critical systems (like servers or computers that run your business):

  • Make sure your backups are recent
  • Test that you can restore from backups
  • Have a plan in case something goes wrong

It's like backing up your phone before updating iOS — just good practice.
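For the IT person answering those questions, here is an added PowerShell example (not from Microsoft or the cited write-ups) that collects the evidence from one Windows machine: the Windows build and most recently installed updates, every SQL Server instance's build and patch level from the registry, and the installed .NET runtimes plus the .NET Framework release value. It deliberately hard-codes no "fixed" build numbers, since those differ by Windows and SQL Server version; compare the output against the March 2026 release notes for your versions. The function names are this example's own; the registry paths and commands are standard Windows ones.

```powershell
# Added example: gather patch-state evidence for the three questions above.
# Reports facts only; no "patched" build numbers are hard-coded here.

function Get-WindowsPatchState {
    # OS version and build from the registry, plus the five most recent updates.
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $recent = Get-HotFix | Where-Object InstalledOn |
              Sort-Object InstalledOn -Descending | Select-Object -First 5
    [pscustomobject]@{
        Product        = $cv.ProductName
        DisplayVersion = $cv.DisplayVersion
        Build          = "$($cv.CurrentBuild).$($cv.UBR)"   # e.g. major build . update revision
        RecentUpdates  = ($recent | ForEach-Object { "$($_.HotFixID) ($($_.InstalledOn.ToString('yyyy-MM-dd')))" }) -join ', '
    }
}

function Get-SqlServerPatchState {
    # Every installed SQL Server instance with the build it currently runs.
    # "Instance Names\SQL" maps instance name -> instance ID; the ID's Setup key
    # holds Edition, Version and PatchLevel (the last applied CU/GDR level).
    $names = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL'
    if (-not (Test-Path $names)) { return }   # no SQL Server on this machine
    $map = Get-ItemProperty $names
    foreach ($instance in ($map.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $setup = Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$($instance.Value)\Setup"
        [pscustomobject]@{
            Instance   = $instance.Name
            Edition    = $setup.Edition
            Version    = $setup.Version
            PatchLevel = $setup.PatchLevel
        }
    }
}

function Get-DotNetState {
    # .NET (Core/5+) runtimes via the dotnet host, and the .NET Framework 4.x
    # "Release" value, which Microsoft maps to a framework version.
    $runtimes = if (Get-Command dotnet -ErrorAction SilentlyContinue) { dotnet --list-runtimes }
                else { @('dotnet host not installed') }
    $ndp = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'
    $release = if (Test-Path $ndp) { (Get-ItemProperty $ndp).Release } else { $null }
    [pscustomobject]@{
        DotNetRuntimes         = $runtimes -join '; '
        DotNetFrameworkRelease = $release
    }
}

Get-WindowsPatchState   | Format-List
Get-SqlServerPatchState | Format-Table -AutoSize
Get-DotNetState         | Format-List
```

Run it on every server and on a sample of workstations after the update window, keep the output with the date, and you have an answer to "did we apply the March 2026 updates?" that does not depend on anyone's memory.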

Related: Your Backups Are Actually Working — But Ransomware Gangs Just Changed the Rules

Why This Matters for Your Business

Think of computer security like locking up your shop at night. You wouldn't leave the back door open, right?

Unpatched software is like an open door. Bad guys have automated tools that scan the internet looking for open doors. They don't care who you are — they're just looking for easy targets.

The good news: When you update regularly, you're closing those doors. Most automated attacks will move on to easier targets.

FAQ

"What if I can't update this week?"

Set a reminder for next week. Better late than never. But if your computers hold sensitive data (customer info, financial records, passwords), try to update within 7 days for the serious bugs (the two zero-days).

"Can an update break something?"

It's rare, but sometimes updates can cause problems. That's why big businesses test updates first. For a small business, just make sure you have backups before updating. If something breaks, you can restore.

"We use Macs. Does this apply to us?"

These specific updates are for Microsoft software. If your Mac runs Microsoft Office or uses Microsoft .NET applications, you might still need to update those programs. Check with your IT person.

"What about our phones?"

These updates are for computers. Phones (iPhone, Android) have their own update systems. You should update those too, but that's separate from Patch Tuesday.

"How often should we check for updates?"

Microsoft releases updates every month on Patch Tuesday (the second Tuesday). Set a reminder to check for updates a few days after Patch Tuesday each month. It's a good habit.


Security doesn't have to be complicated. Update regularly, back up your data, and have a plan. That's the foundation. If you want help building a security approach that fits your business, let's talk.

References

[1] Microsoft, "Windows Update Overview," Microsoft Docs, 2026. [Online]. Available: https://docs.microsoft.com/windows/deployment/update/windows-update-overview

[2] The Hacker News, "Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days," The Hacker News, 2026. [Online]. Available: https://thehackernews.com/2026/03/microsoft-patches-84-flaws-in-march.html

[3] Malwarebytes, "What is a Zero-Day Vulnerability?" Malwarebytes Labs, 2026. [Online]. Available: https://www.malwarebytes.com/blog/news/2025/11/what-is-a-zero-day-vulnerability

[4] National Vulnerability Database, "CVE-2026-21262," NIST, 2026. [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2026-21262

[5] Malwarebytes, "March 2026 Patch Tuesday fixes two zero-day vulnerabilities," Malwarebytes Blog, 2026. [Online]. Available: https://www.malwarebytes.com/blog/news/2026/03/march-2026-patch-tuesday-fixes-two-zero-day-vulnerabilities

[6] Security Boulevard, "March 2026 Patch Tuesday fixes two zero-day vulnerabilities," Security Boulevard, 2026. [Online]. Available: https://securityboulevard.com/2026/03/march-2026-patch-tuesday-fixes-two-zero-day-vulnerabilities-2/

[7] Malwarebytes, "March 2026 Patch Tuesday fixes two zero-day vulnerabilities," Malwarebytes Blog, 2026. [Online]. Available: https://www.malwarebytes.com/blog/news/2026/03/march-2026-patch-tuesday-fixes-two-zero-day-vulnerabilities

[8] The Hacker News, "Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days," The Hacker News, 2026. [Online]. Available: https://thehackernews.com/2026/03/microsoft-patches-84-flaws-in-march.html

[9] The Hacker News, "Microsoft Patches 84 Flaws in March Patch Tuesday, Including Two Public Zero-Days," The Hacker News, 2026. [Online]. Available: https://thehackernews.com/2026/03/microsoft-patches-84-flaws-in-march.html

[10] Satnam Narang, "Patch Tuesday Analysis: March 2026," Tenable, 2026. [Online]. Available: https://www.tenable.com/blog/

Ready to strengthen your security?

Talk to lilMONSTER. We assess your risks, build the tools, and stay with you after the engagement ends. No clipboard-and-leave consulting.

Get a Free Consultation