Most data breaches start with a stolen password. Here’s how to fix that

May 22, 2026
Somewhere in your organisation right now, an employee is reusing a password they created in 2019. Another is sharing login credentials for a team account through a Slack DM. A third is storing client portal access in a browser’s built-in autofill, synced to a personal Google account your IT team does not control. None of these people are careless. They are simply doing what most workers do when their company has no password infrastructure.

This article contains affiliate links. If you make a purchase through these links, we may earn a commission at no extra cost to you.

According to Verizon’s 2024 Data Breach Investigations Report, stolen credentials were involved in roughly 80 per cent of web application breaches and remain the single most common initial attack vector across all industries. The pattern is consistent year after year: an employee reuses a password, that password appears in a consumer data breach, an attacker tests it against the company’s systems, and the door opens. The breach rarely looks dramatic. It looks like a normal login.

The fix is not telling people to choose better passwords. The fix is giving them a system that makes strong, unique credentials the default and removes the temptation to cut corners. That is what business password managers are designed to do. But most of them share a blind spot that matters more than their marketing suggests.

The metadata problem nobody talks about

When you evaluate a password manager, the first thing you check is encryption. Every serious product uses AES-256. Every serious product claims zero-knowledge architecture. But encryption scope varies more than most buyers realise, and the difference has real consequences.

Standard password managers encrypt the contents of your vault: the passwords, secure notes, and credit card numbers you store. What they often leave unprotected is the metadata surrounding those items. Item titles, associated URLs, email addresses, and access timestamps may sit on the provider’s servers in a form the provider can read. That metadata tells a story. It reveals which services your company uses, which employees access which accounts, and when. For an attacker who breaches the provider’s infrastructure (or a government that issues a subpoena), metadata can be nearly as valuable as the passwords themselves.

Proton Pass for Business was built to close that gap. Developed by Proton AG in Geneva (the same team behind Proton Mail and Proton VPN), it encrypts everything: vault contents and all associated metadata, including item titles, URLs, email addresses, and timestamps. The encryption happens on your device before data reaches Proton’s servers, and Proton holds no decryption keys. Even if its servers were compromised tomorrow, attackers would get encrypted blobs with no way to determine what is inside or which websites your team uses.
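
The difference between the two designs described above can be checked from the outside when evaluating a product. The following is an added example, not Proton's or any vendor's code: the JSON field names and both payloads are constructed, and the script flags metadata fields in a sync payload from your own client that are stored as readable text rather than ciphertext.

```python
import base64, binascii, hashlib, json, math
from collections import Counter

# Metadata the article lists. The JSON key names are hypothetical.
METADATA_KEYS = {"title", "url", "email", "last_used"}

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(value) -> bool:
    """Heuristic: base64 text decoding to at least 32 high-entropy bytes."""
    if not isinstance(value, str):
        return False
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= 32 and entropy(raw) > 4.5

def readable_metadata(payload: str) -> list:
    """Return (item id, field) pairs a server operator could read as-is."""
    findings = []
    for item in json.loads(payload)["items"]:
        for key in sorted(METADATA_KEYS.intersection(item)):
            if not looks_encrypted(item[key]):
                findings.append((item["id"], key))
    return findings

def fake_ciphertext(label: str) -> str:
    """Constructed stand-in for real ciphertext: 64 pseudo-random bytes."""
    return base64.b64encode(hashlib.sha512(label.encode()).digest()).decode()

# Constructed payloads for the same vault item under the two designs.
CONTENTS_ONLY = json.dumps({"items": [{
    "id": "item-1", "title": "Payroll portal",
    "url": "https://payroll.example.net/login", "email": "alice@example.com",
    "last_used": "2026-05-20T08:14:00Z", "password": fake_ciphertext("pw")}]})
EVERYTHING = json.dumps({"items": [{
    "id": "item-1", "title": fake_ciphertext("t"), "url": fake_ciphertext("u"),
    "email": fake_ciphertext("e"), "last_used": fake_ciphertext("ts"),
    "password": fake_ciphertext("pw")}]})

if __name__ == "__main__":
    print("contents-only:", readable_metadata(CONTENTS_ONLY))
    print("everything:   ", readable_metadata(EVERYTHING))
```

The entropy test is a triage heuristic: it cannot distinguish encryption from compression, so a clean result narrows the question rather than proving the design.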

All client applications are open-source and have been independently audited by Securitum. This is not a trust-us claim. The code is public. Anyone can verify it.

What the product actually does

Beyond encryption scope, Proton Pass includes features that address the practical ways password security fails in real organisations.

Built-in two-factor authentication. Proton Pass generates TOTP codes directly inside the app, eliminating the need for a separate authenticator. When an employee logs in, the password and verification code autofill together. This removes the friction that causes most teams to skip 2FA on “less important” accounts (which are often the accounts attackers target first).

Unlimited email aliases. Powered by SimpleLogin (acquired by Proton in 2022), every employee can generate a unique email alias for each service they sign up for. If a third-party service is breached, only the alias is exposed. Disable it instantly, and your employee’s real address stays clean. Most competitors either lack this feature entirely or charge extra for it through third-party integrations.

Dark web monitoring. Continuous scanning checks whether your team’s credentials have appeared in known data breaches. When a match is found, administrators receive an alert with enough context to act before the compromised credential is exploited. This turns password management from a reactive process (changing passwords after an incident) into a proactive one.

Passkey support. Proton Pass handles FIDO2 passkeys across all devices, positioning your team for the gradual shift away from passwords entirely. You can store, sync, and use passkeys alongside traditional credentials during the transition period.

Admin controls that scale. The Professional tier adds SSO with Microsoft Entra ID, Okta, and ADFS, plus SCIM directory sync, activity logs, enterprise security policies, and SIEM integration. IT teams can provision and revoke access centrally, enforce password hygiene rules, and audit credential activity across the organisation.

What it costs

Proton Pass for Business pricing undercuts most established competitors by a significant margin.

Pass Essentials runs $1.99 per user per month on annual billing (minimum three users). This includes unlimited password storage, the built-in 2FA authenticator, passkey support, unlimited email aliases, dark web monitoring, password health checks, and secure vault sharing. For context, Bitwarden Teams starts at $4 per user per month and 1Password Business at $7.99.

Pass Professional costs $4.85 per user per month (annual, minimum three users) and adds SSO, SCIM, activity logs, enterprise policies, Proton Sentinel advanced protection, file attachments, and CLI access.

Teams that also need encrypted email, cloud storage, and VPN can bundle Pass Professional within Proton Workspace Standard at $12.99 per user per month, which includes the full Proton productivity suite under Swiss jurisdiction.

All plans include a 14-day free trial with no credit card required.

Why Swiss jurisdiction matters

Proton AG operates under Swiss law, which offers some of the strongest privacy protections in the world. Switzerland is outside the EU and US data-sharing agreements, and Swiss courts have historically set a high bar for government data requests. Combined with zero-knowledge encryption (Proton holds no keys and therefore has nothing meaningful to hand over), this creates a legal and technical shield that US-based password managers cannot replicate.

For organisations subject to GDPR, HIPAA, or NIS2, Proton Pass holds ISO 27001 certification and provides the kind of verifiable, architecture-level compliance that auditors actually want to see, not just a checkbox in a sales deck.

The 14-day test

The practical question is not whether your team needs a password manager. It almost certainly does. The question is whether the one you choose encrypts enough, costs a reasonable amount, and works well enough that people actually use it instead of reverting to sticky notes and Slack DMs.

Proton Pass offers a 14-day free trial on all business plans with no credit card required. That is enough time to import your existing credentials, test the admin experience, evaluate the browser extensions and mobile apps, and determine whether the migration is worth completing. For most teams, the answer becomes obvious within the first week.

Prices are subject to change. Check Proton’s website for the most current pricing and plan details.
