The Challenge
A business managing credentials for dozens of client accounts had no centralised system for storing or sharing passwords. Hosting logins, CMS credentials, third-party API keys, and admin passwords were scattered across email threads, a shared spreadsheet, and direct messages. When a team member needed access to a client’s hosting panel, they searched their inbox or asked a colleague — and hoped the credential had not been changed since it was last shared.
The security exposure was significant but abstract until an incident made it concrete. A team member left the company, and the business had no way to determine which credentials they had accessed. There was no audit trail, no access log, and no centralised record of who had been given what. The offboarding process took over a week of manually identifying and rotating credentials across client accounts — a process that should have taken an hour.
Beyond security, the daily friction was constant. Credentials saved in a spreadsheet were frequently outdated because someone had changed a password but not updated the shared document. Duplicate entries with conflicting values made it impossible to know which was current. The team was wasting time on something that should be invisible — finding the right password and trusting that it works.
The Approach
We built a password vault integrated into the portal the team already used for project management and client communication. The vault provides encrypted storage with role-based access controls, so credentials are available to the people who need them and invisible to everyone else.
The critical design decision was granularity of access. Rather than a flat list of passwords visible to the whole team, the vault organises credentials by client and project, with access tied to team membership. A developer working on Client A’s website sees Client A’s hosting and CMS credentials. They do not see Client B’s payment processor keys. When someone is removed from a project, their access to those credentials is revoked automatically.
Every access event is logged — who viewed which credential, when, and from where. This audit trail is not just a compliance feature. It solves the offboarding problem directly: when a team member leaves, you can generate a report of every credential they accessed and rotate exactly those, rather than guessing or rotating everything as a precaution.
We chose to build the vault into the existing portal rather than deploying a third-party password manager. The team was already logging in daily; adding the vault as a feature of that environment meant there was no adoption barrier and no additional subscription cost scaling with team size.
What Was Delivered
- An encrypted password vault replacing credential sharing via email, spreadsheets, and direct messages
- Role-based access controls tied to project membership, with automatic revocation when team members are removed
- Full audit logging on every credential access event, providing instant visibility into who has seen what
- Organised storage by client and project, eliminating duplicate and conflicting credential entries
- Integration into the existing portal, requiring no additional tools, logins, or per-seat licensing
The Result
Credential offboarding for a departing team member went from over a week to under an hour. Instead of manually hunting through inboxes and spreadsheets, the operations lead generates an access report showing every credential the departing team member viewed, and rotates those specifically. The first time they used this after launch, they identified credentials the old process would have missed entirely.
Day-to-day, the time spent finding the right password dropped from minutes of searching to seconds of navigating. More importantly, the team stopped encountering stale credentials — when a password is updated in the vault, everyone with access sees the current version immediately. The spreadsheet that had been the de facto credential store was archived within the first week because nobody needed it.
What Made This Work
Tying access to project membership rather than building a separate permissions model was the key decision. Password managers typically require manual assignment of credentials to users. By deriving access from the project structure already in the portal — if you are on the project, you see its credentials; if you are not, you do not — the vault stays accurate without anyone maintaining it. Credential access mirrors reality automatically rather than relying on someone to remember to update a permissions list.
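The model described under The Approach and above, as an added sketch that is not the portal's own code: access is derived from project membership at read time, every view is logged, and the offboarding report lists exactly what a departing member viewed. All class, field and sample names are assumptions, and encryption of the stored secrets is left out.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Vault:
    # project -> usernames on it (stands in for the portal's project structure)
    members: dict = field(default_factory=dict)
    # credential id -> owning project (the encrypted secret itself is omitted)
    credentials: dict = field(default_factory=dict)
    # append-only log of (timestamp, user, credential id, source ip, allowed)
    audit: list = field(default_factory=list)

    def can_view(self, user, cred_id):
        # No separate permission list: membership is checked on every read.
        project = self.credentials.get(cred_id)
        return project is not None and user in self.members.get(project, set())

    def view(self, user, cred_id, source_ip):
        allowed = self.can_view(user, cred_id)
        # Assumption: denied attempts are logged as well as successful views.
        self.audit.append((datetime.now(timezone.utc), user, cred_id, source_ip, allowed))
        if not allowed:
            raise PermissionError(f"{user} is not on the project owning {cred_id}")
        return cred_id  # a real vault would decrypt and return the secret here

    def remove_member(self, project, user):
        # Revocation is a side effect of leaving the project, not a vault action.
        self.members.get(project, set()).discard(user)

    def offboarding_report(self, user):
        # Only credentials the user actually viewed: this is the rotation list.
        return sorted({c for _, u, c, _, ok in self.audit if u == user and ok})

def demo():
    # Constructed sample data: project names, users and IPs are hypothetical.
    v = Vault(
        members={"client-a-web": {"dana", "lee"}, "client-b-shop": {"lee"}},
        credentials={"client-a/hosting": "client-a-web", "client-a/cms": "client-a-web",
                     "client-b/payments": "client-b-shop"},
    )
    v.view("dana", "client-a/hosting", "203.0.113.10")
    try:
        v.view("dana", "client-b/payments", "203.0.113.10")  # not on Client B
    except PermissionError:
        pass
    v.remove_member("client-a-web", "dana")
    return v.offboarding_report("dana"), v.can_view("dana", "client-a/cms"), len(v.audit)
```

The report contains only `client-a/hosting`: the CMS credential was reachable but never viewed, so it does not need rotating on that user's account, and the denied Client B attempt stays in the log without entering the rotation list.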
Recognise This Problem?
If your team shares credentials through email or spreadsheets and you have no way to know who has access to what, the risk compounds with every new hire and every client onboarded. Get in touch to discuss how a vault integrated into your existing workflow could work.