TL;DR: Password managers can reduce password sprawl for NGOs and foundations, but the article shows that centralised control, auditability, and user adoption still determine whether sensitive information stays manageable, according to Passbolt. The deeper issue is governance, not tooling, because shared access, manual reviews, and weak operating habits still create exposure.
NHIMG editorial — based on content published by Passbolt: A Password Manager for NGOs & Foundations
Questions worth separating out
Q: How should NGOs manage shared passwords without losing accountability?
A: NGOs should centralise shared passwords in a managed vault, assign clear ownership for each credential set, and require logging for every access event.
Q: Why do password managers matter for non-profit security programmes?
A: Password managers matter because they turn unmanaged sharing into controlled access with visibility, permissions, and audit evidence.
Q: What do organisations get wrong about password audits?
A: They often treat audits as a once-a-year checkbox instead of a continuous governance activity.
Practitioner guidance
- Consolidate shared credentials into a managed vault Replace ad hoc password sharing with a centrally administered system that supports multi-user access, item-level permissions, and logging for every sensitive account.
- Treat password audits as access reviews Use audit logs and reporting to review who accessed each credential, whether access still matches current roles, and whether any shared account needs tighter scope.
- Build adoption into the rollout plan Pair deployment with clear guidance, role-specific training, and documented rules for storing, sharing, and retiring passwords so users do not revert to plain-text habits.
What's in the full article
Passbolt's full article covers the operational detail this post intentionally leaves for the source:
- How Passbolt frames password manager selection criteria for NGOs and foundations
- The practical rollout steps for introducing a password manager into a small, collaborative organisation
- The user-training considerations highlighted by the Greenpeace example
- The cost and discount considerations Passbolt raises for non-profit buyers
👉 Read Passbolt's guide to password managers for NGOs and foundations →
Password managers for NGOs: what IAM teams should rethink?
Explore further
Shared password sprawl is a governance failure, not a convenience issue. The article correctly treats password distribution as an operational risk because informal sharing removes any reliable way to review, revoke, or account for access. That is the same control problem seen in many NHI environments, where shared secrets outlive the people or tasks that created them. Practitioners should treat every shared credential as a lifecycle object, not a convenience shortcut.
A few things that frame the scale:
- Organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, according to The State of Secrets in AppSec.
- 43% of security professionals are concerned about AI systems learning and reproducing sensitive information patterns from codebases, according to The State of Secrets in AppSec.
A question worth separating out:
Q: How can teams stop users from bypassing password controls?
A: Teams should combine training, clear policy, and simple workflows so the approved process is easier than the old one. Users need to understand why plain-text storage is risky and what the replacement process looks like in day-to-day work. If adoption is not measured, bypass habits will return.
👉 Read our full editorial: Password managers for NGOs reveal the real governance gap