Password Managers for SMEs: Bitwarden, 1Password, Proton Pass, and NordPass Compared
TL;DR
- For small and medium-sized enterprises (SMEs) in Switzerland, the password manager market essentially comes down to four vendors. NordPass, 1Password, Bitwarden, and Proton Pass all build on zero-knowledge architecture, but differ noticeably in admin features, server location, and pricing structure.
- Proton Pass is the only option headquartered and hosted in Switzerland, Bitwarden the only one with a self-hosting option, 1Password has the most mature admin features, and NordPass has the lowest entry hurdle for non-technical teams.
- Which manager fits best depends mainly on where your team stands today. Ecosystem, identity provider, compliance requirements, and budget determine which tool makes the most sense.
- For nDSG-compliant processing of credentials you need a Data Processing Agreement (DPA) with each of the four vendors, and each of them provides one for business customers.
Managing passwords across a team has been a long-standing headache for many companies. Credentials get shared through chat tools for speed, stored in shared Word or Excel files, or reused in simple patterns so finding the right password for the next login doesn’t take too long. Onboarding (and offboarding) staff adds another layer of complexity, never mind managing two-factor authentication codes across the team. This kind of complexity is daily life in many SMEs, and as long as nothing happens, the need to act often goes unrecognised. Over time, the “manual way” of managing passwords can grow into a serious problem. In the second half of 2025 alone, the Federal Office for Cybersecurity (BACS) recorded 29,006 voluntary reports and 145 mandatory cyber incident reports, with credential theft among the most common attack types.
This dynamic is now a frequent driver behind SMEs in Switzerland eventually adopting a password manager. The trigger is rarely a single weak login but the missing overview. Who has access to what, who had access before they left, and how fast can you respond after a data breach? A central vault with an admin panel solves this structurally and at the same time supports the “appropriate technical and organisational measures” that the nDSG requires for the processing of personal data.
Across the Swiss and DACH market for SMEs, four vendors essentially dominate, namely NordPass, 1Password, Bitwarden, and Proton Pass. This comparison shows where they differ structurally and which manager fits which kind of team.
What all four vendors share
Before turning to the differences, it’s worth noting the common ground. All four vendors build their vaults on zero-knowledge architecture. The encryption key is derived from your master password on your device, and the vendor never sees the plaintext content of your vault. Even after a successful server breach or a court order, only encrypted data blocks can be handed over.
All four support passkeys, TOTP codes, password sharing within vaults, cross-device synchronisation, and browser extensions for the major browsers. All four also offer business customers a Data Processing Agreement that covers the requirements of Art. 9 nDSG.
The differences sit in architecture, server location, depth of admin features, and pricing structure. Those are exactly the dimensions we look at next.
What SMEs in Switzerland should weigh up
Anyone choosing a password manager for a team should be clear on four points up front:
- Identity provider and SSO. If your team already authenticates with Microsoft Entra ID, Okta, or Google Workspace, you’ll want to wire the password manager up via SAML SSO, so joiners and leavers are managed centrally. For teams without an identity provider, this is not a concern.
- Server location and compliance. For SMEs subject to the nDSG, it matters in which country the encrypted vault data sits and which legal regime applies to the vendor. In particularly sensitive sectors such as fiduciary services, law firms, or healthcare, server location can be a deal-breaker.
- Usability for non-technical staff. A password manager only helps if everyone uses it. A clunky interface pushes people back to sharing logins by email or chat.
- Budget and billing logistics. Per-seat prices are moderate across the board, but the bundle makes the difference. If you already pay for Microsoft 365 or Google Workspace, think of the password manager as part of that decision rather than in isolation. Bank transfer in CHF instead of a credit card in USD is a real advantage for finance departments in Switzerland.
With that frame in mind, the four vendors in detail.
NordPass Business
NordPass is the password manager from Nord Security, the Lithuanian company behind NordVPN. The architecture is built on XChaCha20 encryption with a zero-knowledge principle. The vault is encrypted locally before it ever reaches the servers. The browser extension and desktop apps are designed for users with little tool experience, which makes rollout in non-technical teams straightforward.
NordPass offers business customers three tiers, namely Teams, Business, and Enterprise. The Teams tier includes single sign-on with Google Workspace; full SAML SSO with Entra ID, Microsoft ADFS, and Okta plus SCIM provisioning is only available on the Enterprise plan. Activity logs, data breach scanner, and password health dashboard are included from the Business tier upward. For a small team without an identity provider, NordPass Teams is enough; an SME with Entra ID or Okta should plan for Enterprise from the start.
NordPass Business is a pragmatic choice for SMEs looking for a proven, easy-to-use manager with no specific requirements around open source, self-hosting, or a Swiss server location. The integration with the wider Nord ecosystem (NordVPN, NordLayer, NordLocker) is a plus for teams already running other Nord Security tools.
What NordPass does not provide is self-hosting, open-source clients, or a native Travel Mode like 1Password.
Current pricing and plans are listed on the NordPass Business page. More detail is in the NordPass guide.
1Password Business
1Password is developed by Canadian AgileBits and has been on the market since 2005. The key structural difference from competitors is its dual-key architecture. The vault is encrypted with AES-256-GCM, but the key is derived from two components, namely your master password and an additional 128-bit Secret Key stored locally. Even an attacker who steals the encrypted vault data from the vendor cannot get through with a brute-force attack on the master password alone, because they lack the Secret Key.
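The effect described above, as an added illustration that is not from the original article and is not 1Password's actual derivation: a simplified two-secret scheme (PBKDF2 output XORed with an HMAC mask of a device-held secret) and a password-only scheme are each tested against a short wordlist by someone holding only server-side data. The iteration count, the mask label, and all sample values are assumptions constructed for the demo.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 50_000  # assumed value for a fast demo, not any vendor's setting


def single_key(master_password: str, salt: bytes) -> bytes:
    """Password-only derivation: the vault key depends on the master password alone."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS)


def dual_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Simplified two-secret derivation: stretched password XOR mask from a device secret."""
    stretched = single_key(master_password, salt)
    mask = hmac.new(secret_key, b"vault-key-mask" + salt, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(stretched, mask))


def seal(key: bytes, blob: bytes) -> bytes:
    """Stand-in for authenticated encryption: a tag only the right key reproduces."""
    return hmac.new(key, blob, hashlib.sha256).digest()


def offline_guess(candidates, derive, blob, tag):
    """Check candidate passwords against a stolen tag; return the match or None."""
    for guess in candidates:
        if hmac.compare_digest(seal(derive(guess), blob), tag):
            return guess
    return None


def run_demo():
    salt = secrets.token_bytes(16)
    secret_key = secrets.token_bytes(16)   # 128-bit secret that stays on the device
    blob = b"constructed sample vault ciphertext"
    password = "Summer2025!"               # constructed weak master password
    words = ["password1", "Summer2025!", "letmein"]  # constructed wordlist
    tag_single = seal(single_key(password, salt), blob)
    tag_dual = seal(dual_key(password, secret_key, salt), blob)
    # Server-side data only: salt, blob and tag are known, the device secret is not,
    # so the dual-key check has to substitute a guessed secret (all zero bytes here).
    hit_single = offline_guess(words, lambda g: single_key(g, salt), blob, tag_single)
    hit_dual = offline_guess(words, lambda g: dual_key(g, bytes(16), salt), blob, tag_dual)
    return hit_single, hit_dual


if __name__ == "__main__":
    print(run_demo())
```

The password-only vault yields to the wordlist, while the two-secret vault does not even though the correct password is in the list, because every guess also needs the 128-bit device secret.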
For teams, 1Password Business offers SAML SSO with the major identity providers, SCIM provisioning, activity logs, granular vault permissions, and a Travel Mode that temporarily removes selected vaults from the device. Watchtower monitors the vault for reused, weak, and breached credentials and flags services where you do not yet have a passkey or 2FA configured.
1Password’s strengths sit in the depth of its admin features, the polish of its interface, and its developer tooling (SSH agent, CLI, API integration). For teams with an engineering share, that’s an argument the other three vendors do not match in the same way.
Self-hosting, open-source clients, and a Swiss base are absent. Per-seat pricing sits above Bitwarden and usually above NordPass too.
Current pricing and plans are listed on the 1Password Business page. More detail is in the 1Password guide.
Bitwarden Teams and Enterprise
Bitwarden is the only one of the four vendors whose server code and clients are open source and which offers an official self-hosting option. The company is based in Santa Barbara, California. Encryption uses AES-256-CBC plus HMAC-SHA-256, with keys derived from your master password via PBKDF2 or Argon2.
For teams, Bitwarden offers two business tiers. Bitwarden Teams covers vault sharing, an admin panel, and password health reports. SAML SSO and SCIM provisioning are only included on the Enterprise plan. So a small team without an identity provider can get away with Teams; once Entra ID or Okta enter the picture, Enterprise is the right tier.
Bitwarden’s central strength is the combination of open source, low price, and the option to run the server yourself. For SMEs with their own IT team that wants to operate a Bitwarden server in their own infrastructure (or with a Swiss hosting provider), that is a unique selling point. Self-hosting also shifts the nDSG question, since a third party is no longer the data processor; your own organisation processes the data under its own responsibility.
How Bitwarden handles security incidents can be seen in the supply chain attack on the CLI package on 22 April 2026. The tampered npm version was online for around 90 minutes and targeted developer environments that updated the package during that window. Vault data and the cloud infrastructure were not affected. Bitwarden promptly published an official statement and a clean version 2026.4.1.
The interface is functional but less polished than 1Password’s or NordPass’s. Onboarding a team of non-technical people involves a bit more friction. Travel Mode is missing, and Proton Pass’s Hide-My-Email aliases have no comparable feature in Bitwarden. Emergency Access is restricted to personal (Premium or Family) accounts and is not part of the business plans.
Proton Pass for Business
Proton Pass is the youngest of the four options, from Proton AG, headquartered in Geneva. Vault data sits in data centres in Zurich and Frankfurt, both operated directly by Proton. Unlike the other three vendors, not only the passwords themselves but also the metadata are zero-access encrypted. Vault names, item titles, tags, and the sharing structure (for example, the fact that the “Finance” vault is shared between the CFO and accounting with read access) remain invisible to Proton.
Pass Professional offers SAML SSO with Entra ID, Okta, Google Workspace, and Cisco Duo, plus SCIM provisioning with Entra ID and Okta, activity logs, a CLI, and SIEM integration. Hide My Email aliases through the SimpleLogin integration are included natively rather than only as an external add-on.
The Proton Business Suite bundles Pass with Mail, Drive, Calendar, and VPN under one admin panel. As soon as a team uses more than just credentials from Proton, the suite is cheaper than the individual subscriptions. For SMEs in Switzerland, paying by bank transfer in CHF is a concrete advantage in procurement.
Travel Mode, a nested folder hierarchy inside vaults, and a native bridge to on-prem Active Directory without an upstream identity provider are missing. The browser extension does not yet support biometric unlock, and Android autofill is the most frequent piece of user feedback in daily use. Teams that lean Android-heavy should pilot the mobile app with a small group before a full rollout.
Current pricing and plans are listed on the Proton Pass Business page. More detail is in the Proton Pass guide.
Side-by-side comparison
| | NordPass Business | 1Password Business | Bitwarden Enterprise | Proton Pass Business |
|---|---|---|---|---|
| Headquarters | Lithuania | Canada | USA | Switzerland |
| Hosting | EU | USA, EU | USA, EU | Zurich, Frankfurt |
| Open source | No | No | Yes (server and clients) | Yes (clients) |
| Self-hosting | No | No | Yes | No |
| Encryption | XChaCha20 | AES-256-GCM, dual-key | AES-256-CBC plus HMAC | AES-256-GCM |
| SAML SSO | Enterprise only | Yes | Enterprise only | Yes (Professional) |
| SCIM provisioning | Enterprise only | Yes | Enterprise only | Yes (Entra, Okta) |
| Passkey support | Yes | Yes | Yes | Yes |
| Travel Mode | No | Yes | No | No |
| Hide-My-Email aliases | No | Integration only | Integration only | Included (SimpleLogin) |
| Metadata encrypted | Partial | Partial | Partial | Full |
| DPA under nDSG | Yes | Yes | Yes | Yes |
| Bank transfer in CHF | Via sales | Via sales | Via sales | Yes |
Which password manager fits your SME?
Asking which password manager is “the best” rarely takes you anywhere. Asking which tool fits which team is more useful.
For small teams of 3 to 15 people without an identity provider. NordPass Teams or Business covers this convincingly. Rollout is done in a few hours, the interface is intuitive even for non-technical people, and the admin features are sufficient at this size. Once you later introduce Entra ID or Okta, the jump to the NordPass Enterprise plan becomes necessary, since SAML SSO and SCIM only unlock there.
For engineering- or developer-heavy teams that need mature integration. 1Password Business is the obvious pick. The SSH agent, CLI, browser extension, and Watchtower are mature, and the dual-key architecture is an extra safety net for a high-value vault inventory. Travel Mode matters for anyone who regularly crosses borders with sensitive credentials on the device.
For teams running their own IT infrastructure that want to keep vault data inside Switzerland. Bitwarden with self-hosting on a Swiss virtual machine is the variant where you become both the controller and the processor of the data. That removes a whole compliance discussion from the table and fits fiduciary firms, law firms, or specialised SMEs whose own compliance requirements go beyond the usual standard. It does require a small but real operational effort. Regular patching plus creating and testing backups are important parts of the picture.
For teams that want as much as possible under Swiss law and from a single vendor. The Proton Business Suite, with Pass, Mail, Drive, Calendar, and VPN under one admin panel, is the most consolidated variant, even though Proton Pass is still relatively new on the market compared with the others. Paying by bank transfer in CHF and the Geneva headquarters are a plus for nDSG documentation that can pay off in procurement.
What to clarify before rollout
Whichever vendor you choose, a few preparations are worthwhile:
- Inventory the credentials currently in use. Where do passwords sit today, whether in browsers, in Excel files, in shared notes, or in a local password manager like KeePass? That list is the basis for the migration.
- Plan the vault structure before you migrate. One vault per team or per function (Marketing, Finance, Engineering, and Admin), plus a personal vault per user. Restructuring after the fact takes much more time than planning it up front.
- Request the Data Processing Agreement in writing. All four vendors provide a DPA. With some you have to actively accept it in the admin panel; others you have to request from sales. Store the document in your compliance folder. More context on the Swiss DPA is in the article on Data Processing Agreements in Switzerland.
- Enforce 2FA on all accounts. A master password plus a second factor is the minimum. For admin accounts, hardware keys (YubiKey or Titan Key) are recommended over TOTP stored in the same password manager.
- Define joiner and leaver processes. Who provisions new users, who revokes access on departure, and how is it documented? Without a clear process, organisations end up back at the same overview problem within months.
- Pilot with a small group. Have a handful of people from different functions test the new tool for a few days or weeks before the whole team gets access. That helps surface issues with browser setups, mobile apps, or specific web forms early.
- Review the setup yearly. Vendors change sub-processors and features, your team grows, and new identity providers get added. A short annual review keeps the setup current and produces the documentation that the nDSG expects in a dispute.
How a password manager fits alongside a VPN and other building blocks in a Swiss security stack is covered in our guide VPN and Password Manager: Which Ones Are Actually Worth Paying For?.
NeoGuard may earn a commission if you purchase through our links. This does not affect our editorial recommendations. See our privacy policy for details.