Someone on your team knows the password to your tax software portal. Maybe they wrote it on a Post-it. Maybe it’s in a shared spreadsheet titled “Logins - DO NOT DELETE.” Maybe it’s just Dave, and Dave is leaving in three weeks.

The Problem: Informal Password Habits Are Running Your Firm’s Security

Let’s be honest about how most small CPA firms actually manage credentials. There’s the shared admin login for your document portal. The firm-wide password for your IRS e-file software that five people know. The QuickBooks access someone set up in 2019 that hasn’t been changed since. And somewhere, probably, a spreadsheet.

None of this feels alarming on a Tuesday morning when everyone’s focused on client deadlines. But each of those shared credentials is an unlocked door—and you don’t always know who has the key.

Shared passwords and informal credential habits are among the most common entry points for data breaches at small professional services firms. What makes this especially maddening is that they rarely show up on anyone’s security checklist. Firms worry about phishing. They worry about antivirus. But the question “who has access to what, and can we prove it?” often gets ignored until something breaks.

Staff turnover makes it worse. When an employee leaves—whether on good terms or not—do you know every system they could still access? Can you revoke it all in an afternoon? If your honest answer is no, that’s the problem this post is about.

Password management isn’t a tech upgrade. It’s an operational risk hiding in plain sight.

Why This Matters for CPA Firms

Accounting firms handle some of the most sensitive data that exists: Social Security numbers, bank account information, tax returns, business financials. That makes you a target. It also makes you accountable.

The IRS takes this seriously. IRS Publication 4557, “Safeguarding Taxpayer Data,” explicitly requires tax professionals to protect client information—and it identifies access controls as a core requirement. That means knowing who can access taxpayer data, limiting access to those who need it, and being able to prove that control exists.

Your Written Information Security Plan (WISP)—which the IRS now requires all tax preparers to maintain under the Gramm-Leach-Bliley Act (GLBA)—must document how your firm protects client data. If your WISP says “employees use secure, unique passwords and access is revoked upon termination,” but your actual practice is a shared spreadsheet and a prayer, that’s a compliance gap. During an audit or after a breach, that gap becomes your liability.

Beyond the IRS, the Federal Trade Commission (FTC) Safeguards Rule (updated in 2023) applies to tax preparers as “financial institutions” under GLBA. It requires administrative, technical, and physical safeguards for customer financial data—including access controls and authentication.

Weak credential practices don’t just put your clients at risk. They put your firm’s license, reputation, and professional standing at risk.

How to Actually Fix This: A Realistic Credential Management Approach

The good news: this is solvable. Here’s a practical framework for firms with 10 to 50 staff who aren’t necessarily thrilled about changing how they work.

Step 1: Start with a Credential Audit

Before you buy anything, get honest about what you’re dealing with. Make a list of every system your firm uses—tax software, document portals, email, practice management tools, cloud storage, client accounting platforms. For each one, ask: How many people have access? Are credentials shared? When was the password last changed? Who would notice if access was revoked?

You don’t need to solve everything at once. But you need to see it clearly.
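The four audit questions above (how many people have access, is the credential shared, when was it last changed, who would notice if access were revoked) can be turned into a repeatable check rather than a one-time conversation. The script below is an added example, not something from the original post or from any vendor named in it: it runs the audit over a constructed inventory (the system names, logins, staff names and dates are all hypothetical) and also answers the offboarding question from earlier in the post, "which systems could a departing employee still reach?"

```python
from datetime import date

# Constructed sample data for illustration only; no real firm, system or person.
TODAY = date(2024, 3, 1)
CURRENT_STAFF = {"alice", "bob", "dave"}
DEPARTING = {"dave": date(2024, 3, 20)}      # hypothetical: Dave leaves in ~3 weeks

INVENTORY = [
    {"system": "tax e-file portal", "login": "firm-admin",
     "users": ["alice", "bob", "dave", "erin", "frank"],
     "last_rotated": date(2022, 1, 15)},
    {"system": "document portal", "login": "admin",
     "users": ["alice", "dave"],
     "last_rotated": date(2023, 11, 1)},
    {"system": "accounting platform", "login": "bob@example.test",
     "users": ["bob"],
     "last_rotated": date(2019, 6, 1)},       # set up years ago, never changed
    {"system": "email admin", "login": "alice@example.test",
     "users": ["alice"],
     "last_rotated": date(2024, 1, 10)},
]

MAX_AGE_DAYS = 365          # policy threshold for "password last changed" (assumed)
DEPARTURE_WINDOW_DAYS = 30  # flag credentials known to anyone leaving this soon


def audit(inventory, staff, departing, today=TODAY):
    """Return one finding per risk per system.

    Findings are dicts with keys: system, issue, detail.
    issue is one of: shared, stale, orphaned, departing.
    """
    findings = []
    for entry in inventory:
        system, users = entry["system"], entry["users"]

        # Shared credential: more than one person uses the same login.
        if len(users) > 1:
            findings.append({"system": system, "issue": "shared",
                             "detail": f"{len(users)} people use login '{entry['login']}'"})

        # Stale credential: not rotated within the policy window.
        age = (today - entry["last_rotated"]).days
        if age > MAX_AGE_DAYS:
            findings.append({"system": system, "issue": "stale",
                             "detail": f"last rotated {age} days ago"})

        # Orphaned access: someone on the access list is no longer on staff.
        orphans = sorted(set(users) - staff)
        if orphans:
            findings.append({"system": system, "issue": "orphaned",
                             "detail": "not current staff: " + ", ".join(orphans)})

        # Departing user: rotation will be needed on their last day.
        leaving = sorted(u for u in users if u in departing
                         and 0 <= (departing[u] - today).days <= DEPARTURE_WINDOW_DAYS)
        if leaving:
            findings.append({"system": system, "issue": "departing",
                             "detail": "rotate at offboarding for: " + ", ".join(leaving)})
    return findings


def systems_accessible_by(inventory, user):
    """Every system whose credential a given person knows: the offboarding checklist."""
    return sorted(e["system"] for e in inventory if user in e["users"])


if __name__ == "__main__":
    for f in audit(INVENTORY, CURRENT_STAFF, DEPARTING):
        print(f"[{f['issue']:9}] {f['system']}: {f['detail']}")
    print("Dave can reach:", systems_accessible_by(INVENTORY, "dave"))
```

Replace the constructed inventory with your own list (one entry per system, users as the people who actually know the credential, not just named accounts) and run it before each offboarding and on a regular schedule; the orphaned and departing findings are exactly the items a business-grade password manager's admin console and audit log are meant to make routine.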

Step 2: Choose a Business-Grade Password Manager

Consumer password managers like LastPass Personal or browser keychain features are fine for individual use. They’re not built for a firm. Here’s what to look for:

  • Centralized administration—your IT administrator (or IT partner) can manage all accounts, reset access, and see who has access to what.
  • Role-based permissions—you can give a staff accountant access to client portals without giving them access to payroll systems.
  • Offboarding controls—when someone leaves, you can revoke their access to the password vault immediately and reassign credentials without revealing them.
  • Audit logs—you can see who accessed which credentials and when. This directly supports your WISP documentation.
  • Secure sharing—credentials can be shared between team members without anyone actually seeing the raw password.

Tools worth evaluating for firms your size include 1Password Business, Bitwarden for Business, and Keeper Security. Each has slightly different strengths around admin controls and integrations—the right choice depends on your existing tech stack.

Step 3: Roll It Out Without Breaking Your Team

Resistance to change is real. Here’s what works:

  • Don’t mandate everything at once. Start with two or three high-risk systems—your tax software, your document portal, your email admin account. Get the team comfortable there before expanding.
  • Train on the “why,” not just the “how.” People change behavior when they understand the risk. A 20-minute team meeting explaining what happens when a former employee still has access to client files goes further than an IT policy memo.
  • Make it easier than the old way. Browser extensions, mobile apps, and autofill mean a password manager should be faster than finding that spreadsheet. Lead with convenience.
  • Assign an internal champion. One person who learns the tool well and can answer peer questions. This doesn’t have to be your most technical person.

Step 4: Document It

Once your password manager is in place, update your WISP to reflect your actual practices. Document how credentials are created, who has administrative access to the vault, and what your offboarding process looks like. This is what turns a tech tool into a compliance asset.

What to Look for in an IT Partner

Not every managed IT provider understands the compliance context surrounding a CPA firm’s technology decisions. When you’re evaluating whether an IT partner can help you with credential management, ask these questions:

  • Have you worked with tax preparers subject to IRS Publication 4557 and the FTC Safeguards Rule? A provider who knows these requirements won’t need you to explain why this matters.
  • Can you help us document our credential management practices in our WISP? This is the bridge between technology and compliance that many IT providers skip.
  • How do you handle offboarding? A good provider has a documented process for revoking access across all systems—not just the ones they manage.
  • What business-grade password managers do you recommend and support? If the answer is “whatever you want,” that’s a signal they haven’t thought it through for your industry.
  • How will you train our staff? Rollout support matters more than the tool itself.

The Bottom Line

Shared passwords and informal credential habits aren’t just sloppy—they’re a compliance exposure and an operational liability that gets worse every time someone joins or leaves your firm. A business-grade password manager, rolled out thoughtfully, closes that gap and gives you the audit trail your WISP requires. This isn’t complicated. It’s just a conversation most firms keep putting off.

Frequently Asked Questions

What is the best password manager for a small accounting firm?

Business-grade tools like 1Password Business, Bitwarden for Business, and Keeper Security work well for small accounting firms because they offer centralized admin controls, audit logs, and secure credential sharing. The right choice depends on your firm’s size, existing software, and IT support structure. Consumer-grade password managers lack the administrative controls firms need to manage access across a team and satisfy compliance requirements.

Does the IRS require CPA firms to use a password manager?

The IRS doesn’t mandate a specific tool, but IRS Publication 4557 requires tax preparers to implement access controls that protect taxpayer data. Your Written Information Security Plan (WISP)—required under the Gramm-Leach-Bliley Act for tax preparers—must document how your firm controls who can access sensitive systems. A password manager with audit logs and role-based access is one of the most practical ways to satisfy those requirements.

How do I handle password manager access when an employee leaves my firm?

With a business-grade password manager, an administrator can immediately revoke a departing employee’s access to the vault and all credentials stored in it. Credentials can then be rotated and reassigned to other staff without exposing the underlying passwords. This beats shared spreadsheets or email-stored credentials, where offboarding requires manually changing every password the employee may have known.

Are password managers safe for storing client-sensitive credentials?

Yes—reputable business-grade password managers use strong encryption (typically AES-256) and zero-knowledge architecture, meaning even the password manager vendor cannot see your stored credentials. They’re significantly more secure than spreadsheets, shared documents, or browser-saved passwords, all of which lack encryption at rest and administrative access controls. For firms handling taxpayer data, a well-configured password manager is not just safe—it’s the responsible standard.

If you’re working through credential management and compliance challenges at your firm, let’s talk. One82 works exclusively with CPA firms, law firms, and financial advisory companies in the Bay Area—we know your world.