A week before this article went up, I watched a mid-sized Indian company lose a customer account because a vendor's shared credential went into a Google Doc called "Shared Passwords (NEW)". Three different people had three different versions. The one that was actually current had been overwritten accidentally. The customer had signed a contract with them on the strength of "your team has this handled". It was embarrassing in exactly the way corporate IT is always embarrassing — quietly, avoidably, with a Google Doc.
If you run a team in India and your answer to "how do you share the AWS root login?" is anything involving a chat message, a document, or "Rohan's memory", this article is for you.
What a corporate password manager actually is
A corporate password manager (or credential vault) is a service where:
- Every team member has their own encrypted vault for personal logins.
- The organisation has shared vaults for team credentials, scoped by role.
- A browser extension auto-fills logins on websites.
- Administrators see who accessed what and when, and can revoke access instantly.
- The service never, ever sees your actual passwords in plain form — this is the "zero-knowledge" part, and it's the word you want to hold vendors to.
What "zero-knowledge" actually means (the two-minute version)
This is the crypto concept that every reputable password manager uses, and that vendor marketing almost always bungles.
- When you sign up, you pick a master password.
- Your device runs that master password through a deliberately slow key-derivation function (usually Argon2, or PBKDF2 with 600,000+ iterations). Out comes a master encryption key.
- Every credential you store is encrypted on your device with that key before it touches the network.
- What the vendor's servers receive and store is ciphertext — scrambled bytes they cannot read.
- When you want to retrieve a password, your device downloads the ciphertext and decrypts it locally using your master key.
The vendor never sees:
- Your master password.
- Your master key.
- Your actual credentials.
If the vendor is breached tomorrow, the attacker gets a pile of encrypted blobs that are useless without every user's master password — and those were never uploaded in the first place.
That's zero-knowledge. It's mathematical rather than promissory. It's the difference between "we won't look" and "we can't look".
Why Indian teams need this
Four specific pressures that hit Indian MSMEs hard:
1. Shared vendor accounts
The SaaS stack is heavy: Razorpay, Zerodha, AWS, GoDaddy, Freshdesk, a dozen more. Most don't offer SSO on affordable plans, so teams share logins. In a shared-credential world, a password manager is not optional — it's the only safe way.
2. Contractor and vendor access
Indian businesses heavily use contractors and external vendors. They need temporary access to credentials, and you need to revoke cleanly when the engagement ends. "Change the password" is the wrong answer because you have to re-share it with everyone else. Temporal access (time-boxed sharing that auto-expires) is the right answer.
3. Offboarding
When someone leaves, you need to know: what did they have access to? Without a corporate vault, the answer is "everything they touched, ever, forever". With a vault, you can revoke all shared credentials in one action and review what was accessed in the last 30 days.
4. DPDP Act and upcoming compliance
The Digital Personal Data Protection Act (2023) raises the bar on how Indian companies handle personal data. A shared credentials document is a breach-waiting-to-happen; a vault with audit logs is a defensible control.
Evaluation criteria for an Indian MSME
Eleven questions. Ask every vendor. Don't accept marketing-page answers.
- Is it zero-knowledge? If they say "we encrypt your data" but can't explain the key derivation, they aren't zero-knowledge.
- What's the KDF and iteration count? Argon2id, or PBKDF2 with 600,000+ iterations, is the current standard.
- Browser extension coverage. Chrome, Firefox, Edge at minimum. Extra credit for multi-step login flows.
- Team-based sharing with granular access. Can you share a credential with "Finance team" but not specific members within it? Can you set read-only?
- Temporal access. Can you share a credential that auto-expires on a date?
- Audit logs. Who accessed what, when, from where. Exportable.
- Session management. Can you force-log-out a user from all devices? Revoke a specific device?
- Security score / dashboard. Does it flag reused passwords, weak passwords, breach-exposed credentials?
- SSO integration. Does it integrate with your existing SSO (or a directory such as Active Directory)?
- Import from what you have today. Can it ingest CSV exports from Google Password Manager, 1Password, Bitwarden, LastPass, or a messy spreadsheet?
- Data residency and backup policy. Where is the encrypted ciphertext stored? How often is it backed up? What's the restore RTO if the vendor has an outage?
The sharing model matters more than the feature list
The single most misused feature in every corporate vault is sharing. Teams either:
- Share everything with everyone — the "whole-company vault" that defeats the purpose.
- Share narrowly but forget to re-share — new hires can't do their job because the credential wasn't inherited.
- Share without expiry — contractors from 18 months ago technically still have access to production.
A good vault makes the right thing easier:
- Group-based sharing ("Engineering" instead of listing six people) so new hires inherit access automatically.
- Expiry defaults on contractor shares.
- Recommendations that surface unused access so admins can prune it.
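A sketch of that model as an added example: group-based grants, expiry, and a review pass that surfaces what to prune. The record format, names and dates are constructed for illustration and do not reflect any vendor's schema.

```javascript
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample data: groups, and credential grants to groups or single users.
const groups = { Engineering: ['asha', 'vikram'], Finance: ['meera'] };
const grants = [
  { credential: 'aws-prod', to: 'group:Engineering', expires: null,
    contractor: false, lastUsed: '2026-03-28' },
  { credential: 'razorpay', to: 'group:Finance', expires: null,
    contractor: false, lastUsed: '2025-11-02' },
  { credential: 'aws-prod', to: 'user:ext-dev1', expires: null,
    contractor: true, lastUsed: '2024-10-01' },
  { credential: 'godaddy', to: 'user:ext-dev2', expires: '2026-03-01',
    contractor: true, lastUsed: '2026-02-20' },
];

const isLive = (g, now) => !g.expires || new Date(g.expires) > now;

// Does this grant give `user` access at `now`? Expired grants give none.
function grantApplies(g, user, now) {
  if (!isLive(g, now)) return false;
  const [kind, name] = g.to.split(':');
  return kind === 'user' ? name === user : (groups[name] || []).includes(user);
}

// Credentials a user can open right now, resolved through group membership.
function effectiveAccess(user, now) {
  const names = grants.filter(g => grantApplies(g, user, now)).map(g => g.credential);
  return [...new Set(names)].sort();
}

// What an admin should prune: contractor shares with no expiry,
// and live grants that nobody has used for more than `staleDays`.
function reviewGrants(now, staleDays = 90) {
  const findings = [];
  for (const g of grants.filter(x => isLive(x, now))) {
    const label = `${g.to} -> ${g.credential}`;
    if (g.contractor && !g.expires) findings.push(`${label}: contractor share without expiry`);
    const idleDays = (now - new Date(g.lastUsed)) / DAY_MS;
    if (idleDays > staleDays) findings.push(`${label}: unused for over ${staleDays} days`);
  }
  return findings;
}
```

Adding a name to `groups.Engineering` is enough for a new hire to inherit `aws-prod`, while the contractor grant with an expiry date drops out of `effectiveAccess` on its own.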
A quick comparison of common options
Typical 2026 positioning for Indian MSME buyers:
| Product | Zero-knowledge | Starting price (per user / month) | India billing | Highlights |
|---|---|---|---|---|
| 1Password Business | Yes | | USD only | Mature, widely used |
| Bitwarden Teams | Yes | | USD only | Open-source option |
| Dashlane Business | Yes | | USD only | Strong UX |
| Google Password Manager | Partial (not enterprise) | Free (personal) | Yes | Not a team product |
| Unit by Hives.cloud | Yes | ₹149 | Yes, GST-ready | Built for Indian teams; temporal access by default |
Pricing is approximate from publicly listed vendor sites; last verified April 2026.
What Unit is designed around
Unit is Hives.cloud's corporate password manager. It's zero-knowledge (Argon2-based key derivation), ships with Chrome/Firefox/Edge extensions, supports team-based sharing with access policies, bakes in temporal access with expiry dates, and gives admins a security score dashboard plus field-level audit logs. Unit is built for Indian MSMEs specifically — INR pricing, GST-ready invoices, English + Hindi support. Plans start at ₹149/user/month.
The feature I'd draw attention to most: temporal access by default. Most vendors treat expiry as an advanced feature. We treat it as the default assumption — contractors, short engagements, one-off handoffs are how Indian teams actually work, and credentials should expire without requiring a reminder to revoke them.
Migration from what you're using today
Regardless of what you pick, the migration looks roughly like:
1. Inventory — ask every team lead for a list of credentials they use. Expect ~3x more than you think.
2. Categorise — personal (not the vault's problem), team-shared (main target), vendor-owned (scope and offboard).
3. Import — export to CSV from whatever you use today; import into the new vault.
4. Group structure — set up teams in the vault to match reality, not your org chart.
5. Deprecate the shared doc — rename the old Google Doc to "DELETE 2026-06-01" and actually delete it.
6. Train for 20 minutes — demo the browser extension; show sharing, revocation, temporal access.
7. Enforce MFA on the vault itself — the vault is now the single most valuable login. Don't leave it with just a password.
Step 5 is the step people skip. The old shared doc quietly refills itself over the next 90 days if you don't delete it.
FAQs
If I forget my master password, can the vendor reset it? No — that's the trade-off for zero-knowledge. The vendor cannot decrypt your vault. Most vendors provide recovery codes or emergency access delegation; store these carefully offline.
Can the vendor's staff see my passwords? If the vendor is actually zero-knowledge, no — not even with full server access. They see ciphertext only.
What about breach risk? A zero-knowledge vault vendor has been breached in the past (LastPass, 2022). The encrypted vaults were stolen. Because they were zero-knowledge, decrypting them requires the master password. Users with weak master passwords were at risk; users with strong ones were protected. Moral: your master password is the single point of failure. Make it long and unique.
Does a password manager replace SSO? No. SSO (single sign-on) reduces the number of credentials you have; a password manager safely stores the ones you still have. Most Indian MSMEs need both, because not every vendor offers SSO on affordable tiers.
Is the browser extension safe? Browser extensions have risks (they can theoretically be compromised via a supply-chain attack). The reputable vendors sign their releases, auto-update, and publish security audits. Check for a recent third-party audit — within 12 months ideally.
How do we handle personal credentials vs company credentials? Use the corporate vault for anything the company owns; use personal vaults (usually included with the same subscription) for personal credentials. Don't mix them — a leaving employee shouldn't lose access to their own Netflix login, but should lose the company's AWS account.