The best password manager for a nonprofit organization is 1Password Teams, which offers verified nonprofit discounts, granular vault permissions, and AES-256 encryption with a zero-knowledge architecture — all without requiring a dedicated IT department to manage it. For nonprofits with tighter budgets or a preference for open-source-adjacent transparency, Keeper Security and NordPass are strong alternatives.
What You'll Accomplish — and Why It Matters for Nonprofits
Nonprofits handle sensitive donor records, grant portal credentials, banking logins, and volunteer accounts — often with high staff turnover and limited IT support. A misconfigured shared spreadsheet or a single reused password is one of the top causes of data breaches in the sector. This guide walks you through selecting the right tool, purchasing it at a nonprofit rate, onboarding your team, and verifying that everything is locked down correctly.
By the end, your team will have a centralized, encrypted vault, role-based access to credentials, and a documented offboarding process for departing staff.
Prerequisites / What You'll Need
- An organization email domain (e.g., yourorg.org) — free personal Gmail accounts won't qualify for nonprofit pricing
- Administrator access to your organization's email DNS (for domain verification during account setup)
- A TechSoup account (free to register) if you plan to claim 1Password's nonprofit discount — verification takes 1–5 business days
- A list of all current shared credentials (donor CRM login, grant portals, social media, banking, email newsletter platform) — export from your existing spreadsheet or LastPass/Bitwarden if migrating
- At least one designated "Vault Admin" — the person responsible for approving new member access
- Devices running macOS 13+, Windows 10/11, iOS 16+, or Android 12+ for the browser extension or native app
- Credit card or PayPal for billing (nonprofit invoicing available on request through 1Password's sales team)
Step 1: Confirm Your Nonprofit Discount Eligibility
Nonprofit pricing isn't automatic — you have to apply. 1Password partners with TechSoup to verify 501(c)(3) status (or equivalent for non-US organizations). Go to 1password.com/teams/nonprofits, click "Apply through TechSoup," and complete the verification form. TechSoup typically confirms status within 1–5 business days.
Once verified, 1Password Teams drops from $19.95/month (10-user base, billed annually) to approximately $14/month for the same tier — TechSoup posts the exact discount amount in your offer dashboard, and it changes periodically, so check the portal rather than trusting a cached number.
Gotcha: If your nonprofit isn't registered on TechSoup yet, create the TechSoup account before starting the 1Password trial. The 14-day trial clock starts on signup, and TechSoup verification can take longer than expected if you need to submit IRS determination letters.
Step 2: Create Your 1Password Teams Account and Configure Account Settings
Go to 1password.com and start the Teams plan trial. During setup, you'll be prompted to:
- Set a master account password (minimum 10 characters; 1Password's strength meter enforces entropy, not just length)
- Download and save your Emergency Kit PDF — this contains your Secret Key, a 34-character string that is combined with your master password to derive your encryption key using PBKDF2-SHA256. Print two copies and store them in separate physical locations.
- Enable two-factor authentication under Settings → Security → Two-Factor Authentication. For nonprofits, I recommend WebAuthn (hardware keys like YubiKey 5 Series) for admins and TOTP via an authenticator app (Google Authenticator, Authy) for general staff. SMS is available but not recommended.
Under Settings → Policies, enforce:
- Strong Master Password requirement (minimum 12 characters)
- Two-Factor Authentication required for all members
- Clipboard clearing after 90 seconds
Expected output: After saving policies, any new team member who signs in without 2FA will be blocked at login and shown a setup prompt before gaining vault access.
Step 3: Create Vaults Mapped to Your Nonprofit's Departments
Don't dump everything into one shared vault. In 1Password Teams, go to Vaults → New Vault and create separate vaults for logical access groups:
| Vault Name | Who Has Access |
|---|---|
| Finance & Banking | Executive Director, Finance Manager |
| Donor CRM | Development Team |
| Social Media | Communications Staff |
| IT & Admin | Vault Admins only |
| All-Staff Shared | Everyone (read-only for most) |
Assign vault permissions per group under People → Groups. Create groups first (Finance, Development, Communications, Admin), then assign vaults to groups rather than individuals — this makes offboarding dramatically faster.
Gotcha: 1Password Teams doesn't support fine-grained item-level permissions within a vault — access is vault-wide. If a volunteer should only see the Twitter login and nothing else in the Social Media vault, put that one item in a separate "Volunteer Social" vault. It's a real limitation, and it's worth knowing upfront.
Step 4: Invite Team Members and Run Onboarding
From People → Invite People, enter each team member's work email. They'll receive an invitation link valid for 7 days. Walk first-time users through:
- Installing the 1Password browser extension (Chrome, Firefox, Edge, Safari, Brave — all supported)
- Installing the desktop app (macOS, Windows, Linux available)
- Signing in with their email + master password + Secret Key (from their personal Emergency Kit PDF)
- Setting up TOTP on their authenticator app
For nonprofits with volunteers who rotate frequently, create a dedicated Volunteer group with access only to the Volunteer-specific vault. When a volunteer leaves, remove them from the group. Removal cuts off their access to the vault but does not undo anything they have already seen, so you should rotate any credentials they had access to within 24 hours of departure.
Expected output: After accepting the invite and completing setup, new members should see only the vaults their group has been granted. They should not see the Finance vault unless explicitly added.
Step 5: Migrate Existing Credentials into 1Password
If your team currently stores passwords in a spreadsheet, export it as a CSV with columns: Title, Username, Password, URL, Notes. In 1Password, go to File → Import → CSV and map the columns to 1Password fields.
If migrating from another password manager:
- LastPass: Export via LastPass Account Settings → Advanced → Export. Import the .csv directly into 1Password using the LastPass import option.
- Bitwarden: Export as unencrypted JSON from Bitwarden's web vault, then use 1Password's Bitwarden importer.
- KeePass: Export as .csv (uncheck password masking), import via 1Password's CSV importer.
Gotcha: Delete the exported CSV file as soon as you have verified in 1Password that the items imported correctly. An unencrypted credential export sitting in your Downloads folder is a significant security risk.
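A pre-import check for the spreadsheet export described in this step, as an added example that is not part of the original guide or of any 1Password tooling: it confirms the five expected columns are present and flags empty, short, reused, or plain-HTTP entries without ever printing a password. The sample rows are constructed, and the 12-character threshold is an assumption borrowed from the master-password policy in Step 2.

```python
import csv
import hashlib
import io
from collections import defaultdict

REQUIRED = ["Title", "Username", "Password", "URL", "Notes"]
MIN_LEN = 12  # assumed threshold, borrowed from the master-password policy

# Constructed sample export; real input is the spreadsheet's CSV file.
SAMPLE_CSV = """\
Title,Username,Password,URL,Notes
Donor CRM,dev@yourorg.org,Spring2024!,https://crm.example.org,shared
Grant Portal,grants@yourorg.org,Spring2024!,https://grants.example.gov,
Newsletter,comms@yourorg.org,,https://mail.example.com,password missing
Bank,finance@yourorg.org,t7#Lq9vX2m!pRz4w,http://bank.example.com,
"""

def audit_export(handle):
    """Return (findings, row_count) for a credential CSV before import."""
    reader = csv.DictReader(handle)
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError(f"missing columns: {missing}")
    findings, rows = [], 0
    by_digest = defaultdict(list)
    for line_no, row in enumerate(reader, start=2):
        rows += 1
        title = (row["Title"] or "").strip() or f"row {line_no}"
        password = row["Password"] or ""
        if not password:
            findings.append((title, "empty password"))
            continue
        if len(password) < MIN_LEN:
            findings.append((title, f"shorter than {MIN_LEN} characters"))
        if (row["URL"] or "").lower().startswith("http://"):
            findings.append((title, "URL is not HTTPS"))
        # Group by digest so the report never holds a password itself.
        by_digest[hashlib.sha256(password.encode()).hexdigest()].append(title)
    for titles in by_digest.values():
        if len(titles) > 1:
            findings.append((", ".join(titles), "same password reused"))
    return findings, rows

if __name__ == "__main__":
    findings, rows = audit_export(io.StringIO(SAMPLE_CSV))
    print(f"{rows} rows checked")
    for item, problem in findings:
        print(f"  {item}: {problem}")
```

Entries it flags are the ones to rotate right after import, using the extension's password generator.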
Step 6: Set Up Admin Alerts and Activity Log Monitoring
Under Settings → Reporting, enable the Activity Log. This records every vault access event, password view, and member change. For nonprofits subject to grant compliance or audit requirements, export this log quarterly and store it with your compliance records.
Set up email alerts for:
- New device sign-ins
- Failed authentication attempts (5+ in 1 hour triggers a flag)
- Vault sharing outside the organization
1Password doesn't currently send Slack or Teams alerts natively in the Teams tier — that integration requires 1Password Business at $7.99/user/month (billed annually, no seat minimum). For most nonprofits, email alerts are sufficient.
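The "5+ failed attempts in 1 hour" rule applied to an exported log, as an added example that is not 1Password's own code: a per-user sliding window over sign-in events, useful when reviewing the quarterly export. The `timestamp,user,event` layout and the event names are hypothetical, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)
THRESHOLD = 5  # "5+ in 1 hour", the rule quoted in the alert list

# Constructed sample in a hypothetical "timestamp,user,event" layout;
# a real Activity Log export will have its own column names.
SAMPLE_LOG = """\
2024-03-04T08:00:00,bob@yourorg.org,signin_failed
2024-03-04T08:45:00,bob@yourorg.org,signin_failed
2024-03-04T09:00:00,alice@yourorg.org,signin_failed
2024-03-04T09:10:00,alice@yourorg.org,signin_failed
2024-03-04T09:20:00,alice@yourorg.org,signin_failed
2024-03-04T09:30:00,bob@yourorg.org,signin_failed
2024-03-04T09:30:00,alice@yourorg.org,signin_failed
2024-03-04T09:35:00,alice@yourorg.org,signin_ok
2024-03-04T09:40:00,alice@yourorg.org,signin_failed
2024-03-04T10:15:00,bob@yourorg.org,signin_failed
2024-03-04T11:00:00,bob@yourorg.org,signin_failed
"""

def flag_failed_signins(text):
    """Map each user to the time their 5th failure inside one hour occurred."""
    events = []
    for line in text.splitlines():
        if line.strip():
            stamp, user, event = line.strip().split(",")
            events.append((datetime.fromisoformat(stamp), user, event))
    recent = defaultdict(deque)   # user -> failure times still in the window
    flagged = {}
    for when, user, event in sorted(events):
        if event != "signin_failed":
            continue
        window = recent[user]
        window.append(when)
        while when - window[0] > WINDOW:
            window.popleft()      # drop failures older than one hour
        if len(window) >= THRESHOLD:
            flagged.setdefault(user, when)
    return flagged

if __name__ == "__main__":
    for user, when in flag_failed_signins(SAMPLE_LOG).items():
        print(f"{user}: {THRESHOLD}+ failed sign-ins within an hour by {when}")
```

In the sample, bob also has five failures, but they are spread over three hours and never reach the threshold inside one window.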
Verification — Confirm Everything Is Working
After completing setup, run through these checks:
- Vault isolation test: Log in as a general staff member and confirm you cannot see the Finance vault or any items in it.
- 2FA enforcement test: Attempt to sign in from a new browser session without an authenticator code — you should be blocked at the 2FA prompt.
- Password generation test: Use the 1Password extension to generate a new 20-character password with symbols, numbers, and mixed case. Confirm it saves to the correct vault automatically.
- Offboarding test: Suspend a test account (People → [Name] → Suspend). Confirm the suspended user cannot log in and receives an "account suspended" error.
- Emergency Kit test: Verify one team member can use their Emergency Kit PDF to recover access on a new device without involving the admin.
You should see: All five checks pass without error. If the vault isolation test fails and a general staff member can see the Finance vault, re-check the group assignment under People → Groups → Finance → Vaults.
Recommended Tools
1. 1Password — Best Overall for Nonprofits
1Password Teams is the pick I've consistently recommended for nonprofits, because its per-seat pricing, nonprofit discount pathway, and zero-knowledge architecture make it the most practical fit for organizations managing a mix of staff and volunteers.
Pricing:
- Teams: $19.95/month for 10 users, billed annually ($1.99/user/month for users 11+)
- Business: $7.99/user/month, billed annually, no seat minimum
- Nonprofit/TechSoup rate: approximately 30% off Teams, confirmed at signup through TechSoup portal
Encryption: AES-256-GCM for data at rest; TLS 1.3 in transit. Key derivation uses PBKDF2-SHA256 with your master password + Secret Key combined.
MFA: TOTP, WebAuthn/FIDO2, hardware security keys (YubiKey 5 Series, Google Titan). Duo push available on Business tier.
Audit: SOC 2 Type II certified; third-party penetration testing conducted annually. Bug bounty program active on HackerOne.
Jurisdiction: 1Password is headquartered in Toronto, Canada. Data is subject to PIPEDA and stored in AWS data centers.
Platforms: macOS, Windows, Linux, iOS, Android, Chrome, Firefox, Edge, Safari, Brave.
Honest limitation: Item-level permissions don't exist within a vault — access is all-or-nothing per vault. For large nonprofits with complex access hierarchies, this requires careful vault architecture.
2. Keeper Security — Best for Nonprofits Needing Compliance Documentation
Keeper Security is worth serious consideration if your nonprofit is subject to state-level privacy regulations, handles healthcare-adjacent data (see our guide to HIPAA-compliant password managers for more on that scenario), or needs a detailed compliance report for grant auditors.
Pricing:
- Keeper Business: $4.00/user/month, billed annually, 5-user minimum ($240/year for 5 users)
- Keeper Enterprise: $5.00/user/month, billed annually, 10-user minimum — adds SSO, advanced AD integration
- Nonprofit discount: Keeper offers verified nonprofit pricing through its sales team; publicly documented starting rate is 20% off Business tier ($3.20/user/month)
Encryption: AES-256-CBC for vault data; RSA-4096 for record-level key exchange between users. Key derivation uses PBKDF2-SHA256.
MFA: TOTP, WebAuthn/FIDO2, hardware keys (YubiKey), Duo, RSA SecurID, push notifications via Keeper DNA.
Audit: SOC 2 Type II, ISO 27001, FedRAMP Authorized (government cloud). Third-party audited by independent assessors annually.
Jurisdiction: Keeper is headquartered in Chicago, Illinois, USA. Subject to US law; EU data stored in EU data centers for GDPR compliance.
Platforms: macOS, Windows, Linux, iOS, Android, Chrome, Firefox, Edge, Safari.
Honest limitation: The admin console UI is more complex than 1Password's — expect a steeper learning curve for a volunteer or part-time IT admin.
3. NordPass — Best for Budget-Constrained Nonprofits
NordPass is the leanest option here in terms of price, and it's part of the Nord Security ecosystem (same company as NordVPN — worth pairing with a VPN for your remote staff if you don't already have one).
Pricing:
- NordPass Teams: $1.79/user/month, billed annually, 10-user minimum ($214.80/year for 10 users)
- NordPass Business: $4.99/user/month, billed annually, no seat minimum
- Nonprofit pricing: Not publicly listed; contact Nord's sales team — the Teams tier's low base price makes it competitive even without a discount
Encryption: XChaCha20 for vault data (an alternative to AES-256 with equivalent security margin and better performance on devices without AES hardware acceleration). Key derivation uses Argon2id.
MFA: TOTP, hardware keys (FIDO2/WebAuthn), biometric authentication on mobile.
Audit: SOC 2 Type II by an independent auditor (2023). Nord Security overall subject to annual independent audits.
Jurisdiction: Nord Security is headquartered in Panama, with European operations in the Netherlands. GDPR-compliant for EU users.
Platforms: macOS, Windows, Linux, iOS, Android, Chrome, Firefox, Edge, Safari.
Honest limitation: NordPass lacks item-level sharing granularity and the activity log features on the Teams tier are less detailed than 1Password's or Keeper's — a meaningful gap if you need audit trails.
Troubleshooting
Issue 1: "Your invitation has expired" when a new team member tries to accept
Invitations expire after 7 days. In the admin console, go to People → [Member Name] → Resend Invite. The new link is valid for another 7 days. Tip: batch-invite staff during a scheduled onboarding session to prevent expiration delays.
Issue 2: "Secret Key not recognized" during new device login
The Secret Key is case-sensitive and hyphen-delimited (format: A3-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXX). Ask the user to locate their Emergency Kit PDF (printed during setup) and re-enter the key exactly. If the PDF is lost, an admin can revoke that device and the user can re-authenticate from a device where they're already signed in, then generate a new Emergency Kit from Account Settings.
Issue 3: Browser extension not auto-filling on a specific site (e.g., donor CRM)
Some single-page apps break standard form detection. Click the 1Password extension icon, search for the credential manually, and click the fill icon. Then go to the item in the vault, open Edit, and add the site's exact URL to the "Websites"