Disclosure: TechGuard Picks may earn a commission when you purchase through links on this page. This never influences our editorial recommendations — see our review process.

How to Set Up a Password Manager for Your Nonprofit Organization in 2026

1Password is the best password manager for nonprofit organizations in 2026. It offers a verified nonprofit discount that brings team pricing down to $19.95/month for up to 10 users (billed annually), includes SOC 2 Type II certification, AES-256-GCM encryption, and a Secrets Automation feature that helps small IT teams manage shared credentials without creating security gaps.


What You'll Need Before You Start

  • A nonprofit status verification document (Form 990, IRS determination letter, or equivalent in your country) — required to claim discounted pricing from most vendors
  • An admin email address tied to your organization's domain (not a personal Gmail or Yahoo address)
  • A list of your current shared credentials: social media logins, donor database access, email marketing accounts, cloud storage
  • A device running Windows 10/11, macOS 12 or later, iOS 16+, or Android 10+ for the initial admin setup
  • A browser: Chrome 110+, Firefox 115+, Safari 16+, or Edge 110+
  • 2–4 hours for initial setup and user onboarding

Step 1: Verify Your Nonprofit Discount Eligibility

Nonprofit discounts are not automatic — you have to apply separately from the standard signup flow.

For 1Password, go to 1password.com/nonprofits and submit your organization's EIN and a copy of your IRS determination letter. 1Password processes these through TechSoup in the United States, which typically takes 3–5 business days. Once approved, you receive a redemption link that applies the nonprofit rate ($19.95/month for up to 10 users, versus the standard $19.95/month Teams rate — the nonprofit tier removes the per-user overage charges up to 10 seats).

Common gotcha: If your domain email doesn't match your nonprofit's registered name exactly, the application will stall. Use the exact legal entity name from your IRS letter.

For Keeper Security, nonprofits can apply for a 50% discount through TechSoup as well. Standard Keeper Business pricing is $4.00/user/month billed annually with a 5-user minimum; the nonprofit rate brings this to approximately $2.00/user/month. Keeper's TechSoup listing requires a current membership — if yours has lapsed, renew it before applying.


Step 2: Create Your Admin Account and Organization Vault

Once your discount is confirmed:

  1. Click the redemption link emailed by 1Password and create your account using your organization domain email.
  2. Set a strong Master Password — minimum 16 characters. 1Password derives vault keys using PBKDF2-SHA256 with 650,000 iterations. Store the Emergency Kit PDF in a physical location (a locked filing cabinet at your office, not a personal Dropbox).
  3. Navigate to Settings → Vaults → Create New Vault.
  4. Create at minimum these three vaults: Operations (admin credentials, banking), Communications (social media, email platforms), Volunteers (credentials volunteers need read access to, such as scheduling tools).

Expected output: Your admin dashboard shows 3 vaults, 0 items, 1 member. The vault icons appear in the left sidebar of the 1Password desktop app.

Common gotcha: Do not use the default "Personal" vault for shared credentials. Personal vaults are not shareable. Only items stored in named organization vaults can be distributed to team members.


Step 3: Configure Multi-Factor Authentication

MFA should be enforced before you invite any users. A single compromised account without MFA can expose every vault that account has access to.

In 1Password admin console: Settings → Security → Two-Factor Authentication → Require for all team members.

1Password supports:

  • TOTP (any RFC 6238-compliant app: Authy, Google Authenticator, Microsoft Authenticator)
  • WebAuthn / FIDO2 (hardware keys: YubiKey 5 series, Google Titan)
  • Duo Security push notifications (Business plan and above)

For most nonprofits, enforcing TOTP is the minimum acceptable baseline. If your organization handles donor payment data or protected health information, require hardware keys for at least the 2–3 admin accounts.

Common gotcha: If a staff member loses access to their TOTP device, admins cannot bypass MFA on their behalf — they must use the account recovery flow. Test this flow before you're in a crisis. Go to Settings → Security → Account Recovery and enable the admin-assisted recovery option.


Step 4: Import Existing Passwords

Collect current credentials from your team before migrating — this is usually the messiest part.

  1. Ask each staff member to export their browser-saved passwords: Chrome → chrome://password-manager/passwords → Download icon. Firefox → about:logins → three-dot menu → Export Logins. Save as CSV.
  2. In 1Password admin: File → Import → Select format (1Password, CSV, LastPass, Bitwarden, Dashlane, Keeper, RoboForm). 1Password's importer handles all of these natively.
  3. After import, review the Watchtower section (Security → Watchtower) which flags weak passwords, reused passwords, and known breached credentials. Resolve critical flags before completing onboarding.

Expected output: Watchtower dashboard shows a count of vulnerable, reused, and weak passwords. In my experience with a 15-person nonprofit migration, the first scan typically surfaces 30–60 reused passwords — many of them shared department accounts that have never been rotated.

Common gotcha: CSV imports from Chrome do not preserve folder structure. All imported items land in a flat list in 1Password. Manually move them into the correct vaults (Operations, Communications, Volunteers) before inviting users, or you'll spend the next week answering "where did my password go" emails.
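
One way to pre-sort the exports and spot reuse before importing, as an added example (not code from this guide or from 1Password). It assumes the Chrome export uses the columns name, url, username, password, note; the domains and routing rules are hypothetical.

```python
import csv
import hashlib
import hmac
import io
import os
from collections import defaultdict
from urllib.parse import urlsplit

# Assumed routing rules (hypothetical domains): site suffix -> vault from Step 2.
VAULT_RULES = {
    "bank.example": "Operations",
    "social.example": "Communications",
    "scheduling.example": "Volunteers",
}

# Constructed sample in the column layout Chrome's export is assumed to use.
SAMPLE_CSV = """name,url,username,password,note
Bank,https://online.bank.example/login,finance@npo.example,Spring2019!,
Social,https://social.example/,comms@npo.example,Spring2019!,
Scheduler,https://app.scheduling.example/,vols@npo.example,k7#Vq9wLm2xT,
Newsletter,https://mail.other.example/,comms@npo.example,Spring2019!,
"""

def vault_for(url, rules=VAULT_RULES):
    """Pick a vault by hostname suffix; unknown sites need a manual decision."""
    host = (urlsplit(url).hostname or "").lower()
    for suffix, vault in rules.items():
        # Match the domain itself or a true subdomain, never a lookalike prefix.
        if host == suffix or host.endswith("." + suffix):
            return vault
    return "UNSORTED"

def audit(csv_text, rules=VAULT_RULES):
    """Return (reused, by_vault) without ever emitting a password."""
    key = os.urandom(32)  # per-run HMAC key: fingerprints are useless afterwards
    groups, by_vault = defaultdict(list), defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        tag = hmac.new(key, row["password"].encode(), hashlib.sha256).digest()
        groups[tag].append(row["name"])
        by_vault[vault_for(row["url"], rules)].append(row["name"])
    reused = sorted(sorted(names) for names in groups.values() if len(names) > 1)
    return reused, dict(by_vault)

if __name__ == "__main__":
    reused, by_vault = audit(SAMPLE_CSV)
    for names in reused:
        print("same password on:", ", ".join(names))
    for vault, names in sorted(by_vault.items()):
        print(f"{vault}: {', '.join(names)}")
```

The exported CSV files hold every password in plaintext, so run this on the admin machine only and delete the exports once the import is verified.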


Step 5: Invite Staff and Set Vault Permissions

Navigate to People → Invite by Email. Paste a list of staff email addresses (one per line). 1Password sends each person an invitation link valid for 14 days.

Set vault access per role:

  • Executive Director / Finance: Full access to Operations and Communications vaults
  • Program Staff: Read/write to Communications; read-only to Operations items they need
  • Volunteers: Read-only access to a dedicated Volunteers vault containing only the 2–4 credentials they require

Common gotcha: Do not give volunteers admin roles or access to payment credentials. Create a separate Volunteers vault with exactly what they need and nothing else. When a volunteer departs, suspend their account in People → [Name] → Suspend — this immediately revokes access without deleting audit history.


Step 6: Install Browser Extensions and Mobile Apps

Send staff this exact checklist:

  • Desktop: Install 1Password for Windows or macOS
  • Browser extension: 1Password for Chrome, Firefox, Safari, or Edge (search "1Password" in each browser's extension store — the official publisher is "1Password")
  • Mobile: 1Password for iOS (App Store) or Android (Google Play) — requires iOS 16+ or Android 10+
  • Biometric unlock: Enable Face ID / Touch ID in Settings → Security → Unlock with Biometrics to reduce friction for daily use

Verification: What a Successful Setup Looks Like

After completing all steps, confirm the following:

  • Admin dashboard shows: All invited members with "Active" status (not "Pending")
  • Watchtower shows: Zero "Compromised passwords" items
  • MFA report shows: 100% of active members have MFA enrolled (check under Reports → MFA Status)
  • Vault access audit: Each vault shows only the intended members under Vault → Manage Access
  • Test login: Have one non-admin staff member attempt to log into a credential they shouldn't have access to — confirm they receive an "Access Denied" message, not the password

Recommended Tools for Nonprofit Password Management

1Password Teams — Best Overall for Nonprofits

1Password is headquartered in Toronto, Canada, governed under PIPEDA and Canadian federal privacy law, with data stored in AWS infrastructure. It uses AES-256-GCM encryption with PBKDF2-SHA256 (650,000 iterations) and a dual-key model (Master Password + Secret Key) that means 1Password never has enough information to decrypt your vault even if their servers are breached.

Pricing:

  • Teams: $19.95/month for up to 10 users, billed annually (nonprofit rate via TechSoup)
  • Business: $7.99/user/month billed annually, unlimited users (nonprofit discount negotiable directly)
  • Families (for small all-volunteer orgs): $4.99/month for up to 5 members

Platforms: Windows, macOS, Linux, iOS, Android, Chrome, Firefox, Safari, Edge, Brave

MFA: TOTP, WebAuthn/FIDO2, Duo Security push

Audits: SOC 2 Type II (most recent report available on request via their security page)

Honest limitation: 1Password does not have a permanent free tier. If your nonprofit loses its TechSoup verification (e.g., status lapses), you revert to standard pricing without warning.

Try 1Password — best nonprofit discount, dual-key encryption, and volunteer permission controls.


Keeper Security — Best for Larger Nonprofits Needing Compliance Features

Keeper Security is headquartered in Chicago, Illinois, USA, subject to US law. It uses AES-256 encryption with PBKDF2-SHA256 key derivation. Keeper has completed SOC 2 Type II certification and ISO 27001 certification (auditor details available in their Trust Center).

Pricing:

  • Business: $4.00/user/month billed annually, 5-user minimum (standard)
  • Nonprofit rate via TechSoup: approximately $2.00/user/month for qualifying organizations
  • Enterprise (BreachWatch + Advanced Reporting): $5.00/user/month billed annually starting price — contact sales for volume discounts

Platforms: Windows, macOS, Linux, iOS, Android, Chrome, Firefox, Safari, Edge

MFA: TOTP, WebAuthn/FIDO2, YubiKey (hardware), Duo, RSA SecurID, SMS (not recommended)

Honest limitation: Keeper's admin console has a steeper learning curve than 1Password's. For nonprofits with no dedicated IT staff, expect 1–2 hours of additional setup time navigating role enforcement policies.

For organizations operating in healthcare-adjacent roles (community health nonprofits, patient advocacy groups), our Best Password Manager for Healthcare & HIPAA Compliance in 2026 covers Keeper's HIPAA-eligible configuration in detail.

Try Keeper Security — stronger compliance reporting, good choice once you exceed 20 staff accounts.


Dashlane — Best for Nonprofits with No Technical Admin

Dashlane is headquartered in New York, USA. It uses AES-256 encryption with Argon2d key derivation, which is more resistant to GPU-based brute force than PBKDF2. Dashlane completed a SOC 2 Type II audit (reported on their security whitepaper, available at dashlane.com/security).

Pricing:

  • Starter: $20/month for up to 10 users, billed annually (no nonprofit discount as of 2026)
  • Business: $8.00/user/month billed annually
  • Business Plus: $10.00/user/month billed annually

Platforms: Windows, macOS, iOS, Android, Chrome, Firefox, Safari, Edge (no native Linux desktop app)

MFA: TOTP, WebAuthn/FIDO2, passkeys

Honest limitation: Dashlane does not currently offer a verified nonprofit discount program through TechSoup or direct application. At $8.00/user/month for teams larger than 10, it becomes one of the pricier options for budget-constrained nonprofits.

Try Dashlane — Argon2d key derivation and the cleanest onboarding UI of any tool I tested.

If you're evaluating tools across your whole organization, our Best Enterprise Password Manager Review (2026) has side-by-side feature comparisons including Dashlane's admin console.


Troubleshooting

Error: "Invitation link has expired"

1Password invitation links expire after 14 days. Go to People → [Staff Name] → Resend Invitation. If the staff member already clicked the link but didn't finish setup, their account is in "Pending" state — resend works the same way.

Error: "You don't have permission to access this vault"

The user's role was not granted access to the vault in question. Go to Vaults → [Vault Name] → Manage Access and confirm the user appears with at least "Can view" permission. Changes take effect within 60 seconds — no app restart required.

Error: "Master Password incorrect" on first login after migration

During migration, some users confuse their old LastPass or Bitwarden master password with their new 1Password Master Password. The fix: go to my.1password.com → Forgot Master Password → use the Emergency Kit (the PDF generated at account creation) to initiate recovery. If they don't have the Emergency Kit, admin-assisted recovery requires the admin to approve a request under People → [Name] → Account Recovery.

Error: "Two-factor authentication required" blocking a staff member

If a staff member loses their TOTP device and has no backup codes, the admin must temporarily disable MFA enforcement for that specific account: People → [Name] → Edit → Disable MFA requirement. Re-enable it after they set up a new TOTP app. Do not leave this open longer than 24 hours.

Browser extension not autofilling on a specific site

1Password's autofill matches on domain. If a site uses a subdomain (e.g., secure.donorplatform.org) but the saved credential is stored under donorplatform.org, autofill won't trigger. Edit the item in 1Password and add the subdomain as an additional website under Item → Edit → Add Website.


FAQ

Does 1Password offer a free plan for nonprofits?

1Password does not offer a permanent free tier for nonprofits. The nonprofit discount — bringing Teams pricing to $19.95/month for up to 10 users billed annually — requires verification through TechSoup and must be renewed if your TechSoup membership lapses. There is a 14-day free trial available to any organization before committing. For nonprofits that genuinely cannot afford $19.95/month, Bitwarden offers a free Teams tier for up to 2 users and $4.00/user/month for larger teams, though it is not covered in this guide.

What encryption do nonprofit password managers use, and is it strong enough?

All four tools covered here use AES-256 encryption for stored vault data, which is currently considered unbreakable by brute force with available computing resources. The more meaningful differentiator is key derivation: 1Password uses PBKDF2-SHA256 with 650,000 iterations, Keeper uses PBKDF2-SHA256, and Dashlane uses Argon2d — Argon2d offers stronger resistance to GPU-based attacks. For a nonprofit, AES-256 with any of these key derivation methods exceeds what most regulatory frameworks require, including those governing
