If it is a website where you are unable to add multiple users to an organization, LastPass has a password sharing feature that doesn't directly expose the password to the people you share it with. Although if someone cares enough, they will be able to find it.
Any time an employee leaves a company, all shared passwords should be reset. It doesn't matter if it was an amicable departure or not.
Here's an album with some screenshots from last year: http://imgur.com/a/ekoO2
Secrets: In a closed office, verbally.
"Passwords? No. We don't. Everything is a certificate or key."
"We have sets of accounts ... accessible to anyone who knows the well-known standard passphrase."
edit: video demo https://www.youtube.com/watch?v=CITq80gf6Hk
But I've also come across dozens of unprotected .xlsx and .txt files stored on group shares which give me shivers every time I see it.
Currently we use ssh keys to limit access to servers and code repositories so the perfect solution would allow passwords and such to be protected by similar means.
I believe gpg has a solution but I have not implemented it myself yet.
Price is right, though.
Passwords are designed to be human-interface memorized authentication tokens. Sharing it any other way than via human interaction just makes it a digital key, and real digital keys are much more secure than digital passwords. So share it via human medium, or rethink why you're using a password.
For passwords that can absolutely not be made user-specific, we use SimpleSafe (https://www.simplesafe.net/). It allows you to make groups of passwords and assign rights to those passwords, and has decent logging. It's web based and works OK on mobile.
These few passwords are for network devices, passwords for websites where only one account can be made, or master/root/administrator passwords that we don't use but need to write down somewhere just in case.
These are the keys to the kingdom, so it should be behind VPN/SSH, ideally completely isolated from your regular infrastructure, and with tested backup procedures.
1. Open source tool, you can run internally in your company. https://github.com/saravanacp/secureshareme
2. Very secure: it encrypts the data in the browser and the key is stored in the URL anchor tag (fragment), which is not sent to the server at any point in time. Only the sender and the receiver have access to the keys.
3. You can also opt to send a secondary verification code to receiver's mobile for two layers of security.
4. Option to self-destruct the message based on time or if an attack is detected.
Most of the external accounts (log analysis, analytics, CDN, etc.) have individual accounts, no sharing necessary, up to the individual to maintain complexity and remember the password.
For other services, certificates and multiple authentication methods (2FA) work out nicely.
But as you say, it's better not to have the secret at all.
That being said, we use personal accounts for all external services. All personal passwords are stored in 1Password.
(I'm one of the developers. It's a commercial SaaS service.)
Personally I use 1Password for storing passwords and it allows sharing vaults between users so as my team grows we might actually consider using these.
Cheap, effective and good security track record.