[ws66]

Shared passwords should always be an exception. Prefer SSO. However the exception will always exist, in which case:

Some suggest using KeePass or equivalent, but I advise against it - too easy to copy and leave with the vault and very difficult to audit.

Find a solution that audits who had access to such password. And do your audits!

Consider rotating your shared passwords frequently, especially any high privileged ones.

If your risks warrant it, check for a PAM (privileged access manager) that acts as a middlemen and fully hides the password.

I realize I am not really answering your questions, so I'll stop here. But... SSO and proper directory management!