We’ve seen a lot of password disasters over the years. Accounts compromised because someone reused a password from a data breach. Businesses locked out of systems because the only person who knew the password left the company. Security breaches that started with a weak password on a shared account.
Passwords are still the foundation of most security, but most businesses are doing them wrong. The good news? Fixing password management isn’t complicated and doesn’t have to be expensive.
Here’s what actually works, based on what we’ve seen help businesses improve their security without driving their employees mad.
What Makes a Password Actually Strong?
Forget everything you’ve heard about passwords needing special characters and numbers in specific patterns. Modern password advice is simpler: make it long, make it random, and make it unique.
A strong password should be at least 12 characters, but longer is better. Think 16 or even 20 characters. And it should be random, not a word from the dictionary, not your pet’s name, not your company name with a number at the end. Truly random.
Why? Because attackers use dictionaries and common patterns. “Password123!” looks complex, but it’s actually easy to crack because it follows predictable patterns. “xK9#mP2$vL8@qR4!” is much harder to crack, even though it’s the same length.
But nobody can remember truly random 16-character passwords. And you need different ones for every account. That’s where password managers come in.
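The three properties above (long, random, unique) are what a password manager's generator actually produces, and the "predictable pattern" point can be put in numbers. The following is an added example, not code from the article: it draws passwords with the operating system's cryptographic random source and compares the search space of a uniformly random password against a deliberately simple, constructed attacker model for "word + digits + symbol" passwords such as "Password123!". The dictionary size, symbol list and regex in that model are assumptions for illustration, not figures from the article.

```python
import math
import re
import secrets
import string
from typing import Optional

# Character set for generated passwords: upper, lower, digits, punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 16) -> str:
    """Draw each character uniformly with the OS CSPRNG.

    secrets.choice is the right tool here; random.choice is seeded predictably
    and must never be used for anything secret.
    """
    if length < 12:
        raise ValueError("use at least 12 characters; 16 or more is better")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def random_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).

    Every extra character adds ~6.55 bits with a 94-symbol alphabet, which is
    why length buys far more than mixing character classes.
    """
    return length * math.log2(alphabet_size)


# Constructed attacker model (an assumption for this example, not from the article):
# a password shaped like word + 1-4 digits + optional symbol is guessed from a
# 10,000-word dictionary, with or without a leading capital, then the digits,
# then one of ten common symbols. Real cracking rule sets are larger and smarter.
DICTIONARY_SIZE = 10_000
COMMON_SYMBOLS = "!@#$%^&*?."
WORD_DIGITS_SYMBOL = re.compile(
    r"^[A-Za-z]{3,}\d{1,4}[" + re.escape(COMMON_SYMBOLS) + r"]?$"
)


def pattern_entropy_bits(password: str) -> Optional[float]:
    """Effective search space in bits if the password fits the word+digits+symbol shape.

    Returns None when the password does not match, i.e. this simple model does
    not apply and the uniform estimate is the better guide.
    """
    if not WORD_DIGITS_SYMBOL.match(password):
        return None
    digit_count = sum(ch.isdigit() for ch in password)
    symbol_choices = len(COMMON_SYMBOLS) if password[-1] in COMMON_SYMBOLS else 1
    search_space = DICTIONARY_SIZE * 2 * 10 ** digit_count * symbol_choices
    return math.log2(search_space)


if __name__ == "__main__":
    weak = "Password123!"
    strong = "xK9#mP2$vL8@qR4!"
    print(f"{weak!r}: pattern model {pattern_entropy_bits(weak):.1f} bits "
          f"(naive character count would suggest {random_entropy_bits(len(weak)):.1f})")
    print(f"{strong!r}: no pattern match, uniform {random_entropy_bits(len(strong)):.1f} bits")
    print("freshly generated:", generate_password(20))
```

Under this model "Password123!" sits in a space of roughly 2^28 guesses, which is well within reach of an offline cracking run, while a 16-character uniformly random password sits near 2^105. The gap comes from randomness, not from the characters used.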
Password Managers: The Game Changer
We recommend password managers to every business we work with. They solve the fundamental problem: you can’t remember dozens of strong, unique passwords, but you need them anyway.
How they work: you install a password manager (like Bitwarden, 1Password, or LastPass), which stores all your passwords in an encrypted vault. You only need to remember one master password to unlock the vault. The password manager generates strong, random passwords for all your accounts and fills them in automatically when you log in.
Most password managers work across devices: your computer, phone, tablet. They sync through the cloud (encrypted, of course), so your passwords are available wherever you need them.
The business versions let you share passwords securely with team members. Need to share access to a service account? Share it through the password manager. When someone leaves, you can revoke their access instantly. No more “who has the password?” conversations.
Cost? Many have free versions for personal use, and business plans usually start around £3-5 per user per month. That’s cheap compared to the cost of a security breach.
Multi-Factor Authentication: Your Safety Net
Even with strong passwords, you should enable multi-factor authentication (MFA) on important accounts. MFA requires a second form of verification beyond your password, usually a code from your phone or an app.
Why it matters: if someone gets your password (through a data breach, phishing, or whatever), they still can’t get in without your phone. It’s like having a deadbolt in addition to your front door lock.
Enable MFA on everything important: email accounts, cloud services, banking, customer management systems, anything with sensitive data. Most services offer it for free these days, and it takes about two minutes to set up.
We know it’s annoying to have to grab your phone every time you log in. But the slight inconvenience is worth the security. Most services let you “remember this device” so you don’t have to do it every single time.
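The "code from your phone or an app" is almost always a TOTP code (RFC 6238): the app and the service share a secret at enrolment, and both compute a short code from that secret and the current 30-second window. The block below is an added example, not code from the article or from any of the products it names; it implements the RFC 6238 computation and the verification side a service would run, using the RFC's own published test secret (not a real credential). The small drift window, constant-time comparison and replay refusal are the details worth copying.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP_SECONDS = 30  # authenticator apps rotate the code every 30 seconds


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the current time-step counter, dynamically truncated."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter: Optional[int] = None, window: int = 1) -> Optional[int]:
    """Check a submitted code; return the matched counter, or None if rejected.

    - window=1 tolerates one step of clock drift either way between phone and server.
    - compare_digest avoids leaking how many digits matched through timing.
    - A counter at or below last_counter is refused, so a code that was already
      accepted cannot be replayed within its window.
    """
    for drift in range(-window, window + 1):
        t = unix_time + drift * STEP_SECONDS
        counter = t // STEP_SECONDS
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(totp(secret, t), submitted):
            return counter
    return None


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret shown at enrolment (spaces and padding optional)."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


# RFC 6238 Appendix B test secret (ASCII "12345678901234567890"); not a real credential.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    print("code for the current window:", totp(RFC_TEST_SECRET, now))
    print("code at t=59 (RFC 6238 vector, expect 287082):", totp(RFC_TEST_SECRET, 59))
```

The service stores the secret and the last accepted counter per user; the phone only needs the secret and a reasonably accurate clock, which is why it keeps working with no signal.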
When to Change Passwords (And When Not To)
Old advice said to change passwords every 90 days. New advice says that’s actually counterproductive. It leads people to use weaker passwords or write them down because they can’t remember new ones every three months.
Instead, change passwords when:
- You know or suspect a password has been compromised
- An employee who had access leaves the company
- There’s been a security incident
- A service you use has had a data breach (check haveibeenpwned.com to see if your email has been in any breaches)
For critical accounts (like admin accounts or financial systems), consider changing passwords annually as a precaution. But for most accounts, if the password is strong and unique and you have MFA enabled, you don’t need to change it regularly.
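The article points at haveibeenpwned.com for checking an email address; the same service also lets you check whether a specific password has appeared in a breach, and the example below goes one step beyond the text to show how that check is designed so the password itself never leaves your machine. This is an added example, not code from the article or from the service: the password is hashed with SHA-1 locally, only the first five hex characters of the hash are sent to the range endpoint, and the full hash suffix is matched against the returned list on your side. No network call is made here; the response for the prefix is a constructed stand-in, and the breach counts in it are made up.

```python
import hashlib
from typing import Callable, Dict, Tuple

# Real endpoint of the Pwned Passwords range API; shown for reference, not called here.
RANGE_API = "https://api.pwnedpasswords.com/range/"


def split_for_range_query(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split the hex digest: 5-char prefix to send, 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines the range endpoint returns for one prefix."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appeared in known breaches (0 if never seen).

    fetch_range(prefix) must return the response body for RANGE_API + prefix;
    it is injected so the lookup can be tested without network access.
    """
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# Constructed stand-in for the network call: lines of the shape the API returns
# for prefix 5BAA6 (the SHA-1 prefix of "password"). The counts are invented.
CONSTRUCTED_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
        "0000000000000000000000000000000000A:2\n"
    ),
}


def fake_fetch_range(prefix: str) -> str:
    return CONSTRUCTED_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "xK9#mP2$vL8@qR4!"):
        prefix, _ = split_for_range_query(candidate)
        print(f"{candidate!r}: sends only prefix {prefix}, "
              f"seen in breaches {breach_count(candidate, fake_fetch_range)} times")
```

In a real deployment `fetch_range` would perform an HTTPS GET against `RANGE_API + prefix`; because every prefix covers hundreds of hashes, the service learns only that one of those hashes was of interest, not which one.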
Creating a Password Policy That Works
You need a written password policy. Not because it’s fun (it’s not), but because it sets clear expectations and prevents arguments later.
Your policy should cover:
- Password requirements (length, complexity, though with a password manager this is less important)
- When passwords must be changed
- How passwords should be shared (through a password manager, never via email or chat)
- What to do if a password is compromised
- Requirements for MFA on certain accounts
Keep it simple and practical. A policy that’s too strict will be ignored. A policy that’s too vague won’t help. Find the middle ground that actually works for your business.
And make sure everyone knows about it. Don’t just email it once and forget it. Mention it in team meetings, include it in onboarding for new employees, and reference it when security issues come up.
Common Mistakes to Avoid
We’ve seen businesses make the same mistakes over and over. Here’s what to avoid:
Sharing passwords via email or chat. Email isn’t secure, and chat messages can be saved or forwarded. Use a password manager for sharing, or if you must share temporarily, do it over the phone and change the password immediately after.
Writing passwords on sticky notes. We know it’s convenient. But sticky notes get lost, photographed, or seen by the wrong people. If you must write something down, keep it in a locked drawer, and use it as a reminder to check your password manager, not as the actual password.
Reusing passwords. This is the big one. If you use the same password everywhere, and one service gets breached, attackers have access to everything. Every account needs a unique password. This is why password managers are so valuable. They make it easy to have unique passwords without the mental overhead.
Storing passwords in unencrypted files. A spreadsheet called “passwords.xlsx” on your desktop is not secure. Neither is a Word document. If you’re going to store passwords digitally, use a proper password manager with encryption.
Getting Your Team On Board
Password management only works if everyone does it. Getting buy-in from your team is crucial.
Start by explaining why it matters. Not in scary terms, but in practical ones. “If our email gets compromised, we could lose access to customer communications. Strong passwords and MFA prevent that.”
Make it easy. Provide a password manager for the business, train people on how to use it, and be available to help when they have questions. The easier you make it, the more likely people are to actually do it.
Lead by example. If you’re using weak passwords or skipping MFA, your team will too. Show that you’re taking it seriously, and they’ll follow.
Making It Happen
Good password management isn’t complicated, but it does require some setup and ongoing attention. You need to choose a password manager, set it up for your team, create policies, and make sure everyone actually uses it.
If you’re not sure where to start, or if you want help implementing password management across your business, get in touch. We’ve helped businesses set up password management systems that actually work and can help you too.
