
Passwords and Password Managers: Getting the Basics Right

Compromised passwords are the entry point for a remarkable proportion of cyber incidents. Credential stuffing attacks — where criminals test vast lists of username and password combinations harvested from unrelated breaches against your business services — succeed because people reuse passwords. Brute-force attacks succeed because people choose predictable ones. Phishing succeeds partly because people use the same password on the fake site as on the real one.

The password problem is well understood. The practical challenge is that the traditional advice — use a long, complex, unique password for every account — is simply not humanly achievable without a tool to manage it. That tool is a password manager, and this post covers how to choose one, how to deploy it, and what a robust password policy looks like for a small business.

What Makes a Password Strong?

Password strength is primarily a function of length and unpredictability. Modern guidance from the National Cyber Security Centre (NCSC) has moved away from complex character requirements — mandating a mix of uppercase, lowercase, numbers, and symbols — towards emphasising length and avoiding predictable patterns.

The NCSC's current recommendation for passwords that don't benefit from MFA is a minimum of 12 characters, ideally longer. Passphrases — three or four random words combined — are both highly secure and considerably more memorable than a string of random characters: "correct-horse-battery-staple" is harder to crack than "P@ssw0rd!" and significantly easier to remember.
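The following is an added example, not code from the original post: a small Python policy checker that applies the guidance above (12-character minimum, blocklist of predictable passwords, passphrases generated from a word list, entropy estimates). The word list and blocklist are short, constructed stand-ins; the entropy functions take the real list sizes as parameters.

```python
import math
import secrets
import string

# Constructed stand-in for a real diceware list (a real list has ~7776 words).
WORDLIST = ["correct", "horse", "battery", "staple", "orbit", "velvet", "canyon", "lantern"]
# Constructed sample of a common/breached-password blocklist; a real deployment
# would load a much larger list derived from a breach corpus.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}
MIN_LENGTH = 12  # NCSC floor for passwords not protected by MFA
# Leetspeak substitutions so "P@ssw0rd" normalises to "password" before lookup.
LEET = str.maketrans("@40$13", "aaosie")


def entropy_bits_random_chars(length: int, charset_size: int) -> float:
    """Bits of entropy if each character is chosen uniformly at random."""
    return length * math.log2(charset_size)

def entropy_bits_passphrase(word_count: int, wordlist_size: int) -> float:
    """Bits of entropy if each word is chosen uniformly from the word list."""
    return word_count * math.log2(wordlist_size)

def generate_passphrase(word_count: int = 4, words=WORDLIST, sep: str = "-") -> str:
    """Build a passphrase with a CSPRNG (secrets), never random.choice."""
    return sep.join(secrets.choice(words) for _ in range(word_count))

def normalise(password: str) -> str:
    """Lower-case, undo leetspeak and strip surrounding punctuation."""
    return password.lower().translate(LEET).strip(string.punctuation)

def check_policy(password: str) -> list[str]:
    """Return the reasons a password fails the policy; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalise(password) in COMMON_PASSWORDS:
        problems.append("matches a common/breached password after normalisation")
    if any(password[i] == password[i + 1] == password[i + 2] == password[i + 3]
           for i in range(len(password) - 3)):
        problems.append("contains a run of four or more identical characters")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd!", "correct-horse-battery-staple", generate_passphrase()]:
        print(candidate, check_policy(candidate) or "OK")
    print(round(entropy_bits_random_chars(9, 94), 1), "bits for 9 random printable chars")
    print(round(entropy_bits_passphrase(4, 7776), 1), "bits for 4 diceware words")
```

The entropy figures only hold when every character or word is chosen uniformly at random; a human-chosen "P@ssw0rd!" has far less than the 59 bits a 9-character random string would, which is why the blocklist check matters more than character-class rules.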

What genuinely weakens passwords:

Why You Need a Password Manager

A password manager is software that generates, stores, and auto-fills strong, unique passwords for every account. The user needs to remember only one master password — the password manager handles everything else. For most people and most organisations, the adoption of a password manager is the single most impactful credential security improvement available.

Without a password manager, staff face an impossible choice: memorise different complex passwords for dozens of accounts, or reuse the same password across many accounts. Almost everyone, in practice, does the latter. A password manager removes this trade-off entirely: every account gets a genuinely unique, cryptographically random password, and the user never needs to know what most of them are.

The secondary benefit is visibility: a password manager shows users when they have reused a password, when a password is weak, and — in most business-grade products — when a password has appeared in a known breach database. This provides a clear, actionable view of credential hygiene without requiring manual auditing.

Choosing a Password Manager for Your Business

For a small business, the key considerations when choosing a password manager are:

Well-regarded business password managers include 1Password Teams, Bitwarden Teams (open source and highly audited), and Dashlane Business. Pricing is typically in the range of £4–8 per user per month — a modest cost against the risk it mitigates.

Rolling Out a Password Manager Across Your Business

A password manager rollout fails if it feels like an imposition. Staff who don't understand why they're being asked to change their habits won't use it consistently — they'll save passwords in their browser instead, or keep a spreadsheet. Communicate the reason clearly: this tool makes their lives easier, not harder, once they've invested the initial setup time.

The practical rollout: choose a product, sign up for a business account, and invite staff. Ask each person to install the browser extension and mobile app, and to import any passwords their browser has already saved. Set a date — typically two weeks from rollout — by which all accounts should be saved to the password manager and any reused passwords changed.

Prioritise the high-value accounts first: email, VPN, cloud services, banking, and any system holding client or personal data. Once the habit is established, staff will naturally use the password manager for new accounts going forward.

Administrator and Shared Accounts

Two password scenarios warrant specific attention. Administrator accounts — those with elevated privileges over your IT infrastructure — should have longer, more complex passwords than standard accounts, and should never share passwords with any other account the administrator uses. The password manager makes this straightforward.

Shared accounts — where multiple people use the same username and password for a service — should be eliminated where possible. Individual accounts provide accountability: you can see who did what, and you can revoke access for one person without affecting others. Where shared accounts are genuinely unavoidable, store the shared credentials in the password manager's shared vault rather than circulating them by email or messaging.

Credentials in the Dark Web. Monitoring That Catches Them.

Even with strong, unique passwords and a password manager, credentials can be compromised through phishing or service breaches. SOC in a Box includes continuous dark web monitoring for your domain and staff credentials — alerting your named analyst the moment a credential associated with your organisation appears in a criminal marketplace or breach database.
