[Image: A key ring with one brass key among several, illustrating unique passwords]

The Password Talk You Need to Have With Your Team

Every engagement reaches a moment where I have to give the password talk. I can usually tell it is coming because someone, trying to be helpful, mentions the spreadsheet. The one with all the logins in it. Or the sticky note under the keyboard. Or the fact that the whole office uses the same password for the shared accounts, and it is the company name with an exclamation point.

I am not going to lecture you about uppercase letters and special characters. That advice is mostly out of date anyway; even NIST dropped the composition rules from its guidance back in 2017. I want to tell you the one thing that actually matters, and the one tool that makes it painless.

The real problem is reuse, not weakness

Here is how most small business accounts actually get broken into. Some unrelated company you signed up with years ago gets breached, and your email and password end up on a list that gets traded around. Attackers feed that list to automated tools that try the same email and password against everything: your Microsoft 365, your bank, your payroll. The trade calls this credential stuffing. If you reused that password, they are in. They did not crack anything. They just tried a key you already gave away.

This is why a “strong” password you use in ten places is weaker than a random one you use once. The strength of the password barely matters once it has leaked somewhere else, and the weakest site you ever used it on decides how safe the other nine are. What matters is that every account has its own, so one leak stays contained to one account.
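The replay described above, as an added example that is not part of the original post: a short Python script that audits a logins spreadsheet for reuse. It assumes the spreadsheet has been exported to CSV with site, username and password columns (an assumption; adjust the header names to match your export). The rows are constructed for the example. The report shows which accounts fall together if any one of them leaks, and which accounts an attacker gets by replaying a single leaked email and password pair.

```python
"""Audit a logins spreadsheet for password reuse.

Added example, not code from the original post. Assumes a CSV export with
the columns site, username, password (an assumption about the export
format). The sample rows below are constructed for the example.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: the kind of spreadsheet the post describes, including
# the company name with an exclamation point reused across the accounts.
SAMPLE_CSV = """site,username,password
Microsoft 365,alice@example.com,Acme2019!
Bank,Alice@Example.com,Acme2019!
Payroll,alice@example.com,Acme2019!
Old forum,alice@example.com,Acme2019!
Supplier portal,office@example.com,Acme2019!
Social media,bob@example.com,hunter2
Newsletter tool,bob@example.com,hunter2
CRM,carol@example.com,xk4-Vt9-qL2p-wm7
"""


def load_logins(csv_text):
    """Parse the exported spreadsheet.

    Usernames are trimmed and lower-cased so that Alice@Example.com and
    alice@example.com compare as the same login, which is how an attacker
    replaying a leak would treat them. Passwords are compared exactly.
    """
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "site": r["site"].strip(),
            "username": r["username"].strip().lower(),
            "password": r["password"],
        })
    return rows


def reuse_report(rows):
    """Group accounts by password and keep only the passwords used more than once.

    Returns {password: [(site, username), ...]} ordered by blast radius,
    largest group first. Every group is the set of accounts that fall
    together the day that one password shows up in a breach dump.
    """
    groups = defaultdict(list)
    for r in rows:
        groups[r["password"]].append((r["site"], r["username"]))
    reused = {pw: accts for pw, accts in groups.items() if len(accts) > 1}
    return dict(sorted(reused.items(), key=lambda kv: -len(kv[1])))


def stuffing_hits(rows, leaked_username, leaked_password):
    """Simulate credential stuffing with one leaked (username, password) pair.

    The attacker tries the pair on every site; every account that uses the
    same login and password is a hit, including the site the pair leaked from.
    """
    user = leaked_username.strip().lower()
    return sorted(
        r["site"] for r in rows
        if r["username"] == user and r["password"] == leaked_password
    )


if __name__ == "__main__":
    logins = load_logins(SAMPLE_CSV)
    for pw, accounts in reuse_report(logins).items():
        print(f"password reused on {len(accounts)} accounts:")
        for site, user in accounts:
            print(f"    {site} ({user})")
    # Suppose the old forum was breached and alice's password was in the dump.
    print("one leaked pair opens:", stuffing_hits(logins, "alice@example.com", "Acme2019!"))
```

Run it against a real export and the reuse report is the list of passwords to change first; the largest group is where a single leak does the most damage. Delete the export once the accounts are in the manager, since the file is the plaintext of everything.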

Nobody can do this in their head

The honest reason people reuse passwords is that the alternative is impossible. No human can remember sixty unique random passwords. So they cope: they reuse, they write them down, they keep the spreadsheet. Every one of those coping strategies is the actual vulnerability.

The fix is to stop asking people to do an impossible thing. A password manager remembers the passwords so your team does not have to. Each person memorizes one strong passphrase, the manager generates and stores a different random password for every account, and it fills logins in automatically. That autofill is a quiet security win of its own: the manager only fills a password on the site it was saved for, so a lookalike phishing page gets nothing. It is genuinely less work than what most offices do now, which is the part people do not believe until they try it for a week.

What to actually do

  • Pick a reputable password manager with a business plan, so you can share specific logins with specific people and pull access instantly when someone leaves. Rotate any shared password that person could see, since revoking access does not erase what they may have copied.
  • Get rid of the shared-password accounts. Give people their own logins where you can, which also means the audit trail names a person instead of “the office”. Where you genuinely must share, share it through the manager, never over text, email or a spreadsheet.
  • Turn on multi-factor authentication on the accounts that matter most, especially email, since email is where every other password reset lands. An authenticator app or a hardware key is better than SMS codes, which can be intercepted or SIM-swapped. A password manager and MFA together make stolen passwords nearly useless.
  • Use a long passphrase for the one password you still memorize, and protect the manager itself with MFA, since it now guards everything else. Four or five random words beat a short string of symbols, and you can actually remember it. Random means picked by the manager or by dice, not a line from a song.

The week that changes their mind

The pushback is always the same: this sounds like more work. So I ask for one week. By day three, people stop typing passwords at all, the logins just fill themselves, and the spreadsheet starts to look insane in hindsight. By the end of the week nobody wants to go back.

You do not need to be a security expert to close the most common door attackers walk through. You need to stop reusing passwords, and you need a tool that makes that realistic for actual humans. That is the whole talk. Now go find the spreadsheet, move everything in it into the manager, and put it out of its misery.

