The Password Problem in Small Businesses
Here is a scenario that plays out every day: an employee at a 15-person company reuses their personal email password for their work VPN. That password was exposed in a data breach two years ago. An attacker finds it in a leaked database, tries it against the company VPN, and gains access to the entire network.
This is not a hypothetical — it is the most common way small businesses get breached. According to Verizon's Data Breach Investigations Report, 80% of hacking-related breaches involve compromised credentials. And in small businesses, the problem is usually passwords that are weak, reused, or shared.
Rule 1: Use a Password Manager
The single most impactful change a small business can make is adopting a password manager for every employee. Tools like 1Password Business, Bitwarden, and Keeper generate unique, complex passwords for every account and store them securely. Employees only need to remember one master password.
Why this works: it eliminates password reuse entirely. If one service gets breached, the compromised password does not work anywhere else because every password is unique.
Implementation tip: set up the password manager for the whole team, create shared vaults for company accounts (billing, social media, vendor portals), and make it policy that all work passwords must be stored in the manager — not in browsers, not in spreadsheets, not on sticky notes.
Rule 2: Require Multi-Factor Authentication
Passwords alone are not enough. Multi-factor authentication (MFA) adds a second verification step — usually a code from an authenticator app or a push notification — that makes stolen passwords useless.
MFA should be mandatory on:
- Email (this is the highest priority — email access lets attackers reset passwords on every other service)
- VPN and remote access
- Cloud storage and file sharing
- Financial and billing systems
- Any admin console or dashboard
Avoid SMS-based MFA when possible — it is vulnerable to SIM-swapping attacks. Authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) are more secure and just as easy to use.
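To make concrete what an authenticator app actually does, and why a stolen password on its own gets an attacker nowhere, here is an added example (not code from this article or from any of the products named above) of the RFC 4226/6238 one-time-code algorithm those apps implement, together with the server-side check that accepts a code only within a short time window and only once. The secret is the published RFC test secret so the output can be compared against the standard's test vectors; a real service generates a random secret per user at enrollment.

```python
import hashlib
import hmac
import struct

# RFC test secret (ASCII "12345678901234567890"), used only so the codes
# match the published vectors. Real deployments use a random per-user secret.
RFC_TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' down to a fixed number of decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP where the counter is the number of 30-second steps
    since the Unix epoch. This is what the phone app computes and displays."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """What the login server does with the six digits the user types.

    - Accepts the code for the current step or one step either side, to
      tolerate clock drift between the phone and the server.
    - Remembers the newest step it accepted, so a code that has already been
      used cannot be replayed: a captured code is good once, and only briefly.
    - Compares in constant time.
    """

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_accepted_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        # Reject malformed input before doing any cryptographic comparison.
        if not (code.isdigit() and len(code) == DIGITS):
            return False
        current = unix_time // STEP_SECONDS
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_accepted_step:
                continue  # already consumed, or older than a consumed step
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_accepted_step = step
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(RFC_TEST_SECRET)
    code = totp(RFC_TEST_SECRET, 59)                        # RFC vector: 287082
    print("first use accepted:", verifier.verify(code, 59))  # True
    print("replay accepted:   ", verifier.verify(code, 61))  # False
```

The replay guard is the part most home-grown verifiers forget: without it, a code phished from a user remains valid for the rest of its 30-second step plus the drift window.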
Rule 3: Set a Sensible Password Policy
Many small businesses either have no password policy or have an overly complex one that employees work around. A good policy balances security with usability:
- Minimum 12 characters — Length matters more than complexity. "correct-horse-battery-staple" is stronger than "X7#kQ2!".
- No forced rotations — NIST guidelines now recommend against forcing password changes every 30, 60, or 90 days. Forced rotation leads to predictable passwords like "Spring2026!" that are easily guessed.
- Check against breach databases — Password managers can warn employees if a password has appeared in a known breach.
- Block common passwords — The top passwords in small businesses are "Password123," "Company2026," and "Welcome1." Block these and similar patterns.
Rule 4: Never Share Passwords Over Email or Chat
This is one of the most common bad habits in small teams. Someone needs access to a vendor portal, so a colleague emails them the username and password. That email lives in both inboxes, potentially on both phones, and in the email provider's logs — forever.
Instead, use your password manager's shared vault feature. Grant access without revealing the actual password. If you must share a credential temporarily, change it immediately after use.
Rule 5: Offboard Properly
When an employee leaves, their access needs to be revoked immediately. This means:
- Disabling their VPN, email, and application accounts
- Changing any shared passwords they had access to
- Revoking their password manager access
- Removing their device from MDM enrollment
At NetrixIT, we include endpoint offboarding as part of our standard support. When a client tells us someone is leaving, we disable every account within minutes and update all shared credentials.
Start With a Password Audit
If you are not sure where your business stands, start with a password audit. Check for reused passwords, accounts without MFA, and credentials stored in insecure locations. NetrixIT can help — our network security assessment includes a credential exposure review. Contact us to schedule one.
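The three audit questions above (reuse, missing MFA, insecure storage) can be answered from a password manager's export or a hand-built inventory. Here is an added example, not code from this article or from NetrixIT, that runs those checks over a constructed sample inventory. Passwords are compared by SHA-256 digest rather than as plaintext so the report lists only account names, and the MFA check applies the article's priority list of services.

```python
import hashlib
from collections import defaultdict

# Constructed sample inventory (hypothetical accounts and values). A real
# export carries more fields; these are the ones the audit needs.
INVENTORY = [
    {"account": "Google Workspace (admin)", "category": "email",
     "password": "Welcome1", "mfa": True, "stored_in": "manager"},
    {"account": "Office VPN", "category": "vpn",
     "password": "Welcome1", "mfa": False, "stored_in": "manager"},
    {"account": "Dropbox Business", "category": "cloud",
     "password": "r4nd0m-long-unique-7Qx", "mfa": False, "stored_in": "browser"},
    {"account": "Bank portal", "category": "finance",
     "password": "Company2026", "mfa": True, "stored_in": "spreadsheet"},
    {"account": "Vendor portal", "category": "other",
     "password": "x9-unique-vendor-pass", "mfa": False, "stored_in": "manager"},
]

# Services where MFA is mandatory, in the article's priority order.
MFA_REQUIRED = ["email", "vpn", "cloud", "finance", "admin"]


def audit(inventory: list) -> dict:
    """Group accounts by password digest to find reuse, flag required-MFA
    services without MFA, and flag credentials kept outside the manager."""
    by_digest = defaultdict(list)
    missing_mfa, insecure_storage = [], []
    for entry in inventory:
        digest = hashlib.sha256(entry["password"].encode("utf-8")).hexdigest()
        by_digest[digest].append(entry["account"])
        if entry["category"] in MFA_REQUIRED and not entry["mfa"]:
            missing_mfa.append((MFA_REQUIRED.index(entry["category"]), entry["account"]))
        if entry["stored_in"] != "manager":
            insecure_storage.append(entry["account"])
    reused = sorted(sorted(accts) for accts in by_digest.values() if len(accts) > 1)
    return {
        "reused": reused,
        "missing_mfa": [name for _, name in sorted(missing_mfa)],
        "insecure_storage": insecure_storage,
    }


if __name__ == "__main__":
    for finding, items in audit(INVENTORY).items():
        print(f"{finding}: {items or 'none'}")
```

Every account that appears in the "reused" groups needs a fresh, unique password generated by the manager; rotating just one of them leaves the other still exposed.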