The Best Password Practices for Small and Medium-Sized Businesses

Data breaches are only increasing in number as 2021 continues, says the Identity Theft Resource Center. If your small or medium-sized business hasn’t recently evaluated your password practices, now is as good a time as any to do so. What are some password management tips for SMBs?

Here are 9 password best practices small and medium-sized businesses should use:

• Don’t reuse passwords across accounts

• Use a password manager

• Make passwords at least 16 characters long

• Avoid the keyboard strings everyone else uses

• Use multi-factor authentication

• Change a password when you have reason to think it’s compromised, not on a fixed schedule

• Store passwords as salted hashes, never in plain text

• Use a master (primary) password for your Internet browser

• If storing password data on your computer, encrypt it

As a small or medium-sized business, a data breach can be catastrophic and sometimes impossible to bounce back from if customer trust erodes that badly. The password best practices we’re about to discuss can safeguard your SMB from password theft moving forward.

Don’t Reuse Passwords Across Accounts

In today’s ultra-busy times, we have enough we’re juggling on our plates all at once. You have work deadlines to meet, your kids’ soccer practice to drop them off to (and pick them up from), and a variety of tasks to do around the house. 

You don’t want to have to dedicate more time thinking about your passwords than necessary, so yes, you reuse your email password to log into your work programs. That password just so happens to be your Netflix password, your Amazon password, and your bank account password as well.

We talked about this on the blog recently, but using the same password across all your accounts is hugely detrimental. 

Let’s say a hacker broke into your work network and cracked the passwords there, or one of the consumer services you use leaked its password database. 

What hackers then do is take those username and password pairs and replay them, automatically and at scale, against every other popular service; this is called credential stuffing. Once they realize the same pair also opens your Amazon account or your email, the hacker will go for broke and try banks, payroll portals, and anything else that takes a login. 

Now you’re dealing with double the trouble. Not only has your company’s network been breached, but personally, your life could be in ruins.

Although it’s not as quick and easy to log in, it’s worth it to create unique passwords for each service you use. When we say unique, by the way, we don’t mean variations of the same password, but completely original passwords from one account to another. 

Try a Password Manager

One reason that people are reluctant to use different passwords for each account is that they wonder how they’ll possibly remember everything. This is exactly why password managers exist. 

You can try services like Dashlane or LastPass, two of the most widely used password managers. Dashlane has apps for Android, iOS, Windows, and macOS, plus browser extensions. 

Both are offered on a freemium model: the basic features are free, and a recurring subscription unlocks the full feature set. 

LastPass works mainly as a web browser extension (with mobile apps as well) that stores your passwords in an encrypted vault as you enter them online and fills them in when you return. 

Of course, Dashlane and LastPass are two password managers of many. Your SMB can stick with a free tier if funds are especially tight, but we do recommend paying for a business plan eventually if you can. You get support, and the business tiers add the features an office actually needs: shared folders for team credentials and an admin console to revoke access when someone leaves. 

Make 16-Character Passwords

Some people assume that if you make your password as complex as possible, there’s no way anyone can crack it. That’s simply not true. A short password is within reach of an offline cracking rig no matter how many symbols it contains, because every extra character multiplies the number of guesses an attacker has to make, while every extra character class adds comparatively little.

That’s why we recommend a minimum of 16 characters. Most systems allow far more than that, and there’s no reason to stop at the minimum when the password is stored in a manager anyway. 

Business owners sometimes refrain from requiring 16-character passwords for employees. They assume their employees will forget the password all the time, which will hog up the precious time of the IT team, as they have to reissue passwords. There’s also a concern that long passwords will slow down login times.

Some who have made the switch to longer passwords find them easier to remember than a short jumble of uppercase and lowercase letters, numbers, and symbols. If you think of your long password as a passphrase, it can stick in your head more readily.

Besides, if you forget your password, you don’t necessarily have to call your IT person. You have a password manager. 

We say it’s worth it now in the early days of your SMB to use a 16-character password. The time you’ll spend training your staff on their password requirements is better than the thousands of dollars (or hundreds of thousands) you could have to shell out after a data breach. 

Avoid the Same Keyboard Strings Everyone Else Uses

Complexity in passwords is fine, and we want to stress that. Combined with a 16-character minimum, complexity gives you a password that’s a lot more difficult to crack. 

You do want to be sure, though, that your SMB staff defines “complex” the same way. If someone’s definition of a complex password is a basic keyboard string such as Asdf or Qwerty, the password is at risk: keyboard walks sit at the top of every cracking wordlist. 

Those keyboard strings are so easily guessed that one of your coworkers might be able to crack the password without any malicious intent. 

Complex passwords shouldn’t be so random that they have no meaning to you, unless a password manager is remembering them for you. For instance, A%FgB$3!uXp is a strong password, but it’s keyboard vomit that nobody will retain. That’s fine for the dozens of passwords a manager generates and fills in; it’s hopeless for the few you must type yourself, such as the manager’s master password or your computer login. 

KnowBe4, a security awareness training resource, has a really good tip for making complex passwords that make sense to you but no one else. They recommend taking a line from a quote, a song lyric, a movie, or a poem you like, and the more obscure the better. 

For instance, let’s say you like the phrase “I Want to Put a Dent in the Universe.” You can then break that down into a usable password. How? Well, first, boil the words down to just their initials, IWTPADITU. Then vary the capitalization, and throw in a number.

Now your password would look something like iWtpAD1tU. It’s a good start, but it can be better. Add numbers and special characters until the password is at least 16 characters long.

Here’s another example. Let’s say you used the phrase “It’s raining cats and dogs.” It’s not the best phrase for a password since it’s very well-known, but you can morph it so it’s almost unrecognizable.

Try the same method as above and you might come up with something like 1tsrAlnNGcts$DGS! If you look at it closely, it says “It’s raining cats and dogs.” If that seems too obvious to you even still, then add more characters. 

One caveat: substitutions like 1 for i and $ for s are the first thing password-cracking rulesets try, so they buy you much less than you’d think. Length and an obscure starting phrase do the heavy lifting; the substitutions are garnish. 
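The length and keyboard-string rules above are easy to state and easy to get wrong in practice, so here is an added example (not from the original post) of a small password-policy checker that enforces them: a 16-character minimum, rejection of four-character keyboard walks in either direction, and a blocklist check that first undoes the common leet substitutions discussed above. The blocklist is a constructed seven-word excerpt; a real deployment would load a large breached-password list instead.

```python
"""Password policy checker: minimum length, keyboard walks and
blocklisted words (after undoing common leet substitutions)."""
from typing import List

MIN_LENGTH = 16

# Rows of a US QWERTY keyboard; any 4-character run, forwards or
# backwards, counts as a keyboard walk ("qwer", "asdf", "4321", ...).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Constructed excerpt of a breached-password blocklist. A real deployment
# would load a large list (e.g. from a breach corpus) instead of this stub.
COMMON_WORDS = {"password", "qwerty", "letmein", "iloveyou",
                "welcome", "football", "monkey"}

# Undo the substitutions crackers try first:
# 0->o, 1->i, 3->e, 4->a, $->s, @->a, !->i, 5->s
LEET = str.maketrans("0134$@!5", "oieasais")


def keyboard_walks(lowered: str) -> List[str]:
    """Return every 4-character keyboard run found in the lowercased password."""
    found = []
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - 3):
            run = row[i:i + 4]
            if run in lowered or run[::-1] in lowered:
                found.append(run)
    return found


def blocklist_hits(lowered: str) -> List[str]:
    """Blocklisted words contained in the password once leet-speak is undone."""
    normalized = lowered.translate(LEET)
    return sorted(w for w in COMMON_WORDS if w in normalized)


def check_password(password: str) -> List[str]:
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"too short: {len(password)} characters, need {MIN_LENGTH}")
    lowered = password.lower()
    walks = keyboard_walks(lowered)
    if walks:
        problems.append("keyboard walk: " + ", ".join(walks))
    hits = blocklist_hits(lowered)
    if hits:
        problems.append("contains common word: " + ", ".join(hits))
    return problems


if __name__ == "__main__":
    # The two passwords from the text plus two that should be rejected.
    for candidate in ["iWtpAD1tU", "Asdf1234Asdf1234",
                      "P@ssw0rd!P@ssw0rd!", "1tsrAlnNGcts$DGS!"]:
        verdict = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

Note that “P@ssw0rd!P@ssw0rd!” is 18 characters and mixes all four character classes, yet it fails, because once the substitutions are reversed it is just “password” twice. That is the check a length-and-complexity rule on its own never makes.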

Utilize Multi-Factor Authentication

We just wrote a great post on multi-factor authentication that you should check out if you missed it. As a recap, multi-factor authentication (MFA) means proving who you are with two or more independent factors; two-factor authentication is simply the most common form of MFA, and a third factor is rare outside high-security environments. What matters is that the factors are of different kinds, so that stealing one of them (the password) doesn’t hand the attacker the other (your phone or security key).

The three kinds of factor are knowledge (something you know, such as a password or PIN), possession (something you have, such as a hardware security key or an authenticator app on your phone), and inherence (something you are, such as a fingerprint or face scan). 

For instance, face or fingerprint unlock on your smartphone is an inherence factor. Possession factors include hardware tokens, one-time codes from an authenticator app, and, weakest of the three, codes sent by SMS. Knowledge factors are passwords and PINs; secret questions are technically knowledge factors too, but their answers are often guessable or findable on social media, so don’t count them as a real second factor. 

Multi-factor authentication adds a few seconds to logging in, but it means a stolen or reused password is no longer enough on its own. That’s not to say that MFA is uncrackable: SMS codes can be intercepted by SIM swapping, and one-time codes can be phished in real time, which is why phishing-resistant methods such as FIDO2 security keys are the strongest choice for administrators and anyone who can move money.  

Change Your Password When You Have Reason To

For years the standard advice, and many compliance checklists, said to change every password every three months. The logic was that breaches aren’t always obvious when they occur, so if a hacker or cybercriminal came into possession of one or more passwords within your SMB, a regular change would at least limit how long they could use them. 

In practice, forced rotation backfires. People who must invent a new password every 90 days respond with predictable increments (Summer2021! becomes Fall2021!), and attackers know the pattern as well as anyone. Current guidance, including NIST’s Digital Identity Guidelines (SP 800-63B), is to drop mandatory periodic changes and instead change a password immediately whenever there is evidence of compromise: a breach notification from a service you use, the password turning up in a leaked-credential list, a phishing email someone on staff clicked, or a departing employee who knew a shared account.

Sure, that doesn’t help if the hacker works quickly, and rotating a shared or administrative credential on a schedule still beats never rotating it; but long unique passwords, a manager, MFA, and prompt rotation on any sign of trouble close the window far more reliably than a calendar reminder does. 

Store Passwords Hashed, Never in Plain Text

Encryption takes plain text and turns it into ciphertext that can’t be read until someone holding the key decrypts it. That’s the right tool when you need the original back, such as a password manager’s vault. For passwords that your own systems verify (employee logins to your application, a shared server, a database), you don’t want them to be recoverable at all, not even by you: store a salted, deliberately slow hash instead. Here is what the four terms you’ll meet actually mean. 

• Hashing: a one-way function turns the password into a fixed-length string that doesn’t resemble the original and can’t be reversed. Use a function designed for passwords (Argon2id, bcrypt, scrypt, or PBKDF2), which is deliberately slow so that an attacker who steals the database can test only thousands of guesses per second instead of billions; a plain MD5 or SHA-256 digest is not enough. Secrecy of the algorithm is no protection at all; the stored format usually names it, so assume the attacker knows exactly how you hashed. 

• Salting: a random value, unique to each account, is combined with the password before hashing and stored next to the result. Without it, two users with the same password produce the same hash and attackers can use precomputed tables; with it, every guess has to be recomputed per account. 

• Symmetric keys: one key both encrypts and decrypts. This is how a password manager protects its vault; the key is derived from your master password, so the vault is exactly as strong as that one password. 

• Public keys: anyone can encrypt with the public key, and only the holder of the matching private key can decrypt. That’s useful for sending a credential to a colleague securely, not for storing the passwords your systems check. 
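As an added example (not from the original post), here is the verifier-side storage described above in working code: PBKDF2-HMAC-SHA256 with a random 16-byte salt and a stored iteration count, beside the unsalted SHA-256 the text warns against. PBKDF2 is used because it ships in Python’s standard library and runs anywhere; Argon2id or bcrypt via a vetted library is the better choice when one is available. The record format “$pbkdf2-sha256$iterations$salt$hash” is this example’s own convention.

```python
"""Verifier-side password storage: salted, deliberately slow PBKDF2-HMAC-SHA256,
shown beside the naive unsalted SHA-256 it replaces."""
import base64
import hashlib
import hmac
import os
from typing import Optional

# OWASP's 2023 guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations.
ITERATIONS = 600_000
SALT_BYTES = 16
HASH_BYTES = 32


def naive_hash(password: str) -> str:
    """What NOT to do: fast and unsalted. Equal passwords give equal digests,
    and a GPU tries billions of SHA-256 guesses per second."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: $pbkdf2-sha256$<iterations>$<salt>$<hash>.
    Algorithm and parameters are stored in the clear; the strength comes from
    the per-password salt and the iteration cost, not from hiding them.
    (Record layout is this example's own convention.)"""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=HASH_BYTES)
    return f"$pbkdf2-sha256${iterations}${_b64(salt)}${_b64(dk)}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count and compare in
    constant time. Any malformed record (bad base64, zero iterations, wrong
    scheme) is treated as a failed login rather than an exception."""
    try:
        _, scheme, iters, salt_b64, dk_b64 = record.split("$")
        if scheme != "pbkdf2-sha256":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(dk_b64, validate=True)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                        int(iters), dklen=HASH_BYTES)
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Two employees who chose the same password (constructed demo data).
    alice, bob = "correct horse battery staple", "correct horse battery staple"
    print("naive:  identical digests? ", naive_hash(alice) == naive_hash(bob))  # True: leaks reuse
    ra, rb = hash_password(alice), hash_password(bob)
    print("salted: identical records?", ra == rb)                              # False
    print("stored record:", ra)
    print("login ok:", verify_password("correct horse battery staple", ra))
    print("wrong pw:", verify_password("Correct horse battery staple", ra))
```

Because the iteration count travels with each record, you can raise it later and re-hash each user’s password the next time they log in successfully, without a big-bang migration.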

Use Master Passwords for Your Internet Browser

Does your Internet browser offer to remember your passwords every time you log in to an online service? Unless you set a master password (Firefox now calls it a Primary Password), anyone who can use your work computer while it’s unlocked can open the browser’s saved logins and read every stored password. 

In current versions of Firefox, open Settings, go to Privacy & Security, scroll to Logins and Passwords, and check Use a Primary Password. Older versions had the same option under Options, labelled Use a Master Password.

Now, whenever Firefox needs one of your stored passwords, you’ll be prompted to type in the primary password first.

Not all browsers offer an equivalent. Google Chrome, for example, has no separate master password: it ties your saved passwords to your operating system login, so anyone sitting at your unlocked computer can have Chrome fill them in. Locking your screen whenever you step away matters for the same reason, and a dedicated password manager gives you master-password protection across every browser and device rather than in one of them. 

If Storing Password Data on Your Computer, Encrypt It 

Those who don’t trust their Internet browsers or password managers to hold onto their passwords might use their own personal system. For some SMB employees, that system is nothing more than writing the password down on a piece of paper.

A paper list kept in a locked drawer (not on a sticky note on the monitor) is a lower risk than business owners tend to fear: the person who breaks into your office would have to be physically there, find the paper, and recognize what they’re looking at. It doesn’t scale past a handful of accounts and it doesn’t help remote staff, but it is far from the worst option. 

The worst option is a plain-text document on your computer, which is what many more people actually do. They assume that by hiding the document in folder after folder, or giving it an innocuous name, a hacker could never find it.

That’s untrue. Information-stealing malware grabs documents and browser stores wholesale rather than browsing folders, and the file will also end up in backups and cloud-sync folders you’ve forgotten about. A file is only as hidden as the first search for the word “password.”

Replacing “Outlook password: [password]” with terms that only make sense to you slows down a human reader a little and a program not at all. 

If you must keep password data in a file, encrypt it with a strong passphrase: a password manager vault is exactly this done properly, and an encrypted archive or a GPG-encrypted file works for the occasional note. Turn on full-disk encryption on the machine as well, so a lost laptop doesn’t hand the file over with the hardware.  


Small and medium-sized businesses should bulk up their password safety practices now to avoid breaches, which are only becoming more common as the 2020s get underway. We hope the guidance in this article helps your office secure its passwords so your data is harder to steal.