# Password Security for Small Businesses: The Practical Guide
Small businesses get attacked more often than large companies, not less. The assumption that attackers go after big targets is wrong in practice. Large companies have dedicated security teams, enforced policies, intrusion detection systems, and incident response playbooks. A ten-person agency or a solo consultant has none of that, which makes them far easier to compromise. The return on effort for an attacker is better with smaller targets precisely because the defences are weaker and more predictable.
## How Most Small Business Breaches Actually Happen
Most small business cybersecurity failures are not the result of sophisticated attacks. They come from reused passwords, passwords that haven't been changed after an employee left, and credentials that were captured in a data breach years ago and are still in active use. Attackers know this. They buy breach databases for a few pounds, run automated tools that test those leaked credentials across hundreds of services simultaneously - a technique called credential stuffing - and wait for something to open. If your email password was leaked in a breach three years ago and you're still using it, there's a reasonable chance someone has already tried it against your banking portal, your cloud storage, and your client portal.
The other common attack is brute force: trying password combinations at high speed until one works. This sounds like it would take forever, but a password like "winter2024!" or "Company#1" can be cracked in seconds by tools that use dictionaries of common patterns and known substitutions. Length matters more than complexity. A password made of four random unrelated words is harder to crack than a shorter one with symbols and numbers, because length exponentially increases the number of combinations an attacker has to try, while predictable substitutions (an "@" for an "a", a "3" for an "e") are already built into cracking tools. A truly strong password is long, random, and not based on anything guessable about you, your business, or a common pattern.
## Generating Truly Random Passwords
Randomness is the piece that people consistently get wrong when they try to create their own passwords. Humans are bad at generating entropy. We reach for familiar words, dates, names, or keyboard patterns because those are easy to remember. The only reliable way to generate a random password is to let software do it. A good Password Generator uses your browser's built-in cryptographic API to produce cryptographically secure random values, rather than the predictable output of a general-purpose pseudo-random number generator. The generation happens in-browser, so the password is never sent to a server, never logged, and never seen by anyone except you.
The reason password managers are the only scalable solution is simple: you cannot memorise dozens of strong, unique, long passwords. You can memorise one strong master password. A password manager stores everything else, generates new credentials for each service, and autofills them so you never have to type them. If one service gets breached, the damage is contained to that service because the passwords are unique. This is the most impactful single change most small businesses can make to their security posture.
## Prioritising Your Most Critical Accounts
Not all accounts carry equal risk. The accounts worth protecting most aggressively are the ones that unlock everything else or hold the most sensitive data. Your primary email account is the master key to your entire online presence - most services reset passwords by sending a link to your email, which means whoever controls your inbox controls everything. Business banking and payment platforms have obvious financial exposure. Cloud storage accounts often hold client contracts, financial records, and confidential documents. Client portals and project management tools contain work that isn't yours to lose. These accounts should all have unique, strong passwords and, crucially, two-factor authentication enabled.
Two-factor authentication is the second layer that makes a compromised password much less useful. Even if an attacker has your correct password, they still need the second factor - typically a time-based code from an authenticator app on your phone - to get in. Enable it on every account that supports it, and prefer an authenticator app over SMS codes. SMS codes can be intercepted through SIM-swapping attacks; codes generated on your device by an authenticator app cannot. A one-time code typed into a convincing phishing page can still be used by the attacker before it expires, so 2FA limits the damage of a stolen password rather than eliminating phishing; closing that gap is what passkeys do.
## What to Do When a Password Is Compromised
If you discover that a password has been compromised - whether through a breach notification, a suspicious login alert, or a gut feeling - act immediately. Change the password on the affected account. Change it on any other account where you used the same password. Check recent activity on the account for any actions you didn't take. If it's your email or a financial account, notify relevant parties. Run your email address through a breach-checking service to see what other credentials may have been exposed in the same breach. Document what happened and what you changed. The window between a credential being compromised and it being actively used can be short.
## Team Accounts and Offboarding
Teams create additional complexity that solo operators don't face. Shared accounts - a single login used by multiple people - are a persistent problem in small businesses because they're convenient. The problem is accountability: if something goes wrong, there's no way to know who did it, and when someone leaves the company, you have no clean way to revoke their access. Individual accounts for every team member, with access permissions scoped to what each person actually needs, is the right structure even if it feels like overhead. Offboarding should include a checklist: disable accounts, rotate shared credentials, and revoke access to cloud services, client portals, and any tools that were shared. This is often skipped in the scramble of a departure and becomes a dormant liability.
The longer arc of authentication is moving away from passwords entirely. Passkeys - a standard now supported by most major platforms and browsers - replace the password with a cryptographic key pair stored on your device, unlocked by biometrics or a PIN. You don't type a password; you authenticate with your face, fingerprint, or device PIN, and the underlying cryptographic handshake happens invisibly. Passkeys can't be phished, can't be stuffed, and can't appear in breach databases, because the server holds only the public half of the key pair, which is useless without the private key that never leaves your device. They're not universal yet, but adoption is accelerating. For services that offer passkeys, switching is worth the few minutes it takes.
Until passkeys are everywhere, the practical formula is: unique strong passwords generated by a tool like the Password Generator, stored in a password manager, with two-factor authentication on the accounts that matter most. Keep sensitive documents - contracts, signed agreements, financial records - processed locally using browser-based tools like Digital Signature and PDF Compressor, so client data doesn't travel to third-party servers unnecessarily. Password security is the foundation, but it sits inside a larger posture of keeping your data where you can control it.