Password Security for Small Business Owners: What You're Probably Getting Wrong

Most small business owners are one stolen password away from losing control of their website, email, or finances. Here's how to fix that — without making your life complicated.

Password security is one of those topics that feels like common sense until you actually look at how people — including smart, careful business owners — handle their passwords in practice. The reality is that most small businesses are one compromised password away from a serious incident.

Here's what the risks actually look like, and what to do about them.

The Problem With How Most People Handle Passwords

Reusing passwords. Using the same password across multiple accounts is the single most dangerous password habit. When any service you use gets breached — and breaches happen constantly, to companies large and small — attackers immediately test those stolen credentials against other services. This is called credential stuffing. If you use the same password for a breached forum and your hosting account, your website is now at risk.

Weak passwords. "Password123," your business name followed by the year, your pet's name — these are guessed by automated tools in seconds. A modern password-cracking setup can test billions of combinations per second.

Sharing passwords over email or text. If you've ever sent a password in a text message or email, that password now exists in multiple places you don't control, on devices you don't own, potentially in cloud backups you'll never see.

Not knowing who has access. Former employees, old contractors, freelancers from three years ago — if you never changed your passwords after they moved on, they may still have access to your systems.

What a Password Manager Changes

A password manager is software that generates and stores strong, unique passwords for every account you have. You remember one master password. The manager handles everything else.

This solves the two biggest problems simultaneously: you get strong passwords (because the manager generates them, not you) and unique passwords (because the manager stores them, so you don't need to remember them). Popular options include 1Password, Bitwarden, and Dashlane. Most work across all your devices.

Using a password manager is the single highest-impact change most small business owners can make to their security posture.

Two-Factor Authentication

Two-factor authentication (2FA) means that logging in requires something you know (your password) plus something you have (usually your phone). Even if an attacker steals your password, they can't get in without also having your phone.

Enable 2FA on every account that supports it. Start with the most critical ones: your hosting account, your domain registrar, your email, your website's admin panel, and your bank. Most of these support 2FA using an app like Google Authenticator or Authy.

Practical Steps This Week

  • Sign up for a password manager and start migrating your accounts to unique, generated passwords.
  • Enable two-factor authentication on your hosting account and email immediately — these are the highest-value targets.
  • Change any passwords that have been shared with people who no longer need access.
  • Check whether your email has appeared in a known data breach at haveibeenpwned.com — it's free and takes 30 seconds.
  • Make sure your website's admin password isn't something you've used anywhere else.

A Note on Your Website Specifically

Your website's admin login is a particular target. Bots run automated attacks against login pages constantly, trying thousands of username and password combinations. A strong, unique password combined with 2FA makes these attacks essentially useless. With a weak, reused password, it is only a matter of time before one of them succeeds.

If you'd like help reviewing your website's login security or setting up two-factor authentication on your site, we can help.