We do a lot of IT assessments. And in almost every single one, we find the same thing: passwords being reused across accounts, or stored in a spreadsheet someone made in 2017, or — our personal favorite — written on a sticky note on the underside of a keyboard. (People always think we won't check. We always check.)
Password hygiene is boring to talk about. It's also one of the most consistently exploited weaknesses in small and mid-sized businesses. Attackers know that people are lazy with passwords, and they count on it.
Why "I Remember All My Passwords" Is a Red Flag
If you can remember all your passwords, it means one of three things:
- You have very few accounts (unlikely)
- You're using simple, predictable passwords
- You're reusing the same password — or small variations of it — across multiple sites
The third option is by far the most common, and it's what makes credential stuffing attacks so effective.
Here's how a credential stuffing attack works: attackers buy or steal a database of username/password pairs from a breached website — say, a fitness app or an old forum. Those credentials get run through automated tools against hundreds of other services: Office 365, banking portals, corporate VPNs. If you used the same password on LinkedIn in 2012 that you use for your email today, you have a problem. A problem that probably already played out and you just don't know it yet.
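The pattern described above leaves a recognisable trace in authentication logs: one source address trying many different usernames in a short burst, almost all of them failing. The following Python script is an added example written for this article, not a tool from the assessment team; the log format it parses (ISO timestamp, FAIL/OK, user=, ip=) and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real traffic). The line format is an
# assumption for this example: "<ISO timestamp> <FAIL|OK> user=<name> ip=<source address>"
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=alice ip=203.0.113.10
2024-05-01T09:00:02 FAIL user=bob ip=203.0.113.10
2024-05-01T09:00:02 FAIL user=carol ip=203.0.113.10
2024-05-01T09:00:03 FAIL user=dave ip=203.0.113.10
2024-05-01T09:00:03 OK   user=erin ip=203.0.113.10
2024-05-01T09:00:04 FAIL user=frank ip=203.0.113.10
2024-05-01T09:00:04 FAIL user=grace ip=203.0.113.10
2024-05-01T09:00:05 FAIL user=heidi ip=203.0.113.10
2024-05-01T09:00:05 FAIL user=ivan ip=203.0.113.10
2024-05-01T09:00:06 FAIL user=judy ip=203.0.113.10
2024-05-01T09:00:06 FAIL user=mallory ip=203.0.113.10
2024-05-01T09:01:10 FAIL user=alice ip=198.51.100.7
2024-05-01T09:01:15 FAIL user=alice ip=198.51.100.7
2024-05-01T09:01:20 OK   user=alice ip=198.51.100.7
"""

LINE_RE = re.compile(r"^(\S+)\s+(FAIL|OK)\s+user=(\S+)\s+ip=(\S+)$")


def parse_events(log_text):
    """Group (timestamp, failed?, username) tuples by source IP, skipping unparseable lines."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, result, user, ip = m.groups()
        events[ip].append((datetime.fromisoformat(ts), result == "FAIL", user))
    return events


def detect_stuffing(log_text, window_seconds=60, min_distinct_users=8, min_fail_ratio=0.8):
    """Flag source IPs that try many different usernames, mostly unsuccessfully, in one window.

    A user fumbling their own password produces one username with a few failures;
    a leaked credential list replayed against the login page produces many usernames
    from one source. For each flagged IP the window with the most usernames is kept.
    """
    flagged = {}
    for ip, evs in parse_events(log_text).items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the window spans at most window_seconds.
            while evs[end][0] - evs[start][0] > timedelta(seconds=window_seconds):
                start += 1
            window = evs[start:end + 1]
            users = {u for _, _, u in window}
            failures = sum(1 for _, failed, _ in window if failed)
            if len(users) >= min_distinct_users and failures / len(window) >= min_fail_ratio:
                best = flagged.get(ip)
                if best is None or len(users) > best["distinct_users"]:
                    flagged[ip] = {"distinct_users": len(users),
                                   "attempts": len(window),
                                   "failures": failures}
    return flagged


if __name__ == "__main__":
    for ip, stats in detect_stuffing(SAMPLE_LOG).items():
        print(f"possible credential stuffing from {ip}: {stats}")
```

On the sample data only 203.0.113.10 is flagged; 198.51.100.7 is one person retrying their own account and stays below the distinct-username threshold. Note the single OK line inside the flagged burst: in a real investigation that successful login (erin, in the constructed data) is the account whose password has been reused somewhere and needs resetting first.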
According to the Verizon Data Breach Investigations Report, compromised credentials are involved in over 80% of hacking-related breaches. Not because attackers are sophisticated. Because password reuse is everywhere.[1]
The Password Problem Businesses Actually Have
Individual password hygiene is one thing. Business password hygiene is a different beast entirely.
In a business environment, you have:
- Shared accounts (the generic "admin" login that three people know)
- Vendor portals with credentials that nobody's changed since the original setup
- Former employees whose access was never fully revoked
- People using personal email addresses on work systems
- Passwords emailed back and forth in plaintext
Every one of those is an open door. And attackers are very good at finding open doors.
What a Password Manager Actually Does
A password manager generates long, random, unique passwords for every account — something like kX9#mPqL2!nRvT7w — and stores them in an encrypted vault. You remember one master password. The manager handles the rest.
The practical result: every account your business has gets a completely unique, unguessable password. If one service gets breached, your other accounts aren't at risk. Credential stuffing doesn't work because there's nothing to stuff.
For teams, enterprise password managers also let you:
- Share credentials securely without emailing them
- Revoke access instantly when someone leaves
- Audit who has access to what
- Set policies (password length, rotation requirements)
- Detect when passwords show up in breach databases
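Two of the points above, the generator that produces passwords like the one quoted earlier and the breach-database check, can be shown together. The Python below is an added example for this article, not code from any of the products mentioned. It assumes a breach lookup of the kind Have I Been Pwned's Pwned Passwords service offers: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and receives every known hash suffix for that prefix, so the password itself never leaves the machine. The breach corpus and the "server" here are constructed stand-ins.

```python
import hashlib
import math
import secrets
import string

# Character classes for generated passwords (a choice made for this example).
SYMBOLS = "!#$%&*+-=?@^_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length: int = 16) -> str:
    """Draw characters from a CSPRNG and retry until every class is present."""
    if length < 4:
        raise ValueError("too short to contain every character class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing-space size of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus standing in for a real breach database (not real data).
BREACHED_PASSWORDS = {"password": 9_000_000, "Acme2023!": 42, "Welcome1": 120_000}

# Server side of the range query, modelled on the k-anonymity scheme of Pwned Passwords:
# hashes are indexed by their first five hex characters.
RANGE_INDEX = {}
for _pw, _count in BREACHED_PASSWORDS.items():
    _h = sha1_hex(_pw)
    RANGE_INDEX.setdefault(_h[:5], []).append(f"{_h[5:]}:{_count}")


def fake_range_lookup(prefix: str) -> list:
    """Stand-in for the HTTPS call: every known 'SUFFIX:COUNT' line sharing this prefix."""
    if len(prefix) != 5:
        raise ValueError("range queries take a 5-character hex prefix")
    return RANGE_INDEX.get(prefix, [])


def breach_count(password: str, range_lookup=fake_range_lookup) -> int:
    """How many times the password appears in the corpus; only the prefix leaves the client."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in range_lookup(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


if __name__ == "__main__":
    fresh = generate_password()
    print(f"generated: {fresh} ({entropy_bits(len(fresh)):.0f} bits), breached: {breach_count(fresh)}")
    for guess in ("password", "Acme2023!"):
        print(f"{guess!r} seen {breach_count(guess)} times in breach data")
```

A 16-character password over this 75-symbol alphabet has roughly 100 bits of entropy, which is why a generated password is not something an attacker can guess or find in a breach list; "Acme2023!" is found immediately, and that is the kind of company-name-plus-year password the NordPass study keeps turning up.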
According to NordPass's annual corporate password study, the most common passwords used in business environments still include variations of the company name, the year, and the word "password." This is after years of security awareness training and high-profile breaches.[2] People do not naturally change their habits. Tools change habits.
Common Objections (And Why They Don't Hold Up)
"What if the password manager gets hacked?"
Password managers encrypt your vault with a key derived from your master password before it ever leaves your device. Even if a password manager's servers were breached, attackers would get encrypted blobs they can't read without that master password. That protection only holds if the master password itself is long and not reused anywhere, because an attacker holding the vault can make guesses against it offline. Even so, this is fundamentally more secure than a spreadsheet or a sticky note.
"I don't trust putting all my eggs in one basket."
Your eggs are already in one basket — the basket of "passwords I can remember," which is a basket with holes in it. A good password manager with MFA is a dramatically stronger basket.
"It's too complicated for my team."
Modern password managers have browser extensions that autofill credentials. For most employees, using a password manager is actually easier than remembering passwords — the friction of adoption pays for itself within a week.
What We Recommend
For small businesses, tools like Bitwarden Business or 1Password Teams offer solid enterprise features at reasonable price points. For our managed IT clients, we handle deployment, policy configuration, and onboarding so the rollout doesn't fall on the business owner's desk.
Combined with MFA — which we've written about separately — a password manager closes one of the most commonly exploited doors in small business IT. It's not glamorous. It's not exciting. It works.
References
- Verizon, Data Breach Investigations Report 2024. "Over 80% of hacking-related breaches involve compromised credentials." verizon.com/business/resources/reports/dbir/
- NordPass, Top 200 Most Common Business Passwords 2023. Analysis of corporate password databases. nordpass.com/most-common-passwords-list/
