Is Your Business Protected by a Post-It Note?
- David Chernitzky
- May 26
- 3 min read
Updated: Jun 6

Introduction
Passwords serve as the digital keys to your business, yet many small and medium-sized businesses (SMBs) leave these keys unguarded. Common oversights—such as weak passwords, reused credentials, and neglecting multi-factor authentication (MFA)—can lead to significant cybersecurity breaches. The good news is that these issues are easily rectifiable.
The Dangers of Weak and Reused Passwords:
A 2025 Cybernews analysis of leaked credentials found that 94% of the passwords were reused or duplicated across accounts, so a single compromised password can unlock multiple systems. Alarmingly, passwords like "123456" or "Password1" remain among the most commonly used globally; they sit at the top of every cracking wordlist and are guessed in seconds.
For SMBs, the implications are severe. A single compromised employee login can escalate into a company-wide breach, leading to data leaks, financial losses, and potential ransomware attacks.

Sources: Cybernews, Microsoft, Okta
Common Workplace Password Pitfalls
Reusing passwords across systems
Sharing credentials via email or chat
Skipping MFA where available
Not changing passwords after a suspected compromise or when an employee leaves
Saving passwords in spreadsheets or unsecured documents
These habits aren’t just risky — they’re avoidable.

Implementing Effective Solutions:
Adopt Passphrases: Encourage long, memorable phrases (e.g., "GreenCoffee!Fence42") instead of short, symbol-heavy passwords. NIST's Digital Identity Guidelines (SP 800-63B) favor length over forced complexity: a passphrase of 12 characters or more is both stronger and easier to remember than a short password that merely ticks composition boxes.
Mandate MFA: Despite MFA preventing 99% of account takeovers, only 66% of workforce users had it enabled in 2024. Ensure MFA is activated across all critical systems.
Utilize Password Managers: Tools like 1Password, Bitwarden, or LastPass let employees generate and store a unique, random password for every account. A manager removes the need to remember passwords at all, which is what makes unique passwords practical; most also flag weak or reused entries, can check saved passwords against known breach data, and turn changing a password after an incident into a one-minute task.
Conduct Regular Training: Short, practical training sessions can significantly improve password hygiene. Educate employees on identifying and rectifying unhealthy password habits.
Establish a Clear Password Policy: Define rules for minimum length (favoring length over complexity rules), screening new passwords against known-breached lists, when a password must be changed (after a suspected compromise or a departure, rather than on a fixed calendar), and approved storage methods (the password manager, never a spreadsheet or chat message). Integrate this policy into the onboarding process.
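The policy points above translate directly into a server-side check. The following is an added example (not Armour Cybersecurity's code or tooling) of a NIST SP 800-63B-style validator: length floor, no composition rules, Unicode normalization, a username check, and a lookup against breached-password data. The breached list is a small constructed denylist stored as SHA-1 hashes, and the "range" lookup mirrors the Have I Been Pwned k-anonymity scheme (send only the first five hex characters of the SHA-1, match the rest locally); the range response is constructed inline rather than fetched, so the script runs offline.

```python
"""NIST SP 800-63B-style password policy check (added example).

Assumptions: denylist and HIBP-style range response are constructed here;
nothing is fetched over the network.
"""
from __future__ import annotations

import hashlib
import unicodedata

MIN_LENGTH = 12    # the article's passphrase floor (NIST's own minimum is 8)
MAX_LENGTH = 128   # NIST: accept at least 64 characters, so never cap short

# Constructed denylist of well-known passwords, kept as upper-case SHA-1 hex
# so the check compares hashes and never stores the plaintext list.
_COMMON = ["123456", "password", "Password1", "qwerty", "letmein", "welcome1"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _COMMON}


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def hibp_range_parts(password: str) -> tuple[str, str]:
    """Split the hash the way the HIBP k-anonymity API expects: only the
    5-character prefix leaves the host; the 35-character suffix is matched locally."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def suffix_in_range(suffix: str, range_body: str) -> int:
    """Parse 'SUFFIX:COUNT' lines (the HIBP range format) and return the
    breach count for our suffix, or 0 if it is absent."""
    for line in range_body.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def check_password(password: str, username: str | None = None,
                   ranges: dict[str, str] | None = None) -> list[str]:
    """Return a list of violations; an empty list means the password passes.
    Deliberately no upper/lower/digit/symbol rules: NIST advises against
    composition rules, and length plus a breach check do more for security."""
    pw = unicodedata.normalize("NFKC", password)  # NIST: normalize before use
    problems: list[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if len(set(pw.lower())) <= 3:
        problems.append("repetitive (too few distinct characters)")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    if sha1_upper(pw) in BREACHED_SHA1:
        problems.append("appears in the known-breached list")
    if ranges:
        prefix, suffix = hibp_range_parts(pw)
        count = suffix_in_range(suffix, ranges.get(prefix, ""))
        if count:
            problems.append(f"seen {count} times in breach data")
    return problems


# Constructed HIBP-style range response for prefix 5BAA6. The second suffix is
# the real SHA-1 tail of "password"; the first line is filler.
SAMPLE_RANGES = {
    "5BAA6": (
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824\n"
    ),
}

if __name__ == "__main__":
    for pw in ["123456", "password", "GreenCoffee!Fence42"]:
        print(pw, "->", check_password(pw, ranges=SAMPLE_RANGES) or "OK")
```

In production the `ranges` lookup would be a cached HTTPS call to the range endpoint keyed by the prefix; the point of the split is that the verifier never sends the full hash, let alone the password, to a third party.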
Real-Life Example:
Consider the 2023 data breach at 23andMe. Attackers used credential stuffing: usernames and passwords leaked in earlier, unrelated breaches were replayed against 23andMe logins, and roughly 14,000 accounts whose owners had reused those credentials were compromised. Because each compromised account could view the profiles of genetic relatives through the opt-in DNA Relatives feature, the exposure spread far beyond those accounts to the personal and genetic data of approximately 5.5 million users. The attack underscores the threat of credential stuffing when password hygiene is poor and robust measures such as MFA are not enforced.
Conclusion:
In an era of evolving cyber threats, simple habits can offer robust protection. For SMBs, enhancing password practices transcends IT concerns—it's a pivotal business priority.
Empowering your team to adopt strong passphrases, enable MFA, and manage credentials responsibly establishes a human firewall as vital as any software solution.
Cybersecurity success stems from consistent practices. The optimal time to fortify these habits is now.
At Armour Cybersecurity, we specialize in assisting businesses to implement practical training, deploy secure tools, and cultivate a culture of security from the ground up. Contact us to strengthen your team's password habits and overall cybersecurity posture.
Password Habits Q&A
1. Q: Why are reused passwords such a big deal if they’re strong?
A: Even strong passwords become dangerous if reused. If one site you use is breached — and that password is leaked — attackers will try it on other sites using automated tools. This is known as a “credential stuffing” attack, and it’s one of the most common methods cybercriminals use to gain access to business systems.
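Credential stuffing also has a recognizable shape in authentication logs: one source address failing logins for many different accounts in a short time, sometimes with a single success among them. The following is an added example (not part of the original post) of that detection logic run over a constructed sample log; the log line format is assumed, and the addresses come from the RFC 5737 documentation ranges.

```python
"""Credential-stuffing detection over authentication log lines (added example).

Assumed log format: "<ISO-8601 UTC> ip=<addr> user=<name> result=OK|FAIL".
The sample log is constructed for the demo.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) "
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

# Constructed sample: 203.0.113.5 cycles through seven accounts in under a
# minute (the stuffing signature) and lands one success; 198.51.100.7 is a
# legitimate user who mistypes once and then signs in.
SAMPLE_LOG = """\
2025-05-26T09:00:01Z ip=203.0.113.5 user=alice result=FAIL
2025-05-26T09:00:09Z ip=203.0.113.5 user=bob result=OK
2025-05-26T09:00:17Z ip=203.0.113.5 user=carol result=FAIL
2025-05-26T09:00:25Z ip=203.0.113.5 user=dave result=FAIL
2025-05-26T09:00:33Z ip=203.0.113.5 user=erin result=FAIL
2025-05-26T09:00:41Z ip=203.0.113.5 user=frank result=FAIL
2025-05-26T09:00:49Z ip=203.0.113.5 user=grace result=FAIL
2025-05-26T09:05:00Z ip=198.51.100.7 user=alice result=FAIL
2025-05-26T09:05:20Z ip=198.51.100.7 user=alice result=OK
"""


def parse_line(line: str):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_credential_stuffing(log_text: str,
                               window: timedelta = timedelta(minutes=5),
                               min_distinct_users: int = 5) -> dict:
    """Flag source IPs that fail logins for at least `min_distinct_users`
    distinct accounts inside any `window`, and list the accounts the same IP
    then logged into successfully (the likely compromised logins)."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    events.sort(key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            # Advance the window start so fails[start:end+1] spans <= window.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            distinct = {e["user"] for e in fails[start:end + 1]}
            if len(distinct) >= min_distinct_users:
                alerts[ip] = {
                    "distinct_failed_users": len({e["user"] for e in fails}),
                    "succeeded_as": sorted({e["user"] for e in evs
                                            if e["result"] == "OK"}),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {info['distinct_failed_users']} accounts failed, "
              f"successful logins as {info['succeeded_as'] or 'none'}")
```

The per-IP rule catches the noisy case; stuffing tools that rotate through proxies spread the failures across many addresses, so a real deployment pairs this with a per-account view (one account failing from many addresses) and with the "success after a string of failures" signal, which is the cue to force a password reset and step-up MFA.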
2. Q: Is multi-factor authentication (MFA) really necessary for every account?
A: Yes — especially for email, cloud tools, and admin accounts. MFA stops over 99% of credential-based attacks, according to Microsoft. It adds an extra layer of security by requiring something you know (your password) and something you have (a code, token, or app approval).
3. Q: What's the difference between a password and a passphrase?
A: A password is usually a short string of random characters (e.g., “Xy!7eR#”). A passphrase is longer and often easier to remember — like “CoffeeTable!Shark52.” According to NIST, a 12+ character passphrase is often more secure and user-friendly than a complex but short password.
4. Q: We use shared team accounts. How can we manage those securely?
A: Ideally, each user should have individual access, but if shared accounts are unavoidable, use a team-based password manager like Bitwarden Teams or 1Password Business. These tools allow secure sharing, audit trails, and automatic password generation — all without exposing credentials in plain text.
5. Q: How often should passwords be changed?
A: It depends. If you’re using MFA and unique passwords via a password manager, regular changes aren’t always necessary. But if a breach is suspected or an employee leaves the company, update passwords immediately. Set policies that balance security with usability.