Week 2: Stop Reusing Passwords — Simple Fixes That Actually Work
Part of the 30-Day SME Cyber Security Series
If MFA is your deadbolt…
👉 **Password management is the key discipline that stops attackers getting to the door in the first place.**
Right now, most businesses rely on:
* Reused passwords
* Shared logins
* Sticky notes, spreadsheets, or memory
That’s not just risky — it’s exactly what attackers expect.
—
## What’s the Real Problem?
It’s not only that passwords are weak.
It’s that they are:
* **Reused across multiple systems**
* **Shared between staff**
* **Stored insecurely**
So when ONE system is breached…
👉 Attackers take the leaked email/password pairs and try them, automatically and at scale, against every other service they can think of.
This is called:
> **Credential stuffing**
And it works — a lot.
—
## What This Looks Like in the Real World
### 🔐 Example: The Domino Effect
An employee signs up to a third-party website using:
* Email: work address
* Password: same as business email
That website gets breached.
Now attackers have:
* Email
* Password
They try logging into:
* Microsoft 365
* MYOB
* Xero
👉 And, unless MFA is enforced on those accounts, they get in.
No hacking required: just a normal login with a valid username and password.
—
### 💸 Example: Shared Passwords
A team shares a login for:
* Accounting software
* Supplier portals
A former employee still has access.
Or worse — the password leaks externally.
👉 You now have **no control over who can access your systems**
—
## The Hard Truth
> Passwords are not secure by default.
> They are only secure if they are **unique and managed properly**.
—
## The Fix: Use a Password Manager
A password manager:
* Generates strong, unique passwords
* Stores them securely
* Auto-fills them when needed
👉 Users only need to remember **one master password**
That one password now guards every other login, so make it a long passphrase and turn on MFA for the vault itself.
—
## Recommended Tools (Simple + Proven)
### 🔐 Business-Ready Options:
* **1Password (Business)**
* **LastPass (Teams / Business)**
* **Bitwarden (Business / Open Source option)**
—
### 👤 For Smaller Teams / Individuals:
* **Google Password Manager** (built into Chrome and Android; basic)
* **Microsoft Edge built-in** (better than nothing)
—
👉 **Best balance for SMEs:**
Use **1Password or Bitwarden**
—
## Step-by-Step Setup (Practical)
—
### 🔹 Step 1: Choose Your Tool
Pick ONE:
* 1Password
* Bitwarden
* LastPass
👉 Don’t overanalyse — just choose and start
—
### 🔹 Step 2: Set Up Your Business Vault
* Create company account
* Set up shared vaults:
  * Finance
  * Admin
  * Operations
👉 Control who can access what: give each person only the vaults their role needs
—
### 🔹 Step 3: Add Your Existing Logins
Start with:
* Email
* MYOB / Xero
* Banking
* Cloud systems
👉 Import or manually add credentials
—
### 🔹 Step 4: Generate New Passwords
For each system:
1. Open password manager
2. Generate a **new strong password**
3. Replace the old one
4. Save it securely
👉 Every system gets a **unique password**
—
### 🔹 Step 5: Enable MFA (From Week 1)
Password manager + MFA = **powerful combination**
—
### 🔹 Step 6: Roll Out to Staff
* Install browser extension
* Provide 10-minute training
* Show how to:
  * Save passwords
  * Autofill logins
—
## 🔧 What a “Good” Password Looks Like Now
Forget:
* “Password123”
* “CompanyName2024”
👉 You don’t need to remember it anymore.
A good password is:
* Long (20 characters or more when the manager generates it)
* Random (generated, not typed)
* Unique (one per system)
Example:
> `T9!xP#4LmQ2@vZ8`
You’ll never remember it — and that’s the point.
The one password you do still have to remember, the master password, should instead be a long passphrase of several random words.
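As an added example (not part of the original post), here is what the generator inside a password manager does, in Python: it draws symbols from a character set using the operating system's CSPRNG (the `secrets` module), and the `entropy_bits` helper shows why length matters more than which symbols you pick. The alphabet, the tiny word list and the 7776-word figure (the size of the EFF long word list) are the example's own assumptions, not anything the post specifies.

```python
import math
import secrets
import string

# Character set similar to what a password manager's generator draws from:
# 52 letters + 10 digits + 23 symbols = 85 symbols (an assumption of this example).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?"

# Constructed, deliberately tiny word list so the example runs offline.
# A real passphrase generator uses a large published list (e.g. the EFF long list, 7776 words).
WORDS = (
    "anchor", "basil", "canyon", "dune", "ember", "fjord", "glacier", "harbor",
    "ivory", "jungle", "kettle", "lantern", "meadow", "nectar", "orbit", "pebble",
)


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return `length` symbols chosen uniformly from `alphabet` with the OS CSPRNG.

    `secrets.choice` is used rather than `random.choice`: the latter is seeded from
    predictable state and must never be used for credentials.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 6, wordlist=WORDS, sep: str = "-") -> str:
    """Return `words` random words joined by `sep`: the style to use for the one
    password a human still has to remember (the master password)."""
    if words < 1:
        raise ValueError("words must be at least 1")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a string of `length` symbols drawn uniformly from an
    alphabet of `alphabet_size` symbols. Each symbol adds log2(alphabet_size) bits;
    a password a person typed has far less than this, whatever it looks like."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    phrase = generate_passphrase(6)
    print(f"generated 20-char password : {pw}  ({entropy_bits(20, len(ALPHABET)):.0f} bits)")
    print(f"page's 15-char example style: {entropy_bits(15, len(ALPHABET)):.0f} bits")
    print(f"6-word passphrase           : {phrase}  "
          f"({entropy_bits(6, len(WORDS)):.0f} bits with this tiny list; "
          f"{entropy_bits(6, 7776):.0f} bits with a 7776-word list)")
```

Every extra symbol adds about 6.4 bits with this alphabet, so going from the 15-character example to 20 characters adds roughly 32 bits; that is why the manager's default length, not clever substitutions, is what to turn up.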
—
## ⚠️ What Most Businesses Get Wrong
—
### ❌ 1. Still reusing passwords “just for a few systems”
This defeats the entire purpose.
👉 **Fix:** Every system = different password
—
### ❌ 2. Sharing passwords via email or SMS
* Easily intercepted
* No audit trail
👉 **Fix:** Share via password manager vaults
—
### ❌ 3. Not removing access when staff leave
Ex-employees still have:
* Saved credentials (in their browser, on their phone, in their head)
* Access to systems
👉 **Fix:** Remove their password-manager account and system access the same day, then rotate every shared password they could see
—
### ❌ 4. Overcomplicating it
Teams get overwhelmed:
* Too many rules
* Too much change
👉 **Fix:** Keep it simple:
* One tool
* One process
—
### ❌ 5. Not backing up access
If the master account is lost:
* You’re locked out of every password at once
👉 **Fix:**
* Set recovery options and keep the recovery codes / emergency kit offline (printed, in a safe), not inside the vault they recover
* Assign a second admin account, so one person leaving or losing their device cannot lock out the business
—
## 🧠 Simple Rule for Your Business
> If two systems share the same password — you have a vulnerability.
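As an added example that is not part of the original post, a small Python audit for the Day 7 cleanup: it reads a vault export as CSV, flags any password used by more than one entry, and flags short or obviously bad ones. The sample export, the column names (the Bitwarden CSV layout is assumed) and the blocklist are constructed for the example; adapt the column names to whatever your tool produces.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample of a vault export. The column names follow the Bitwarden CSV
# layout (name, login_uri, login_username, login_password); other tools differ, so
# pass your own column names to load_entries. These are made-up entries, not real credentials.
SAMPLE_EXPORT = """name,login_uri,login_username,login_password
Microsoft 365,https://login.microsoftonline.com,jo@example.com,Summer2024!
Xero,https://login.xero.com,jo@example.com,Summer2024!
MYOB,https://my.myob.com,jo@example.com,Summer2024!
Supplier Portal,https://portal.supplier.example,accounts,Password123
Bank,https://bank.example,jo@example.com,vR7#kL2pQ9!mXw4zTb
"""

# Tiny constructed blocklist of the patterns the post tells you to forget.
# A real audit would check against a large breached-password corpus instead.
BLOCKLIST = {"password", "password123", "companyname2024", "welcome1", "letmein"}
MIN_LENGTH = 14  # assumed policy for this example


def fingerprint(password: str) -> str:
    """Short SHA-256 prefix so a report can refer to a reused password without containing it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()[:12]


def load_entries(csv_text: str, name_col: str = "name", password_col: str = "login_password"):
    """Yield (entry name, password) pairs from an export, skipping rows with no password."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        pw = (row.get(password_col) or "").strip()
        if pw:
            yield (row.get(name_col) or "<unnamed>"), pw


def find_reuse(csv_text: str) -> dict:
    """Return {fingerprint: [entry names]} for every password used by more than one entry."""
    by_password = defaultdict(list)
    for name, pw in load_entries(csv_text):
        by_password[pw].append(name)
    return {fingerprint(pw): sorted(names) for pw, names in by_password.items() if len(names) > 1}


def find_weak(csv_text: str, min_length: int = MIN_LENGTH, blocklist=BLOCKLIST) -> list:
    """Return [(entry name, reason)] for passwords that are short or on the blocklist."""
    findings = []
    for name, pw in load_entries(csv_text):
        reasons = []
        if len(pw) < min_length:
            reasons.append(f"shorter than {min_length} characters")
        if pw.lower() in blocklist:
            reasons.append("on the blocklist")
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    # The report names entries and a hash prefix, never the password itself.
    for fp, names in find_reuse(SAMPLE_EXPORT).items():
        print(f"REUSED  {fp}: {', '.join(names)}")
    for name, reason in find_weak(SAMPLE_EXPORT):
        print(f"WEAK    {name}: {reason}")
```

A vault export is plaintext, so run this on a trusted machine and delete the file as soon as the cleanup is done. Where your plan includes them, the managers' own reports (Bitwarden's vault health reports, 1Password's Watchtower) do the same job without an export; the script is for a one-off pass over an existing spreadsheet or a fresh export on Day 7.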
—
## What You Should Do This Week
### Day 1:
* Choose a password manager
### Day 2:
* Set up company vault
### Day 3–4:
* Add key systems
### Day 5:
* Replace passwords with unique ones
### Day 6:
* Roll out to staff
### Day 7:
* Clean up shared / old credentials
—
## The Outcome
After just one week:
* Password reuse → **eliminated** for the systems you migrated
* Credential stuffing → **significantly reduced** (a leaked password now opens one account, not all of them)
* Access control → **improved immediately** (you can see, and remove, who has what)
—
## Final Thought
Cybersecurity isn’t about remembering better passwords.
It’s about:
👉 **Not needing to remember them at all**
—
**Next:**
👉 *Week 3: If You Get Ransomware Tomorrow, Could You Recover?*
**Previous:**
👉 *Week 1: Lock the Front Door — MFA Setup Guide for SMEs*
**Need help setting this up across your business?**
IQ People helps SMEs implement simple, effective cybersecurity practices — without complexity.
