Business IT Support in Toronto, Durham Region +

Password Security Tips For Small Business

password login screen

A single password can unlock access to your network, email and company data.

Every password should be created and managed with that in mind. This article offers up to date password research and password security tips for small business owners to help you improve data security.

Are all your staff members using strong passwords? Password hacking is one way cybercriminals gain access to accounts. A well-developed password policy can help you combat this threat.

Strong IT security has multiple layers. Where one fails, another succeeds at stopping a breach. Your password policy is one layer. These tips will help you develop your small business password policy.


In some cases, MFA  is now mandatory, and that is a win for IT security.

The info in your company email and accounts is valuable. Deals, financial records, account numbers, client contact information. The loss potential is enormous.

MFA or 2FA can help prevent unauthorized users from accessing company mailbox or other data in the cloud. While there are some ways to spoof and bypass 2FA via text message, for the most part, MFA remains effective in protecting accounts, even when a account password is breached or leaked on the dark web.

2FA is free to setup and use with mobile apps. Simply install Microsoft or Google authenticator from app store and then follow the guide.  Use MFA on every account it is available on.

Do Not Use These Words

Below are lists of the top most commonly cracked and leaked to the darkweb passwords. Ensure your team is not using these common words of passwords, including words like password, admin, letmein and character strings like qwerty, 123456, and password123.

image of text - list of banned words for secure passwords

The Best Way To Use Numbers & Symbols In Passwords

When the recommendation to add numbers, symbols and upper case characters to passwords first came out, they helped for awhile. However, the character swaps were predictable, and in a few years, automated password cracking tools could easily predict these character swaps.

For example, going from “apple” to “@pple” or from “password” to “Password1234” improved security for awhile. Soon, automated software made these simple character swaps easy to crack. 

Now we know that adding complex characters is only effective when the passwords is long and strong enough overall.

These predictable swaps are easy to crack with today’s automated password cracking tools.

Character swaps must be unpredictable, in already secure passwords made of random words or strings of characters.

Always use numbers and special characters in addition to an already strong password, and in unexpected places, not as a substitution for a character.

e.g. ‘3teal hEadSnaKes and iCe 4739@’ is a good example of a password using random words and upper case and numerical characters in unexpected places. “Password1234” is not.

How long should a password be?

Building on random and unpredictable characters, we still need to use recommended minimum password lengths to keep malicious users from brute force accessing their way into your accounts.

Previously, 8 character passwords were recommended, however research has shown that 10 + character passwords are significantly harder to crack. In 2017, it would have taken 4 years to crack a 10 character password. Not anymore.

Every account needs a 12 character or longer password with at least one:

  • Symbol
  • Number
  • Upper case character
  • Lower case character


Anything less is too much risk.

Reused Passwords Create Risk

You do not want anyone on your team to use the same password for any two accounts because this makes life easier for cyber criminals. It’s like giving them a master key to multiple accounts.

Let’s say Joe uses his home computer password as his work computer password as well. Joe visits lots of entertainment sites on the weekend, some of which inject drive by malware on to Joe’s computer. Eventually, his personal email address is compromised. From there, hackers discern Joe’s place of employment. They target that account. Because Joe reused his password, they get in. Now your business is compromised.

Encourage staff to use strong passwords with these 3 tips. 


Create an Acceptable Use Policy and Password Policy as part of your HR manual. Use them to raise awareness and compliance.


Make it easier for them by using a password manager for teams


Make it easier for them by using Single Sign On. SSO also makes staff offboarding easier and more secure for your business.

How Often You Should Change Passwords

Just a few years ago, it was thought that password age had a significant impact on password security. Most Network Administrators set passwords to expire every ninety (90) days to thwart any password cracking software running unnoticed on a network.

New research shows that if password length and strength is sufficient, it can take years to crack a password.

Less frequent changes of long and secure passwords lessens the burden on staff.

The caveat is that every person on your team must follow secure password protocols. Are they?

Centralized User Authentication & Identity Management

With Azure Active Directory and Microsoft InTune, additional authentication parameters can be added to protect your business. For example, even with the right password, a device logging in from a different country or from a device not listed in your company’s IT fleet will be blocked. This reduces risk when a password is compromised. 

Here at TUCU Managed IT Services in Toronto, we use Identity Management tools and apply these types of conditional access policies for all our fully managed IT  clients. Reach out to speak to us about your IT and cloud security.


More Posts

Free Consultation

Get IT Solutions for your business.