Managing passwords for a business is a real headache, isn’t it? You’ve got employees using different devices, accessing various services, and the pressure to keep everything secure is immense. One slip-up, and you could be looking at a massive data breach, not to mention the damage to your company’s reputation. This is where a business password manager comes in, acting as a digital bodyguard for your organisation’s sensitive information. But what exactly is it, and how does it actually slash your cyber risk?
The Password Problem: Why Your Business is More Exposed Than You Think
Password security remains one of the most persistent and underestimated vulnerabilities in UK business IT. Despite widespread awareness of the risks, the same patterns recur across organisations of every size: passwords reused across multiple accounts, simple passwords chosen for convenience, credentials shared between colleagues, and no systematic process for managing or rotating access when staff leave.
The consequences are well-documented. The UK’s National Cyber Security Centre (NCSC) consistently identifies credential compromise as one of the leading causes of cyber incidents affecting UK businesses. When an attacker obtains a valid username and password – whether through a phishing attack, a data breach at a third-party service, or brute-force techniques – they have legitimate access to your systems. No firewall will stop them.
Find Out How Exposed You Really Are: Our Password Audit Service
Most business owners are surprised – and usually a little alarmed – when they see the results of a password audit. We can run an audit against your user accounts to identify weak, reused, or commonly breached passwords that are putting your business at immediate risk right now. But it goes further than just checking password strength. We can also scan your file systems and shared drives to detect where staff are storing passwords in plain sight – whether that’s a spreadsheet labelled ‘passwords.xlsx’, a text file on the desktop, or a shared Word document that’s been sitting on the server for years. It’s a problem in almost every business we work with, and most owners have no idea it’s happening. The audit gives you a clear, concrete picture of your real exposure – and a compelling reason to act.
Block Bad Passwords in Microsoft 365
If your business uses Microsoft 365, there’s a quick win available that many organisations don’t know about. Microsoft Entra ID (formerly Azure AD) applies a global banned password list, maintained by Microsoft from real attack data, to every cloud password change and reset. You can also add a custom banned list of your own terms: your company name, your town, your industry, your product names. The custom list needs a Microsoft Entra ID P1 or P2 licence, and the same checks can be extended to on-premises Active Directory domain controllers with the Entra Password Protection agent. Bear in mind that it only rejects passwords built around known bad words, not weak passwords in general, so it won’t replace a password manager, but it is a fast layer of protection that every 365 tenant should have switched on.
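To see why adding your company name and town matters, here is an added illustration of the scoring Microsoft documents for Entra Password Protection: the password is lower-cased, common look-alike substitutions are undone, every banned word found counts one point, every leftover character counts one point, and anything under five points is rejected. This is a re-implementation of the published rules written for this article, not Microsoft’s code, and it leaves out the edit-distance-of-one fuzzy match and the check against the user’s own name. The global list is a tiny constructed sample, and the custom list belongs to a hypothetical firm, “Contoso Plumbing” in Reading.

```python
"""Illustration of Entra Password Protection's documented banned-password
scoring. Not Microsoft's code; lists below are constructed samples."""

# Character substitutions applied before matching, as documented by Microsoft.
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "l", "$": "s", "@": "a"})

GLOBAL_BANNED = ["password", "welcome", "summer", "letmein", "qwerty", "blank"]
CUSTOM_BANNED = ["contoso", "plumbing", "reading"]  # hypothetical tenant list


def normalise(password: str) -> str:
    """Lower-case the password and undo the common look-alike substitutions."""
    return password.lower().translate(SUBSTITUTIONS)


def score(password: str, banned=None):
    """Return (points, matched_tokens).

    Each banned token found counts one point and every character left over
    counts one point. Entra rejects anything scoring fewer than five points.
    """
    banned = banned if banned is not None else GLOBAL_BANNED + CUSTOM_BANNED
    text = normalise(password)
    matched = []
    # Longest tokens first so a long banned word is not fragmented by a shorter one.
    for token in sorted(banned, key=len, reverse=True):
        occurrences = text.count(token)
        if occurrences:
            matched.extend([token] * occurrences)
            text = text.replace(token, "\x00")  # placeholder: earns no character points
    leftover = text.replace("\x00", "")
    return len(matched) + len(leftover), matched


def is_allowed(password: str, banned=None) -> bool:
    points, _ = score(password, banned)
    return points >= 5


if __name__ == "__main__":
    for candidate in ["C0ntosoBlank", "ContoS0Bl@nkf9!", "Contoso1!",
                      "Reading2024!", "Winter-Pebble-Harbour"]:
        points, matched = score(candidate)
        verdict = "allowed" if points >= 5 else "REJECTED"
        print(f"{candidate:24} {points:2} points  matched={matched}  {verdict}")
```

Run it and note the last two results: “Reading2024!” scores six points under these rules (one for the banned word, five for the leftover characters) and goes through, while the three-word passphrase sails past because nothing in it is on any list. The banned list is a floor that removes the worst guesses; it is not a measure of strength, which is the gap a password manager fills.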
How to Create a Password That’s Actually Secure: The Three Random Words Method
Let’s be honest, trying to remember a different, complex password for every single online account is a nightmare. Most people end up using variations of the same few passwords, or something simple like a pet’s name or a birthday. The hard truth is that a password you can remember because it means something to you (a name, a date, a team) is exactly the kind attackers try first. Their automated tools work from lists of leaked passwords and common patterns, and they can guess these in seconds.
Instead of trying to remember complicated strings of characters, the NCSC recommends a passphrase made of three random words. The idea was popularised by the xkcd comic “correct horse battery staple” (which used four words). It’s incredibly simple and effective:
- Easy to remember: “Coffee-Window-Holiday” is far easier to recall than “J%7*pL!4”.
- Incredibly hard to crack: three genuinely random words make a long password (typically 15 to 25 characters) with none of the predictable patterns that cracking tools try first, such as a capital at the start and a digit and symbol at the end. The strength depends on the words being picked at random rather than for their meaning, and on the vocabulary being large: three words from a 10,000-word list give 10^12 possible combinations, far beyond online guessing and beyond most offline attacks against properly hashed passwords.
The problem? You still need a different three-word passphrase for every single service you use. And that’s where a password manager becomes essential.
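The following added example, written for this article and not taken from NCSC or any product, generates a three-random-words passphrase and a manager-style random password with the operating system’s cryptographic random number generator, and puts numbers on how strong each is. The word list is a constructed sample of twenty words and far too small for real use; the comparison assumes a 7,776-word list, the size of the EFF long word list, and the guess rates in the comparison are illustrative assumptions.

```python
"""Three-random-words and random-password generation with strength figures.
Added example; WORDS is a constructed sample, guess rates are assumptions."""
import math
import secrets
import string

WORDS = [
    "coffee", "window", "holiday", "pebble", "harbour", "lantern", "maple",
    "orbit", "velvet", "thunder", "biscuit", "glacier", "compass", "meadow",
    "saddle", "ember", "tunnel", "whisker", "canvas", "marble",
]  # constructed sample: 20 words; a real list has thousands


def three_random_words(words=WORDS, separator="-"):
    """Pick three words uniformly with the OS CSPRNG (never random.choice)."""
    return separator.join(secrets.choice(words).capitalize() for _ in range(3))


def random_password(length=16,
                    alphabet=string.ascii_letters + string.digits + string.punctuation):
    """What a password manager generates when nobody has to remember the result."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def combinations(vocab_size, n_words):
    """Size of the search space for n words drawn from a vocabulary."""
    return vocab_size ** n_words


def entropy_bits(vocab_size, n_words):
    """Entropy of n independent, uniformly chosen words (or characters)."""
    return n_words * math.log2(vocab_size)


def expected_crack_seconds(vocab_size, n_words, guesses_per_second):
    """Expected time for an attacker who knows the word list and tries half the
    space on average."""
    return combinations(vocab_size, n_words) / 2 / guesses_per_second


def comparison():
    """Strength of the cases discussed in the text. Assumed rates: about 100
    guesses/s for a rate-limited online login, about 10,000/s for an offline
    attack on a slow hash such as bcrypt."""
    day = 86_400
    return {
        "3 words of 7776 (bits)": entropy_bits(7776, 3),
        "4 words of 7776 (bits)": entropy_bits(7776, 4),
        "8 random chars of 95 (bits)": entropy_bits(95, 8),
        "16 random chars of 95 (bits)": entropy_bits(95, 16),
        "3 words, online guessing (days)": expected_crack_seconds(7776, 3, 100) / day,
        "3 words, offline bcrypt (days)": expected_crack_seconds(7776, 3, 1e4) / day,
        "4 words, offline bcrypt (days)": expected_crack_seconds(7776, 4, 1e4) / day,
    }


if __name__ == "__main__":
    print("passphrase:", three_random_words())
    print("generated :", random_password())
    for label, value in comparison().items():
        print(f"{label:36} {value:,.1f}")
```

Two things the figures show. Three words from a 7,776-word list carry about 39 bits, which is decades of work against a rate-limited login but under a year for an offline attack on a slowly hashed database, so add a fourth word (52 bits) for the accounts that matter most. And a 16-character random string from the manager carries over 100 bits, which is why the manager should generate the passwords nobody needs to type.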
What a Business Password Manager Actually Does
A business password manager is a centralised, encrypted vault that stores credentials for all the applications and services your organisation uses. It generates strong, unique passwords (or passphrases) for each account, autofills them when required, and provides administrators with visibility and control over organisational credentials. The key capabilities are:
- Strong, Unique Password Generation: Automatically creates cryptographically strong, random passwords or three-word passphrases for every account. Because the password manager remembers them, staff do not need to.
- Centralised Credential Management: When a member of staff leaves, an administrator can immediately revoke their vault access, so they lose the shared credentials at the same moment their account is disabled. Revocation removes future access, not knowledge: any password the leaver could have viewed or copied should still be rotated, and a manager that reports which records each user could reach keeps that rotation list short rather than “everything”.
- Secure Credential Sharing: Allows credentials for shared accounts (like social media or supplier portals) to be shared between authorised users as autofill only, so the password is never displayed, pasted into chat or sent by email. Treat “hidden” as a friction control rather than a hard boundary: a determined user can still recover a password the browser fills in, so shared logins should move to individual accounts or single sign-on wherever the service supports them.
- Dark Web Monitoring: Most enterprise password managers include breach monitoring that alerts you when a stored credential appears in a known data breach, so it can be rotated immediately. A well-designed check compares a partial hash of the password against a breach corpus such as Have I Been Pwned, so the password itself never leaves the vault.
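The password audit described earlier and the breach monitoring above both rest on the same mechanism, so here is one added example of it: the k-anonymity range query offered by Have I Been Pwned’s Pwned Passwords API. The client hashes the password with SHA-1, sends only the first five hex characters, receives every known suffix for that prefix and does the match locally, so neither the password nor its full hash leaves the machine. This is example code written for this article, not HIBP’s or Keeper’s. The sample response is constructed; only the suffix for “password” is real, its count is made up, and the other lines are invented.

```python
"""Breached-password check via the HIBP k-anonymity range API.
Added example; SAMPLE_BODY is a constructed response used for the offline demo."""
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str):
    """First 5 hex characters go to the API; the remaining 35 stay local."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict:
    """Body is one 'SUFFIX:COUNT' per line; padded entries carry a count of 0."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real network call, not used by the offline demo. The Add-Padding header
    asks the service to pad the response so its size does not leak the prefix
    to anyone watching the network."""
    req = urllib.request.Request(
        API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "password-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API body for prefix 5BAA6. The first suffix is
# the real remainder of SHA-1("password"); the count and the other lines are
# invented, and the 0-count line mimics a padding entry.
SAMPLE_BODY = """1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
00000A1B2C3D4E5F60718293A4B5C6D7E8F:12
FFFFF0123456789ABCDEF0123456789ABCD:0
"""


def fetch_range_offline(prefix: str) -> str:
    return SAMPLE_BODY  # returned for any prefix in this offline demo


def audit(passwords, fetch_range=fetch_range_offline) -> dict:
    """Map each candidate password to its breach count: the core of an audit."""
    return {p: breach_count(p, fetch_range) for p in passwords}


if __name__ == "__main__":
    for pw, n in audit(["password", "Coffee-Window-Holiday"]).items():
        print(f"{pw:24} {'BREACHED x' + str(n) if n else 'not found'}")
```

Swap `fetch_range_offline` for `fetch_range_live` to query the real service. For an audit against a directory, the same hash-and-compare runs over the stored hashes rather than plaintext passwords, and a non-zero count is a reason to force a change, not merely to warn.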
What Features Does Keeper Password Manager Have?
The market for business password managers is mature, but not all solutions are created equal. We recommend Keeper Security to our clients – it is the solution we use and trust ourselves. When evaluating any password manager for business use, here are the features that matter:
- Zero-Knowledge Architecture: This is the most important feature. It means the password manager company itself cannot access your stored passwords, even if they wanted to. Your data is encrypted and decrypted on your device with a key derived from your master password, so the provider only ever holds ciphertext it cannot read. The flip side is that the master password is the single key to everything and the provider cannot recover it for you: make it a long passphrase used nowhere else, and protect the vault itself with MFA.
- Admin Console and Role-Based Access: You need a central dashboard to enforce password policies, manage user access, and audit credential usage across the organisation. The ability to set granular permissions (who can see what) is essential.
- Directory Integration: For seamless user provisioning and management, the password manager should integrate with your existing Active Directory or Microsoft Entra ID (formerly Azure AD) environment, ideally with single sign-on, so that disabling a user in the directory also cuts off their vault access.
- Family Plan for Staff: One of the best ways to encourage good password hygiene is to provide a free family plan for your staff to use at home. This helps them secure their personal lives and brings the security mindset back to the office.
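Zero-knowledge is the feature the list above puts first, so here is an added illustration of the pattern in working code: every key is derived from the master password on the client, the server receives only a salt, a login verifier and an opaque encrypted blob, and a stolen copy of the server database yields nothing readable. This is written for this article and is not Keeper’s design or production cryptography: real vaults seal the blob with AES-256-GCM or XChaCha20-Poly1305, whereas this uses an HMAC-SHA256 keystream with a separate HMAC tag so that it runs on the Python standard library alone. The vault contents and master password are constructed.

```python
"""Zero-knowledge vault sketch: client-side key derivation, encrypt-then-MAC,
server sees only salt + verifier + ciphertext. Added example, not product code."""
import hashlib
import hmac
import json
import os

PBKDF2_ITERATIONS = 600_000  # OWASP's current minimum for PBKDF2-HMAC-SHA256
NONCE_LEN, TAG_LEN = 16, 32


def derive_keys(master_password: str, salt: bytes) -> dict:
    """Stretch the master password once, then split the result by label into
    three independent keys: one encrypts the vault, one authenticates it, and
    one is the only thing the server is ever shown."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, dklen=32)
    return {label: hmac.new(root, label.encode(), "sha256").digest()
            for label in ("enc", "mac", "auth")}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for AES-CTR)."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(keys: dict, vault: dict) -> bytes:
    """Encrypt on the device. The returned blob is what the server stores."""
    plaintext = json.dumps(vault).encode("utf-8")
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(keys["enc"], nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(keys["mac"], nonce + ciphertext, "sha256").digest()  # encrypt-then-MAC
    return nonce + ciphertext + tag


def unseal(keys: dict, blob: bytes) -> dict:
    """Verify the tag first; only then decrypt. Wrong key means no plaintext."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(keys["mac"], nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    stream = _keystream(keys["enc"], nonce, len(ciphertext))
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, stream)).decode("utf-8"))


def register(master_password: str):
    """Client side of sign-up: returns the record the server stores and the keys
    that stay on the device. The auth key is hashed again before storage so a
    leaked database does not even yield a usable login token."""
    salt = os.urandom(16)
    keys = derive_keys(master_password, salt)
    server_record = {"salt": salt, "verifier": hashlib.sha256(keys["auth"]).digest()}
    return server_record, keys


def login(master_password: str, server_record: dict):
    """Re-derive keys from the salt the server hands back and prove knowledge
    of the auth key. Returns the keys on success, None otherwise."""
    keys = derive_keys(master_password, server_record["salt"])
    proof = hashlib.sha256(keys["auth"]).digest()
    return keys if hmac.compare_digest(proof, server_record["verifier"]) else None


def demo() -> dict:
    """Round trip, then show what a breach of the server would and would not give."""
    master = "Winter-Pebble-Harbour-Lantern"  # constructed
    record, keys = register(master)
    vault = {"supplier-portal": {"user": "accounts@example.test", "password": "pA7!kq9Zr2"}}
    blob = seal(keys, vault)
    round_trip = unseal(login(master, record), blob) == vault
    # Everything the server holds, as an attacker would obtain it:
    stolen = {"salt": record["salt"], "verifier": record["verifier"], "blob": blob}
    try:  # the attacker must guess the master password; nothing else unlocks the blob
        unseal(derive_keys("guess", stolen["salt"]), stolen["blob"])
        attacker_decrypts = True
    except ValueError:
        attacker_decrypts = False
    return {"round_trip": round_trip, "attacker_decrypts": attacker_decrypts,
            "wrong_password_rejected": login("guess", record) is None}


if __name__ == "__main__":
    print(demo())
```

The point of the split derivation is that the verifier the server keeps is a hash of a key the client never reuses, so a leaked database gives an attacker nothing to decrypt with and nothing to log in with; their only route is guessing the master password against 600,000 PBKDF2 iterations per attempt. That is also why the master password, not the provider, decides how safe the vault is.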
A password manager is the foundation of good credential security, but it’s not the whole story. To build a truly resilient defence, you need to layer other controls on top.
MFA: The Deadbolt on Your Digital Door
Multi-Factor Authentication (MFA) is like a deadbolt on your door. Even if an attacker steals your password (the key), they still can’t get in without the second factor, usually a code from an authenticator app on your phone. For any critical business system, MFA is not optional. Not all second factors are equal, though: a code sent by SMS or shown in an app can still be captured by a phishing page that relays it to the real site within its 30-second window, so prefer app-based push with number matching, and passkeys or hardware security keys for the accounts that matter most.
Passkeys: The Password That Can’t Be Phished
Passkeys are the next evolution in account security. A passkey is a cryptographic key pair: the private half stays on your device (or in your synced keychain) and is never typed into or sent to a website. When you log in, the device signs a one-time challenge that is tied to the site’s real domain, so a look-alike phishing page receives nothing it can replay; there is literally nothing for it to steal. It’s like a nightclub stamp that only shows up under the real club’s UV light, and a fake club can’t copy it. This is where you future-proof your security and protect against even the most sophisticated phishing attacks.
Don’t Forget Your Social Media Accounts
A compromised LinkedIn or Facebook Business page can be used to scam clients and cause serious reputational damage. Make sure these accounts are secured with a strong, unique password from your password manager, have MFA enabled, and that you regularly review who has access.
Cyber Essentials, the UK government-backed certification scheme, sets specific requirements for password security. Organisations must show that all accounts are protected by passwords that meet its minimum length requirements, backed by a technical control such as MFA or a deny list of common passwords, that default passwords on devices and software are changed before deployment, and that there is a process for handling compromised credentials. A business password manager, combined with a documented password policy, makes meeting these requirements straightforward and auditable.
Frequently Asked Questions
What is the best password manager for a UK small business?
For most UK small businesses, the best password manager is one that combines zero-knowledge security with a user-friendly interface and strong administrative controls. We recommend Keeper Security – it offers an admin console for policy enforcement, Active Directory integration for easy user management, a family plan for staff to use at home, and dark web monitoring built in. It is the solution we use ourselves and deploy for our clients across the UK. If you would like to see it in action, get in touch and we can arrange a demonstration.
Do I still need strong passwords if I have MFA?
Yes. MFA protects against an attacker using a stolen password, but it doesn’t stop the password from being stolen in the first place, and not every system supports MFA. Strong, unique passwords for every account, managed by a password manager, are a required layer of defence.
What happens if the password manager provider is hacked?
This is why you must choose a provider with a zero-knowledge architecture. If the provider is breached, the attackers only get a meaningless blob of encrypted data. They cannot access your actual passwords.
How do we share passwords securely within a team?
A business password manager allows you to share credentials securely. Team members can use the password without ever seeing it, and access can be revoked instantly when they leave the team or the company.
How do we get staff to actually use it?
Choose a tool with excellent browser integration that makes it seamless to use. Providing a free family plan is also a powerful incentive for adoption.
Isn’t the password manager built into Chrome enough?
Google’s built-in password manager in Chrome saves passwords for convenience, but it is not a business-grade solution. It has no admin console, no role-based access controls, and no way to share, manage or audit credentials across your organisation, and unless on-device encryption is switched on for the Google account, Google can decrypt the synced passwords. For a business, a dedicated password manager is essential.
Is a business password manager safe?
Yes – when you choose one with zero-knowledge architecture, your passwords are encrypted on your device before they ever reach the provider’s servers. Even if the provider were breached, attackers would only find encrypted data they cannot read. Combined with a strong master password and MFA on your vault, a business password manager is far safer than the alternatives.