Password management in a nutshell

Use a password manager to create and store strong, unique passwords for every account. Enable multi-factor authentication when available and learn to spot social engineering scams. This combination gives you the strongest protection with the least friction, allowing you and your employees to secure accounts without relying on weak, reused passwords.

It’s easy to feel overwhelmed by the number of online accounts you maintain for business and personal use. Between social media, streaming platforms, news sites, banking, shopping, and all manner of apps, memberships, and subscriptions, it’s not possible to remember so many passwords.

One popular solution is to use weak, easy-to-remember passwords, or to repeat the same password across dozens of accounts, but these ‘solutions’ only make your accounts easier to hack: if one site is compromised, every account that uses the same credentials is compromised too.

Fortunately, there are plenty of ways to keep your passwords and accounts secure, and they’re easy to set up and manage.

What you need to know

  • Use a password manager to generate and store unique hashes for all accounts.
  • Popular password managers with zero-knowledge end-to-end encryption include 1Password, Bitwarden, Dashlane, Enpass, LastPass, NordPass, and Proton Pass.
  • Paid plans for businesses using these apps start at $1.99 per user, but can cost up to $9 per user or more based on your business size and needs.
  • To further protect your accounts, enable multi-factor authentication (MFA) when available and learn to spot common social engineering scams.

How to create a strong password

A strong password is one that fulfills the following requirements:

  1. 15+ characters long. Most sites require passwords that are at least 8 characters long, but passwords that are double that length (or more) are exponentially more difficult for hacking software to crack.
  2. Combines character types. Hackers are well-equipped to guess predictable sequences of letters—to throw them off, mix uppercase, lowercase, numbers, and special characters.
  3. Unpredictable. Much like Large Language Models, password cracking software is trained to decipher language based on predictability. Using common phrases and character replacements makes your passwords vulnerable.
  4. Unique to one account. Do not reuse passwords across accounts, especially sensitive accounts like those used for banking, business, and identification.

Given these, the best option for a strong password is to use a 15-character-or-longer hash for each account. Hashes are randomized strings of characters, making them difficult to crack. For example, password cracking software running on a modern computer could decode the simple 9-character passphrase yankeefan within five minutes. A 16-character version that uses symbols and numerals, #1worldyankeefan, could take as long as five years to crack—the 16-character hash, *AWf2pCdXXGTne1E, up to five hundred years.
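As an added illustration (not code from the original article), the following Python checker applies the four requirements above to a candidate password and compares the brute-force search space of the three example passwords. The fragment list and the leetspeak map are constructed assumptions standing in for a real breached-password list.

```python
import math
import secrets
import string
from collections.abc import Container

# Character classes the article says a strong password should mix.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
MIN_LENGTH = 15  # the article's "15+ characters" requirement

# Constructed sample of predictable fragments (assumption); a real deployment
# would check against a breached-password list instead.
COMMON_FRAGMENTS = ("password", "yankee", "qwerty", "letmein", "welcome")
# Undo common character replacements (@->a, $->s, 1->l, 0->o, !->i) so that
# "p@$$w0rd" is still recognised as "password".
SUBSTITUTIONS = str.maketrans("@$10!", "asloi")


def generate_password(length: int = 16) -> str:
    """Generate a random password drawn from the OS CSPRNG that uses all four classes."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CLASSES.values()):
            return candidate


def search_space_bits(password: str) -> float:
    """log2 of the brute-force search space implied by the length and classes used."""
    pool = sum(len(cls) for cls in CLASSES.values() if any(c in cls for c in password))
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str, vault: Container[str] = frozenset()) -> list[str]:
    """Return the article's requirements that `password` fails (empty list = strong)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too short")
    if sum(any(c in cls for c in password) for cls in CLASSES.values()) < 3:
        failures.append("too few character types")
    normalized = password.lower().translate(SUBSTITUTIONS)
    if any(frag in normalized for frag in COMMON_FRAGMENTS):
        failures.append("contains a predictable phrase")
    if password in vault:  # `vault` holds passwords already in use on other accounts
        failures.append("reused")
    return failures
```

The bit count measures search space only; the crack times quoted in the article depend on the cracking tool and hardware, which this block does not model.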

Use a password manager

Account theft can be dire, but having to remember hundreds of hashes might seem even more oppressive. Instead, use a password manager. That way, you’ll only need to remember one master password to access your vault, where your credentials are protected using zero-knowledge end-to-end encryption, meaning even the password manager’s developers can’t see your information.

Best password managers for small businesses

Popular password managers include 1Password, Bitwarden, Dashlane, Enpass, LastPass, NordPass, and Proton Pass. Each of these apps includes a desktop app, a mobile app, and a browser extension, allowing you to seamlessly access your vault wherever you’re working. All are compatible with Windows, iOS, and Linux.

Password manager | Monthly cost for business plans (billed annually)
1Password        | Business: $7.99 flat rate; Teams: $19.95 flat rate
Bitwarden        | Teams: $4 per user; Enterprise: $6 per user
Dashlane         | Password management: $8 per user; Enterprise: Contact for custom pricing
Enpass           | Business Plan: $1.99 per user; Large Enterprises: Contact for custom pricing
LastPass         | Teams: $4.25 per user; Business: $7 per user; Business Max: $9 per user
NordPass         | Teams: $1.99 per user; Business: $3.99 per user; Enterprise: $5.99 per user
Proton Pass      | Pass Essentials: $1.99 per user; Pass Professional: $4.49 per user

If your business uses Google Suite, you may be tempted to use the free and integrated Google Password Manager, but this application does not use zero-knowledge encryption, nor does it enable end-to-end encryption by default. Many internet browsers also offer integrated password managers, but these pose similar security risks. Use the browser extension for your dedicated password manager instead.

Why should I securely store my passwords?

You may be wondering whether password security is worth the headache. First, using a password manager ensures that managing unique sign-in credentials is easier and simpler than ever before. Second, a data breach resulting from poor password security can erode your business’s credibility among customers and vendors, and fixing such a breach can mean substantial legal, technical, and reputational expenses.

Don’t panic—just by using a password manager to generate and store hashed passwords, your business will be generally protected from attacks like these:

  • Account takeover fraud: Weak or reused passwords make it easy for attackers to access your accounts and lock you out.
  • Financial fraud: Hackers can initiate unauthorized payments, withdrawals, or purchases from compromised accounts.
  • Credential stuffing attacks: If you reuse passwords, a breach on one site can expose multiple accounts.
  • Data breaches: Sensitive business and customer data can be accessed, stolen, or leaked.
  • Identity theft: Attackers can impersonate your business to open accounts, apply for credit, or commit fraud.
  • Operational disruption: You may lose access to critical tools (banking, payroll, email), slowing or halting operations.

More password management best practices

The possibility of an account hack shouldn’t keep you awake at night. If you and your employees use a password manager filled with strong passwords, your business will be much safer than most, but strong passwords aren’t your only shield from cyberattacks. Here are three easy ways to improve your business’s password security even more:

1. Don’t require regular password changes

Until recently, conventional wisdom encouraged business owners to mandate changing passwords every six months or so. This is no longer the consensus among cybersecurity experts, who suggest mandatory password changes only if a website or account has been compromised. The reason for this change is that it can take your employees or customers a long time to change all of their passwords, which encourages half-hearted password security practices.

In 2024, the National Institute of Standards and Technology, a standards agency of the United States Department of Commerce, issued a new draft of SP 800-63, Revision 4: a proposed update to the cybersecurity guidelines that govern federal information systems. For business owners who want up-to-date cybersecurity guidance, Section 3: “Authenticator and Verifier Requirements” is an in-depth, applicable resource.

2. Enable multi-factor authentication when available

In cybersecurity, an authenticator is anything that you possess that can prove your identity. A password is one type of authenticator. Many accounts allow you to use an additional authenticator by enabling multi-factor authentication (MFA).

You’ve probably used MFA before—the most common additional authenticators used include:

  • A one-time password (OTP) accessed via an authenticator app, email, or SMS
  • Biometrics, such as facial or fingerprint recognition
  • A second password, pattern, or PIN

Which authenticator app should you use for business?

Use any authenticator app that employs zero-knowledge end-to-end encryption, such as Aegis (Android only), Authy, Bitwarden Authenticator, Ente Auth, and Proton Authenticator. Only install authenticators on devices accessible by you and no one else.

Duo Mobile, Google Authenticator, and Microsoft Authenticator do not use zero-knowledge end-to-end encryption, and are therefore not recommended.

3. Learn to spot social engineering scams (and never share your password)

Train yourself and your team to recognize social engineering scams, such as spoofing attacks and pig butchering scams. Don’t give out personal or sign-in information unless you’ve verified where the message is coming from. If you need multi-user access to a platform, use one that supports unique sign-in credentials for each user.

Neither Bluevine nor any reputable company will ever ask for your password.

Secure business checking with MFA, 256-bit encryption, and dedicated sign-in credentials for your team.

Password security FAQs

Which password manager is the best for a small business?

Small businesses should use a password manager that uses zero-knowledge end-to-end encryption, such as Bitwarden, Proton Pass, LastPass, 1Password, NordPass, Enpass, or Dashlane. Each of these options has business-friendly plans for sharing, MFA support, and vault controls, and is compatible with Windows, iOS, and Linux.

Can the company that makes the password manager see your passwords?

For password managers that use zero-knowledge end-to-end encryption—including 1Password, Bitwarden, LastPass, NordPass, Dashlane, Enpass, and Proton Pass—the provider cannot read your passwords. Password managers such as Google Password Manager use encryption but not a zero-knowledge form.

Is Google Password Manager enough for a small business?

Google Password Manager is convenient, free, and integrated with Google Chrome and the Google Suite. However, it is not as business-focused or private as other dedicated password managers, and lacks the same depth of admin controls and shared-vault workflow.

Which password manager is best if your team shares a lot of accounts?

NordPass, Bitwarden, Proton Pass, Dashlane, and LastPass all have strong shared-vault or secure-sharing workflows. If you want built-in authenticator support plus business sharing in one place, NordPass, Bitwarden, and Proton Pass are especially clean fits.

Are open-source password managers okay for business use?

Being open source can give you more transparency into a software’s security model. That does not automatically make the security of proprietary products weak, but open source password managers such as Bitwarden can be attractive if your business values auditability and privacy.

Disclaimer

This content is for educational purposes only and should not be construed as professional advice of any type, such as financial, legal, tax, or accounting advice. This content does not necessarily state or reflect the views of Bluevine or its partners. Please consult with an expert if you need specific advice for your business. For information about Bluevine products and services, please visit the Bluevine FAQ page.
