
In our article “Why Growing Businesses Stand to Save Big by Being Proactive with Security,” we looked at a few ways businesses can engage IT professionals to help beef up their security against costly cyberattacks.

“It’s true that no business is completely immune to an attempted attack. However, some have more to lose: 60% of small businesses go out of business within six months of a cyberattack. It’s those without a good defense or recovery plan that often can’t bounce back. So what can they do to protect themselves?”

Firewalls, encrypted connections, and breach-detection measures are all smart investments that can help keep your business more secure. But one of the biggest security threats to businesses by far—in fact, it’s responsible for 81% of hacking-related breaches—comes from the inside.

The culprit is weak passwords. Businesses can make all the security upgrades money can buy, but if employee password behaviors are leaving them vulnerable, those efforts will be moot.

There’s a simple solution many companies overlook: enforcing strong passwords with a password manager.

What Makes Passwords Weak?

Breaches are crippling U.S. businesses, with the average cost of a breach exceeding $7 million. A review of the evidence from these breaches points to weak passwords as a leading cause.

Passwords are considered weak or easily guessable if they…

  • Are too short
  • Use “dictionary” words or simple passphrases
  • Don’t use enough different characters or numerals
  • Use obvious, easy-to-guess replacement characters (e.g., “F@v0r1t3” instead of “Favorite”)
  • Include personally identifiable information such as a street address, a family member’s name, or a pet’s name
  • Are used in multiple places (such as personal and work accounts)
  • Include the username for the account
  • Use repeated characters or sequential letters or numbers (e.g., 1234, ABCD)
  • Are stored on your laptop in an unencrypted file, on paper, or in your browser
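
The criteria above that depend only on the password itself and its account context can be checked mechanically, for instance when a password is created or scored. The following Python is an added example, not code from this article or from any password manager; the word list, the 12-character minimum, the substitution table, and the function names are assumptions chosen for illustration.

```python
import re

# Constructed sample data: a tiny word list standing in for a real dictionary.
COMMON_WORDS = {"favorite", "password", "welcome", "dragon", "summer"}
# Obvious replacement characters mapped back to the letters they stand for.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "i", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})
MIN_LENGTH = 12  # assumed policy value, not taken from the article


def has_sequence(pw, run=4):
    """True if pw holds `run` repeated or ascending characters (aaaa, 1234, ABCD)."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({0}, {1}) and chunk.isalnum():
            return True
    return False


def weaknesses(password, username="", personal_info=(), used_elsewhere=()):
    """Return the weak-password criteria from the list that `password` meets."""
    found = []
    low = password.lower()
    normalized = low.translate(LEET)  # undo "F@v0r1t3"-style substitutions
    if len(password) < MIN_LENGTH:
        found.append("too short")
    if any(w in low for w in COMMON_WORDS):
        found.append("dictionary word")
    elif any(w in normalized for w in COMMON_WORDS):
        found.append("dictionary word with obvious replacements")
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    if sum(bool(re.search(c, password)) for c in classes) < 3:
        found.append("too few character types")
    if any(p and p.lower() in low for p in personal_info):
        found.append("contains personal information")
    if password in used_elsewhere:  # e.g. other entries in the user's own vault
        found.append("reused on another account")
    if username and username.lower() in low:
        found.append("contains username")
    if has_sequence(password):
        found.append("repeated or sequential characters")
    return found


if __name__ == "__main__":
    print(weaknesses("F@v0r1t3"))
    print(weaknesses("jsmith1234", username="jsmith"))
```
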

You’re probably wondering how it’s possible to verify employees are using strong passwords without invading their privacy. There is a way to enforce certain behaviors and ensure they’re not reusing passwords across accounts: enterprise-grade password managers.

How Password Managers Can Help

With weak passwords leading to more breaches, if you’re not taking steps to enforce strong passwords, you’re leaving your business vulnerable.

“Among the simpler precautions small businesses and consumers alike can take [to prevent data breaches] is to create strong passwords. That has long been the advice of security experts but many say it is stunning how many people and small businesses fail to heed the advice.” (“No Business Too Small for a Breach,” the New York Times)

Password managers support better password habits, which make life difficult for data thieves. And they don’t require you to implement complex, time-consuming password policies that are difficult to enforce—especially in employees’ personal lives, where people commonly use the same passwords they use for work.

There are password managers for businesses of all sizes, with some that offer convenient administrative oversight to IT and security departments.

Some of the features can be pretty convenient:

  • Users can create complex passwords for each account or have them auto-generated. Each user can store passwords for multiple apps and sites, all protected behind a master password he or she creates.
  • Randomly generated unique passwords for each account prevent the reuse of simple, easy-to-remember passwords, which was the cause of the 2016 Dropbox breach. Some password managers even allow employees to create separate “areas” for personal and business passwords, then block passwords from being shared between the two.
  • Automatic, secure log-ins mean users do not need to remember or enter passwords each time.
  • When it’s time to change a password, a password manager can automatically update it so employees don’t have to.
  • Some password managers give employees scores for their passwords, with low scores for those being reused for multiple accounts. Admins can be notified of low scores to make sure those get improved.
  • If a master password is forgotten, there are secure account-recovery options.
  • Passwords are no longer stored in an unprotected local file or on paper that can easily be lost. Password managers typically encrypt the passwords in the cloud.
  • The password manager will send an alert whenever a site for which a password is saved suffers a security breach.