Passwords are a solved problem. The solution exists, it is affordable, and most businesses are not using it. Meanwhile, compromised credentials remain the single most common cause of data breaches — not because attackers are especially sophisticated, but because the passwords they encounter are genuinely easy to crack.
Fixing this does not require technical expertise. It requires a password manager and about an hour of setup.
The Scale of the Problem
The numbers around password habits are consistently grim. Studies by the NCSC and various security researchers find that millions of people use “password”, “123456”, or their own name as credentials for business accounts. Surveys of breached credential databases show that enormous proportions of users reuse the same password across multiple services.
Reuse is the critical issue. When a website you registered for five years ago suffers a breach — and hundreds of thousands of sites have — attackers take the email and password combinations from that breach and systematically try them against banks, email accounts, cloud storage, and business applications. This is called credential stuffing. It is automated, fast, and devastatingly effective against anyone who reuses passwords.
How Attackers Crack Passwords
Brute force involves trying every possible combination until the correct one is found. Short passwords — six or seven characters — can be cracked in seconds with modern hardware. Length matters far more than complexity.
Dictionary attacks take wordlists — common words, known passwords, names, sports teams — and try them systematically, often with character substitutions (replacing “a” with “@”, for instance). If your password follows a predictable pattern, it will appear in a wordlist somewhere.
Credential stuffing uses credentials stolen from previous breaches rather than trying to guess. If you have used the same password on multiple sites, a breach of any one of them gives an attacker access to all of them.
Phishing bypasses all of the above by simply tricking you into entering your credentials directly into a fake site. A strong password offers no protection against this if you type it into the wrong box.
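The defensive counterpart to the wordlist and credential-stuffing problems above is to check, before a password is accepted, whether it already sits in a known-breach corpus. The Pwned Passwords range API does this with k-anonymity: the client hashes the password with SHA-1 and sends only the first five hex characters, then matches the remainder locally against the returned list of "SUFFIX:COUNT" lines. The code below is an added example, not part of the original article and not any vendor's implementation; the response body it matches against is constructed (the first suffix is the genuine remainder of SHA-1("password"), the counts and second line are invented), and `fetch_range` is the only part that touches the network.

```python
import hashlib
import urllib.request

# Range endpoint of the Pwned Passwords API. Only the first five hex characters of the
# SHA-1 are ever sent, so the service never learns which password was checked.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password. SHA-1 is simply the key the breach corpus is
    indexed by; it is not a recommendation for storing passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple:
    """(prefix, suffix): the 5-character prefix is the only part that leaves the device."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are ignored."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Number of times the password appears in the corpus, given the response for its range."""
    _, suffix = split_for_range_query(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup of one 5-character range (not used by the offline demo below)."""
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix, headers={"User-Agent": "password-breach-check-example"}
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def check_password_live(password: str) -> int:
    """Fetch the range for the password's own prefix and return its breach count."""
    prefix, _ = split_for_range_query(password)
    return breach_count(password, fetch_range(prefix))


# Constructed stand-in for the response to range 5BAA6 (the prefix of "password").
# The first suffix is the real remainder of SHA-1("password"); the counts and the
# second line are invented for this example.
CONSTRUCTED_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0123456789ABCDEF0123456789ABCDEF012:12
"""

if __name__ == "__main__":
    prefix, _ = split_for_range_query("password")
    print("prefix that would be sent to the service:", prefix)
    print("times 'password' appears in the constructed corpus:",
          breach_count("password", CONSTRUCTED_RANGE_RESPONSE))
```

A non-zero count is a reason to reject the password outright; a password manager's breach report does the same comparison for every entry in the vault. Note that each candidate must be matched against the response for its own prefix, which is why `check_password_live` fetches the range per password.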
What Makes a Password Strong
Length is the dominant factor. A random 16-character password is astronomically harder to brute-force than an 8-character password that includes symbols. The mathematics is straightforward: each additional character multiplies the number of possible combinations by the size of the character set.
Passphrases are an accessible approach: four or five random words strung together (“correct-horse-battery-staple” is the famous example) create a password that is long, relatively easy to remember, and resistant to brute force. They work well for accounts you must memorise, such as your master password.
For everything else — every website, every application, every account — the password should be random, unique, and generated by a machine. No human can reliably generate or remember hundreds of random passwords. That is precisely what a password manager is for.
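To put numbers on the three paragraphs above, here is an added example (not code from the original article) that computes the entropy of a random password or passphrase, turns it into an expected cracking time at an assumed guess rate of 10^10 guesses per second, and generates both kinds of secret from the operating system's CSPRNG the way a password manager's generator does. The word list, the guess rate and the 7776-word Diceware list size used for the comparison are assumptions labelled in the code.

```python
import math
import secrets
import string

# Character set of a typical machine-generated password: upper, lower, digits, symbols (94).
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Short word list constructed for this example. A real passphrase list such as Diceware
# has 7776 words, which is the figure the entropy comparison below assumes.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "anchor", "pixel", "river", "cloud"]
DICEWARE_LIST_SIZE = 7776

# Assumed attacker guess rate for the comparison: 1e10 guesses/second against a fast hash.
ASSUMED_GUESSES_PER_SECOND = 1e10


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random string: log2(alphabet_size ** length).

    Every extra character multiplies the keyspace by alphabet_size, i.e. adds
    log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a random secret: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def generate_password(length: int = 16, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Random password drawn from the OS CSPRNG, as a password manager's generator does."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words, count: int = 5, separator: str = "-") -> str:
    """Random passphrase: `count` words chosen uniformly and independently from `words`."""
    return separator.join(secrets.choice(words) for _ in range(count))


def compare_policies(guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> dict:
    """Entropy and expected crack time for the three password shapes discussed in the text."""
    policies = {
        "8 chars, full symbol set": entropy_bits(len(PASSWORD_ALPHABET), 8),
        "16 chars, full symbol set": entropy_bits(len(PASSWORD_ALPHABET), 16),
        "5 random Diceware words": entropy_bits(DICEWARE_LIST_SIZE, 5),
    }
    return {
        name: {
            "bits": round(bits, 1),
            "expected_years": expected_crack_seconds(bits, guesses_per_second) / (365.25 * 86400),
        }
        for name, bits in policies.items()
    }


if __name__ == "__main__":
    for name, result in compare_policies().items():
        print(f"{name:28s} {result['bits']:6.1f} bits  ~{result['expected_years']:.3g} years")
    print("generated password:  ", generate_password())
    print("generated passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Run as a script, the comparison shows the 8-character password falling in days at the assumed rate, the 5-word passphrase in decades, and the 16-character random password far beyond any practical horizon; the passphrase is the sensible shape for the one secret you must memorise, the random string for everything the manager stores.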
What a Password Manager Does
A password manager stores all your passwords in an encrypted vault, protected by a single master password (and ideally multi-factor authentication). It generates strong, unique passwords for every account and fills them in automatically. You remember one password; it handles the rest.
The vault is encrypted locally before it is transmitted anywhere. A reputable password manager provider does not have access to your passwords — even if their servers were compromised, the encrypted vault would be useless without your master password.
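The reason a compromised server does not expose your passwords is that the master password is turned into two different things on the device: a vault key that never leaves it, and a one-way authentication token that is all the provider ever sees. The following is an added example modelled on that general zero-knowledge pattern; it is not any product's implementation, the salting and labelling choices are assumptions, and the actual encryption of the vault with the vault key (an AEAD such as AES-GCM, which needs a third-party library) is left out so that the block runs on the standard library alone. `VaultServer` is a constructed stand-in for the provider, holding only a salted hash of the token and the ciphertext blob.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 on the client (OWASP's current guidance is 600,000).
KDF_ITERATIONS = 600_000


def derive_master_key(master_password: str, email: str, iterations: int = KDF_ITERATIONS) -> bytes:
    """Slow, salted derivation done on the client. Salting with the normalised e-mail is an
    assumed design choice for this example; it stops precomputed tables being reused."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.strip().lower().encode("utf-8"), iterations, dklen=32)


def derive_vault_key(master_key: bytes) -> bytes:
    """Key that encrypts the vault. Derived with a fixed label so it differs from the
    authentication material; it never leaves the device."""
    return hmac.new(master_key, b"vault-encryption-key", hashlib.sha256).digest()


def derive_auth_token(master_key: bytes) -> bytes:
    """What the client sends at login. One-way, so the server cannot recover master_key."""
    return hmac.new(master_key, b"server-authentication", hashlib.sha256).digest()


class VaultServer:
    """Constructed stand-in for the provider. It stores a salted hash of the auth token
    and the encrypted vault blob, and nothing else."""

    def __init__(self):
        self.accounts = {}

    def _hash_token(self, auth_token: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", auth_token, salt, 100_000, dklen=32)

    def register(self, email: str, auth_token: bytes, encrypted_vault: bytes) -> None:
        salt = os.urandom(16)
        self.accounts[email] = {
            "salt": salt,
            "token_hash": self._hash_token(auth_token, salt),
            "vault": encrypted_vault,
        }

    def login(self, email: str, auth_token: bytes) -> bool:
        rec = self.accounts.get(email)
        if rec is None:
            return False
        return hmac.compare_digest(self._hash_token(auth_token, rec["salt"]), rec["token_hash"])

    def dump(self) -> dict:
        """Everything an attacker would obtain from a full compromise of the server."""
        return dict(self.accounts)


def client_enrol(server: VaultServer, email: str, master_password: str, encrypted_vault: bytes) -> bytes:
    """Client-side enrolment: send only the auth token and ciphertext; keep the vault key."""
    master_key = derive_master_key(master_password, email)
    server.register(email, derive_auth_token(master_key), encrypted_vault)
    return derive_vault_key(master_key)


def server_dump_contains(server: VaultServer, email: str, secret: bytes) -> bool:
    """True if `secret` appears verbatim in anything the server stored for the account."""
    rec = server.dump()[email]
    return any(secret == value for value in rec.values())


if __name__ == "__main__":
    srv = VaultServer()
    # Constructed placeholder for ciphertext the client produced locally with the vault key.
    blob = b"<ciphertext encrypted on the device; AEAD not shown in this example>"
    vault_key = client_enrol(srv, "alice@example.com", "correct-horse-battery-staple", blob)
    mk = derive_master_key("correct-horse-battery-staple", "alice@example.com")
    print("login with right master password:", srv.login("alice@example.com", derive_auth_token(mk)))
    print("server holds the vault key:", server_dump_contains(srv, "alice@example.com", vault_key))
```

Under this split a server breach yields the ciphertext, a random salt and a hash of a hash of the master password. Anyone who wants the vault contents still has to run the slow client-side derivation for every guess of the master password, which is exactly why the master password should be a long passphrase.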
Recommended Options
Bitwarden is open source, free for individuals, and very affordable for teams. It is independently audited, well-regarded in the security community, and has apps for every platform. For most small businesses, it is the natural starting point.
1Password is a paid option (around £4–£8 per user per month depending on the plan) with a polished interface, strong team management features, and an excellent security track record. Popular with businesses that want a more guided experience.
Dashlane offers a similar feature set to 1Password and includes dark web monitoring — checking whether your email addresses have appeared in known breach datasets — in its paid tiers.
All three are substantially more secure than the alternative of reusing passwords or keeping them in a spreadsheet.
Rolling It Out to a Team
The business case is simple: a single compromised credential can unlock email, cloud storage, financial accounts, and business applications. The cost of prevention is trivial compared to the cost of a breach.
Start with a team account on Bitwarden or 1Password. Invite staff, ask them to install the browser extension, and set a date after which the expectation is that all business account passwords live in the manager. Run a short session — 20 minutes is sufficient — on how to use it. Focus on the browser extension autofill, which is where most resistance evaporates once people realise how much faster it makes logging in.
Establish a policy: no shared passwords, no writing passwords down, all business accounts use the password manager.
The Common Objection
“What if the password manager gets hacked?”
The risk exists but is managed. Reputable providers use zero-knowledge architecture — they cannot read your vault. Bitwarden, 1Password, and Dashlane have all been independently audited. No major password manager has suffered a breach that exposed unencrypted user passwords.
Compare this to the near-certainty of a breach when passwords are reused across dozens of accounts. The concentrated risk of a password manager is far smaller than the distributed risk it replaces.
Combining With MFA
A password manager eliminates the risk of password reuse and weak credentials. Multi-factor authentication (MFA) eliminates much of the remaining risk — including phishing, where a password might be entered into a fake site. Used together, they address the two most common routes into a business account.
Make MFA mandatory on your password manager itself. Most reputable options support authenticator apps, hardware keys, and biometrics.
DreamThieves can help your team implement password management and MFA across all business accounts, and verify that your current credentials have not already been compromised. Visit www.dreamthieves.uk.
A specialist from the DreamThieves cyber security team.