Password Security: What Every Business Owner Should Know

Passwords Still Matter (a Lot)

In a world of fingerprint scanners and face recognition, it's tempting to think passwords are yesterday's technology. They're not. Passwords are still the primary way most of your online accounts are protected, and a weak password strategy is one of the easiest ways to get hacked.

The average business owner has dozens of accounts — email, banking, hosting, social media, accounting software, domain registrar, and on and on. Each one is a potential entry point for an attacker.

What Actually Makes a Strong Password

Here's something that surprises most people: length beats complexity. A long password with regular words is harder to crack than a short one with random symbols.

  • P@$$w0rd! — Looks strong, right? It's not. Hackers figured out these substitution tricks years ago. Their tools check for them automatically.
  • correct horse battery staple — A random four-word passphrase like this is actually much harder to crack. It's also much easier to remember.

The math: A 12-character password with mixed case, numbers, and symbols has about 95^12 possible combinations. A 25-character lowercase passphrase has 26^25 — which is astronomically more. Length wins.

The minimum for any important account: 16 characters or more. For your email and banking, go longer.

Never Reuse Passwords. Seriously.

This is the rule people break the most, and it's the most dangerous.

When a company gets breached (and they do, all the time), the attackers get a list of emails and passwords. The first thing they do is try those same credentials on other popular sites — Gmail, Facebook, bank login pages. This is called credential stuffing, and it works because people reuse passwords.

If you use the same password for your email and your business bank account, a breach at some random shopping site could empty your bank account.

Password Managers: The Solution

A password manager generates, stores, and fills in strong, unique passwords for every account. You remember one master password; the password manager handles the rest.

Here are the popular options:

  • 1Password — $3/month for individuals, $7/month for families. Excellent interface, strong security, great business plans.
  • Bitwarden — Free tier available, $10/year for premium. Open source, so the code has been independently audited. Great if you want the most value.
  • Built-in browser managers — Chrome, Firefox, Safari, and Edge all have built-in password managers. They're decent for personal use but lack some features of dedicated tools. Better than nothing.
  • Apple Passwords app — If you're in the Apple ecosystem, this works seamlessly across all your devices.

The best password manager is the one you actually use. Don't overthink it. Pick one, install it, and start using it today.

Two-Factor Authentication (2FA)

A strong password is your first layer of defense. Two-factor authentication is the second.

With 2FA enabled, logging in requires your password plus a second verification — usually a code from an app on your phone or a physical security key. Even if someone steals your password, they can't log in without that second factor.

Turn on 2FA for every account that supports it, starting with:

  1. Your email (this is the master key — it can reset every other password)
  2. Your bank accounts
  3. Your domain registrar
  4. Your hosting provider
  5. Your social media accounts

Most services support 2FA now. It takes two minutes to set up and makes your accounts dramatically harder to breach.

Passkeys: The Future

Passkeys are the new technology that might eventually replace passwords entirely. Instead of a password, your device uses a cryptographic key pair — a private key that stays on your device and a matching public key that the service stores on its server.

When you log in, your device proves it has the right key using biometrics (fingerprint or face) or your device PIN. No password is ever sent over the internet, which means there's nothing to steal or phish.

Major services like Google, Apple, Microsoft, and many others already support passkeys. If you see the option to set one up, take it. It's both more secure and more convenient than passwords.

What to Do When a Service Gets Breached

Breaches happen constantly. Here's what to do:

  1. Check haveibeenpwned.com — Enter your email address to see if it's appeared in any known breaches
  2. Change the password for the breached service immediately
  3. Change it everywhere else you used that same password (this is why reuse is so dangerous)
  4. Enable 2FA if you haven't already
  5. Watch for phishing — After a breach, attackers often send follow-up phishing emails pretending to be the breached company

Get in touch if you want help setting up a password manager or securing your business accounts — it's one of the highest-impact security improvements you can make.

Password Hashing, Credential Attacks, and the Future of Authentication

Let's look at what happens to your password behind the scenes and why some authentication methods are better than others.

How Password Hashing Works

When you create an account on a well-built website, your password is never stored as plain text. Instead, it goes through a one-way mathematical function called a hash. The output (the "hash") looks like a random string of characters — and you can't reverse it back to the original password.

When you log in, the site hashes whatever you typed and compares it to the stored hash. If they match, you're in. This way, even if an attacker steals the database, they get hashes, not passwords.

Except... attackers have workarounds. They can precompute hashes for millions of common passwords and compare them to stolen hashes. This is called a rainbow table attack.

Salting: The Defense Against Rainbow Tables

A salt is a random string added to your password before hashing. Your password mypassword becomes a7f2q9mypassword before it's hashed. Even if two users have the same password, their salts are different, so the hashes are different. The salt is stored next to the hash (it doesn't need to be secret), so the site can repeat the same calculation when you log in.

This makes rainbow tables useless because the attacker would need a separate table for every possible salt — computationally impractical.

Bcrypt vs. Argon2

Not all hashing algorithms are equal:

  • MD5 and SHA-1 — Old and fast. "Fast" is actually bad for password hashing because it means an attacker can try billions of guesses per second. Never use these for passwords.
  • bcrypt — The longtime standard. It's intentionally slow and has a configurable "cost factor" that lets you make it slower as hardware gets faster. Most web applications use bcrypt.
  • Argon2 — The modern gold standard, winner of the Password Hashing Competition in 2015. It's designed to be resistant to both CPU and GPU-based attacks by requiring significant memory. Newer applications should use Argon2.

Credential Stuffing Attacks

We mentioned credential stuffing earlier, but here's how it actually works at scale:

  1. An attacker buys a database of stolen email/password pairs (these are sold on dark web markets for pennies per record)
  2. They use automated tools that try each credential pair against hundreds of popular services simultaneously
  3. The tools rotate through thousands of IP addresses to avoid getting blocked
  4. Any successful login gives them access to that account — and potentially everything connected to it

The scale is staggering. A single credential stuffing operation might try millions of username/password combinations per day across dozens of services. This is why unique passwords matter so much.

Password Spraying

A related attack: instead of trying many passwords against one account (which triggers lockouts), password spraying tries one common password against many accounts. The attacker tries Password123 against every email address at a company. Then Summer2026!. Then CompanyName1.

Because they only try each account once or twice, they fly under the radar of most lockout policies.
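
Because spraying spreads failures across accounts, per-account lockout counters miss it; the signal is one source hitting many different accounts. The detection logic below is an added example (not from any product mentioned here) run over constructed sample log lines; the log format and the TEST-NET addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one login attempt per line (not from a real system).
# 203.0.113.7 fails once against four accounts in seconds (spray pattern);
# 198.51.100.2 fails twice against one account (a typo, caught by lockout).
SAMPLE_LOG = """\
2026-02-10T09:00:01Z ip=203.0.113.7 user=alice result=FAIL
2026-02-10T09:00:03Z ip=203.0.113.7 user=bob result=FAIL
2026-02-10T09:00:05Z ip=203.0.113.7 user=carol result=FAIL
2026-02-10T09:00:06Z ip=203.0.113.7 user=dave result=FAIL
2026-02-10T09:00:09Z ip=203.0.113.7 user=erin result=SUCCESS
2026-02-10T09:01:00Z ip=198.51.100.2 user=alice result=FAIL
2026-02-10T09:01:30Z ip=198.51.100.2 user=alice result=FAIL
2026-02-10T09:02:00Z ip=198.51.100.2 user=alice result=SUCCESS
"""


def parse_line(line: str) -> dict:
    """Turn 'TIMESTAMP key=value key=value' into a dict with a datetime."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def find_spray_sources(log_text: str, min_accounts: int = 4,
                       window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {ip: sorted distinct accounts} for every source IP whose failed
    logins touched at least `min_accounts` different users inside `window`."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            if ev["result"] == "FAIL":
                failures[ev["ip"]].append((ev["ts"], ev["user"]))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # sliding window per source
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[ip] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    print(find_spray_sources(SAMPLE_LOG))
```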

How Have I Been Pwned Works

Have I Been Pwned (HIBP), created by security researcher Troy Hunt, collects data from known breaches and lets you check if your email or password has been exposed. It currently tracks over 13 billion compromised accounts.

The clever part: you can check if your password has been breached without sending your actual password. HIBP uses a technique called k-anonymity — you send only the first 5 characters of your password's SHA-1 hash, and HIBP sends back the remainder of every known breached hash that starts with those 5 characters. Your device checks for a match locally. Your full password hash never leaves your computer.
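
The client side of that k-anonymity check, as an added example (not HIBP's own code): hash locally, split off the 5-character prefix, and match the remaining 35 characters against a range response. The response here is constructed offline in the service's "SUFFIX:COUNT" line format; the real range endpoint is https://api.pwnedpasswords.com/range/<prefix>, and the counts below are made up.

```python
import hashlib


def split_sha1(password: str) -> tuple:
    """Upper-case hex SHA-1 of the password, split into the 5-char prefix
    that goes to the range API and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Scan a range response (one 'SUFFIX:COUNT' per line) for our suffix.
    Returns the breach count, or 0 if absent. The match happens here, on the
    client; the server only ever learned the 5-char prefix."""
    for line in response_text.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate and candidate.upper() == suffix:
            return int(count)
    return 0


def build_fake_range_response(known_pwned: list, prefix: str) -> str:
    """Constructed stand-in for the API reply: the suffixes of the given
    leaked passwords that share `prefix`, each with a made-up count."""
    lines = []
    for i, pw in enumerate(known_pwned, start=1):
        p, s = split_sha1(pw)
        if p == prefix:
            lines.append(f"{s}:{i * 1000}")
    return "\n".join(lines)


def password_breach_count(password: str, known_pwned: list) -> int:
    """End-to-end offline check against the constructed 'service'."""
    prefix, suffix = split_sha1(password)
    response = build_fake_range_response(known_pwned, prefix)
    return count_in_range_response(suffix, response)


if __name__ == "__main__":
    leaked = ["password", "123456", "qwerty"]   # constructed leak list
    print(password_breach_count("password", leaked))                    # 1000
    print(password_breach_count("correct horse battery staple", leaked))  # 0
```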

FIDO2, WebAuthn, and Why SMS 2FA Is Weak

Not all second factors are equal:

  • SMS codes — The weakest form. Attackers can intercept texts through SIM swapping (convincing your phone carrier to transfer your number to their SIM card) or SS7 network vulnerabilities. Better than nothing, but not great.
  • Authenticator apps (Google Authenticator, Authy, Microsoft Authenticator) — Generate time-based codes on your device. Much harder to intercept than SMS. Good baseline for most people.
  • Hardware security keys (YubiKey, Google Titan) — Physical devices that plug into your computer or tap against your phone. They use the FIDO2/WebAuthn standard and are practically immune to phishing because they verify the actual website, not just a code.
  • Passkeys — Built on the same FIDO2/WebAuthn standard as hardware keys but stored on your device. They combine the security of hardware keys with the convenience of biometrics.

The hierarchy: hardware keys and passkeys > authenticator apps > SMS > no 2FA.

Want help implementing strong authentication for your business accounts? Let us know — we can set up password managers, 2FA, and passkeys across your team.

Last reviewed for accuracy: February 2026

Have questions? We're happy to help. Get in touch for a free consultation.