Strong Passwords and MFA: Why Every Small Business Should Care

Cyber-crime isn’t just a big-business problem

Criminals don’t only target household names. In fact, small and medium-sized businesses are often easier targets because they have fewer resources devoted to security. One weak password on a shared account can open the door to email fraud, data theft or even ransomware.

Why passwords matter

A password is usually the first and sometimes the only thing standing between an attacker and your data. Yet analysis of real-world data breaches shows that people still rely on easy-to-guess favourites such as 123456, password, or qwerty. These are cracked in seconds.

Attackers don’t “guess” passwords by hand. They use:

  • Leaked password lists from previous breaches, replayed against other services (an attack called credential stuffing). If you reuse a password that’s been exposed elsewhere, it can be exploited immediately.
  • Automated cracking tools that can test billions of guesses per second if they manage to steal a database of hashed passwords.
  • Targeted guessing, using details such as birthdays or pet names found on social media.

The UK’s National Cyber Security Centre (NCSC) recommends: three random words

Instead of complicated rules like “must have a symbol and a number”, NCSC suggests using three random words joined together, for example:

"octopus boxcar hat"

This kind of passphrase is:

  • Long – length matters more than fancy characters.
  • Memorable – easier for staff to recall than a jumble of letters and digits.
  • Hard to predict – especially if the words are unrelated.

Encourage staff to create a different three-word passphrase for every important account. A password manager can help them store these securely.

Add a second lock: Multi-Factor Authentication (MFA)

Even a strong password can be stolen. MFA (sometimes called two-factor authentication) adds a second proof of identity, such as:

  • a one-time code from an authenticator app or text message
  • a hardware security key
  • biometric confirmation (like a fingerprint on a mobile device)

With MFA turned on, stealing a password alone is not enough to break in.

Practical steps for SMBs

  1. Identify your key accounts – email, cloud storage, finance, customer systems – and enforce unique passwords and MFA wherever the service supports it.
  2. Provide a password manager so staff can store and share work credentials safely without writing them down.
  3. Block weak or breached passwords using tools such as Have I Been Pwned or similar checks when creating new accounts.
  4. Don’t force regular password changes unless you suspect a compromise. Focus instead on monitoring and MFA.
  5. Train your team: a short session or an internal guide explaining how to create three-word passphrases and why MFA is critical.
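Step 3 above relies on checking candidate passwords against breach data without sending the password itself anywhere. The following is an added example, not code from the original post or from Have I Been Pwned: it implements the Pwned Passwords k-anonymity check (only the first five characters of the SHA-1 hash are sent to the `range` endpoint, and the reply is matched locally) alongside the length check a three-random-words passphrase passes. The sample range response and its counts are constructed for the demonstration; `assess` and `fetch_range` are names chosen here.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the API and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, body: str) -> int:
    """Parse 'SUFFIX:COUNT' lines from a range response and return how often
    the password was seen in breaches. Padding entries carry count 0, and an
    absent suffix also yields 0."""
    for line in body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0


def fetch_range(prefix: str) -> str:
    """Live lookup (network). Add-Padding asks the API to hide the true result
    size from anyone watching the traffic."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "smb-password-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample of a range response for prefix 5BAA6 (counts are made up).
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
003D68EB55068C33ACE09247EE4C639306B:3
00A1B2C3D4E5F60718293A4B5C6D7E8F901:0
"""


def assess(password: str, range_body: str, min_length: int = 12) -> list[str]:
    """Return the reasons a password should be rejected (empty list = accept).
    range_body must be the API response for this password's own prefix."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    _, suffix = sha1_prefix_suffix(password)
    if count_in_range_response(suffix, range_body) > 0:
        problems.append("seen in breaches")
    return problems
```

For a live check, call `assess(pw, fetch_range(sha1_prefix_suffix(pw)[0]))`; the offline sample is enough to see the logic work.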

Image by Hive Systems

The bottom line

Strong, unique passwords combined with MFA are among the simplest and most cost-effective defences you can put in place. For a small business, taking these steps now can prevent costly incidents later and give your customers confidence that their data is in safe hands.

Resources:
UK National Cyber Security Centre – “Password guidance: simplify your approach” and “Three random words” campaign.
Have I Been Pwned – password breach checking service.

If you would like any help or advice you can contact us

Provided by Cyber Padlocking.
