Every year, the list of most common passwords makes its way around the internet, and every year, it’s just as concerning. People are still using “123456” and “password” like it’s 1999. Meanwhile, cybercriminals don’t need cutting-edge hacking tools when people hand them the keys. 

Research shows that 40% of passwords used by corporate employees are identical to those used by everyday internet users. In other words, the same week, overused passwords that people rely on for social media and shopping accounts are also protecting company data. That’s like locking the front door but leaving the windows wide open.

MSPs can only do so much to help protect businesses from cyberattacks. Employees play a major role in cybersecurity, and password security is often overlooked. 

This is why National Password Day (May 2nd) exists—to remind everyone that strong passwords aren’t optional. One weak password can open the door to data breaches, financial losses, and plenty of headaches. 

So, in honor of National Password Day, let’s talk about what makes a strong password, why password managers should be a standard business tool, and how companies can tighten security across the board.

The Password Security Checklist: Is Yours Strong Enough?

Most people assume their passwords are “good enough.” They aren’t. A secure password needs to be long, unpredictable, and unique. Here’s what that actually means:

• Length matters. A password should be at least 12–16 characters. Shorter passwords are easier to crack.

• Complexity counts. A mix of uppercase, lowercase, numbers, and symbols makes guessing harder.

• Predictability is a problem. Birthdays, pet names, and favorite sports teams are bad choices. If it’s easy to remember, it’s probably easy to guess.

• Recycling is risky. If the same password is used across multiple accounts, one leak puts everything at risk.

• Passphrases beat single words. A random string of words— “desk-lamp-marathon-cookie” —creates a long, strong password that’s easier to recall than a jumble of characters.

For businesses, these rules need to be more than guidelines. They should be enforced company-wide. Employees won’t take security seriously if the company doesn’t, either.

Change Passwords Regularly 

Another important aspect of password security is regularly changing passwords. This helps to prevent unauthorized access to accounts and systems, as well as mitigating the risk of compromised credentials.

It is recommended to change passwords every 3-6 months or whenever there is suspicion of a breach. This includes both work-related accounts AND personal accounts such as email, company devices, and online tools used for work.

Be Careful with Security Questions

Security questions are often used as an additional layer of security for password recovery. However, these questions can be easily guessed or found through social media and other online sources.

To increase the security of your accounts, choose unique and difficult answers to security questions. Avoid using common information such as your mother’s maiden name or your pet’s name. If your friends could easily guess the answer, it is not secure enough.

Avoid Sharing Passwords

Sharing passwords with others, even close family or friends, is never a good idea. Not only does this compromise the security of your account, but it also puts trust in someone else to keep your information safe. If that person's device or account is hacked, your password could potentially be exposed as well.

The Case for Password Managers

People are bad at passwords. They make them too simple, reuse them across sites, or forget them altogether. That’s why password managers exist—to eliminate the guesswork.

A password manager generates, stores, and auto-fills complex passwords so users don’t have to remember anything beyond a single master password. For businesses, this means employees aren’t using sticky notes, spreadsheets, or whatever their go-to easy-to-remember phrase is.

But convenience isn’t the only selling point. Password managers also:

• Stop password reuse. Employees no longer need to recycle the same login across multiple sites.

• Secure passwords with encryption. Even if a hacker gets into the system, the passwords remain protected.

• Work across devices. Whether an employee logs in from a laptop, phone, or tablet, passwords stay accessible but secure.

• Provide admin control. Businesses can set password policies, revoke access when employees leave, and monitor security risks.

The biggest reason people resist using a password manager is that they think it’s complicated. But resetting a dozen hacked accounts after a breach is a lot more complicated.

No One Can Afford to Ignore Password Security

Hackers don’t need sophisticated tactics when weak passwords do the work for them. And businesses that assume they’re too small to be targeted are playing a dangerous game. A single compromised password can lead to data breaches, financial loss, and reputational damage.

National Password Day is a reminder that strong security isn’t just about individual habits — it’s about company-wide policies that prevent problems before they happen. Businesses that take passwords seriously don’t just avoid breaches; they build a culture where security is part of the foundation.