Passwords and passkeys: a small business guide to going passwordless

Passwords are the weakest point in most small businesses' security, and the most common way attackers get in. The good news is that fixing them no longer means asking your team to memorize more. It means using a password manager, turning on the right kind of multi-factor authentication, and starting to replace passwords with passkeys.

This guide walks through all three, in the order a small business should tackle them, and clears up a couple of myths that make passwords worse, not better.

Why passwords fail

The problem was never your people. It is that passwords ask humans to do something impossible: invent and remember dozens of long, unique, random secrets, and never reuse them. Nobody can, so they reuse one password across sites, add a "1" when forced to change it, and pick something they can recall. Attackers know this, which is why the two most common ways into a business are both password problems:

  • Reuse and breaches. When any site you used gets breached, those passwords end up on lists that attackers replay against your email, banking, and business apps. One reused password becomes a master key.
  • Phishing. A convincing fake login page harvests the password as you type it. No amount of complexity helps if you hand the password to the attacker yourself.

So the goal is not "stronger passwords." It is fewer passwords a human has to know, and login methods that cannot be reused or phished.

Step 1: Give everyone a password manager

A password manager is an encrypted vault that generates a long, unique, random password for every account and remembers them for you. Your team only needs to know one strong master password (or unlock the vault with their fingerprint or face). It fills logins automatically, which also quietly defeats many phishing sites, because it will not autofill your bank password into a look-alike domain it does not recognize.

For a business, use a business or team plan rather than everyone running personal ones. It lets you share the logins the team genuinely needs to share without emailing passwords around, remove access when someone leaves, and see where weak or reused passwords still exist. Rolling one out to the whole team is the single highest-value password move you can make, and it usually takes an afternoon.
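To make the "quiet" phishing defence concrete, here is an added example (not code from the original guide or from any particular password manager) of the rule an autofill engine applies before it offers a saved login: the page's host must be the saved host or a subdomain of it, and a saved https login is never offered on plain http. The vault entry and the candidate pages are constructed placeholders, not real sites.

```javascript
// Added example: how a password manager decides whether a saved login may be
// autofilled on the page currently open. Anything other than the saved host
// (or a subdomain of it) gets nothing, including look-alike names.

function hostMatches(savedHost, pageHost) {
  // Exact host, or a subdomain of the saved host (e.g. login.bank.example.test).
  return pageHost === savedHost || pageHost.endsWith('.' + savedHost);
}

function shouldAutofill(savedUrl, pageUrl) {
  let saved, page;
  try {
    // WHATWG URL parsing lower-cases hosts and converts Unicode hostnames to
    // punycode, so a homograph such as "bаnk" (Cyrillic а) becomes "xn--..."
    // and can never compare equal to the ASCII "bank".
    saved = new URL(savedUrl);
    page = new URL(pageUrl);
  } catch {
    return false;                                   // unparseable URL: refuse
  }
  // Scheme downgrade is also a refusal: a saved https login is not offered on http.
  if (saved.protocol === 'https:' && page.protocol !== 'https:') return false;
  return hostMatches(saved.hostname, page.hostname);
}

// Constructed sample vault entry and candidate pages (placeholders, not real sites).
const vaultEntry = { site: 'https://bank.example.test/login', username: 'alice' };

const candidates = [
  'https://bank.example.test/signin',            // same host: fill
  'https://login.bank.example.test/',            // subdomain: fill
  'https://bank.example.test.evil.test/login',   // saved host used as a prefix of an attacker host: refuse
  'https://bank-example.test/login',             // hyphen look-alike: refuse
  'https://bаnk.example.test/login',             // Cyrillic "а" homograph: refuse
  'http://bank.example.test/login',              // downgrade to http: refuse
];

// Returns one {url, fill} decision per candidate page.
function evaluateCandidates() {
  return candidates.map(url => ({ url, fill: shouldAutofill(vaultEntry.site, url) }));
}

for (const r of evaluateCandidates()) {
  console.log(r.fill ? 'FILL   ' : 'REFUSE ', r.url);
}
```

The important design choice is that the comparison is on the parsed hostname, never on a substring of the address bar text: "bank.example.test" appearing somewhere in the host is not enough, it has to be the end of it.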

Step 2: Turn on MFA, but know that not all MFA is equal

Multi-factor authentication (MFA) adds a second check beyond the password, so a stolen password alone is not enough. Turn it on everywhere it is offered, starting with email and your most important accounts. But the type matters, and the gap between them is real:

  • Text-message and email codes are the weakest form. Better than nothing, but the codes can be phished or intercepted.
  • Authenticator-app codes and push approvals are a solid step up and fine for most accounts.
  • Phishing-resistant MFA, meaning security keys or passkeys, is the strongest, because it cannot be tricked into approving a login on a fake site.

That last distinction matters because attackers have adapted. As we covered when a phishing kit began bypassing Microsoft 365 MFA, code-based methods can be defeated in real time by a fake login page that relays your code. Phishing-resistant methods close that door. So put app-based MFA everywhere, and use phishing-resistant MFA on the accounts that matter most: your email, your identity provider, and every administrator account.

Step 3: Passkeys, the beginning of the end for passwords

A passkey replaces the password entirely. Instead of a secret you type, your device holds a private key that never leaves it, and you approve a login with the same fingerprint, face, or PIN you already use to unlock your phone or laptop. There is nothing to remember, nothing to type, and nothing for a phishing site to steal.

Passkeys are phishing-resistant by design: the passkey is cryptographically tied to the real website, so it simply will not work on a look-alike domain. They sync across your devices through your Apple, Google, or Microsoft account, or through your password manager, so a lost phone does not lock you out. And you can use them today on the platforms most small businesses already run on, including Microsoft 365, Google Workspace, and a growing list of banks and SaaS apps.

You do not have to go all-in overnight. Passkeys and passwords can coexist while the world catches up, so you can switch your most important accounts first and add others as they gain support.

A realistic rollout for a small business

You do not need to do everything at once. In order of impact:

  • Roll out a password manager to the whole team and use it to hunt down reused and weak passwords.
  • Turn on MFA everywhere, then upgrade your email, identity provider, and admin accounts to phishing-resistant MFA first.
  • Start enabling passkeys on your most important accounts, beginning with the Microsoft or Google identity that everything else hangs off.
  • Retire shared logins. Replace "the whole team knows the password" accounts with proper individual access and sharing through the password manager.

The myth to drop: forced password changes

Many businesses still force everyone to change their password every 60 or 90 days, believing it is good hygiene. Current guidance from the US National Institute of Standards and Technology (NIST), which sets the benchmark most of the industry follows, says the opposite: routine forced changes make passwords weaker, because people respond with predictable tweaks like Summer2025 becoming Summer2026. The modern advice is to use long, unique passwords, screen them against known-breached lists, and only force a change when there is actual evidence a password has been compromised. Drop the calendar-based reset, and put that effort into a password manager and MFA instead.

Sources:

  • NIST, Special Publication 800-63B, Digital Identity Guidelines
  • FIDO Alliance, Passkeys