Password managers, and why you need one

Count the online accounts you log into in a typical week. Banking. Email. Maybe a couple of social accounts. The Office 365 login. The MYOB / Xero. The Google account. The website hosting dashboard. The supplier portals. The "ATO online services" thing.

Now think about how you remember all those passwords. Three options come up almost every time we ask a small-business client:

  • A handful of strong-ish passwords reused across most accounts.
  • One or two passwords written on a Post-it or in a notebook under the keyboard.
  • "I forgot it last time so I keep resetting it."

If any of those sound familiar, you're in good company. Industry surveys put the share of people who reuse passwords across important accounts well above one in three. Roughly half struggle to remember the ones they do use. And about one in five say they've already had an email or social account compromised at some point.

The fix is genuinely easy. It's called a password manager.

What a password manager actually is

A password manager is an app that remembers passwords on your behalf. You log into the manager itself with a single strong master password, and it stores everything else: usernames, passwords, credit card numbers, secure notes, two-factor codes.

When you visit a site that needs a login, the manager fills in the username and password for you. When you sign up for a new account, the manager generates a fresh, random password and saves it. You never have to remember (or type) the actual passwords again.

There's only one password you need to actually memorise: the master password to the manager itself. Make that one long, make it memorable, and don't reuse it anywhere.

Why this matters more than it used to

A single password being leaked used to be a personal inconvenience. Now it's a chain reaction:

  • An attacker buys a leaked username/password from an old breach.
  • They try the same combination on your email. If your email password is the same one that leaked, they're in.
  • From inside your email, they reset the password on every other account you have: banking, MYOB, hosting, social, whatever.

This pattern is the entire reason "you should have a different password on every account" exists as advice: one reused password turns a single old breach into a takeover of everything. Password managers make that advice possible to follow.
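As an added illustration (not from the original post or from any particular product): a small Python audit that finds passwords reused across accounts in a vault export and replaces each reused one with a fresh random password, the way a manager does at sign-up. The vault format, site names and the sample entries are constructed assumptions.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample vault export (hypothetical format): one entry per account.
# Three accounts share one password, so a leak of any of them exposes all three.
SAMPLE_VAULT = [
    {"site": "email.example",   "user": "owner@example.com", "password": "Winter2019!"},
    {"site": "bank.example",    "user": "owner@example.com", "password": "Winter2019!"},
    {"site": "myob.example",    "user": "owner",             "password": "Winter2019!"},
    {"site": "hosting.example", "user": "admin",             "password": "k9#Qv2x!pLm4zR7t"},
]

def find_reused_passwords(vault):
    """Return {password: [sites]} for every password used on more than one account."""
    by_password = defaultdict(list)
    for entry in vault:
        by_password[entry["password"]].append(entry["site"])
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}

def generate_password(length=20, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Generate a password from the OS CSPRNG (secrets), never from random.random()."""
    if length < 12:
        raise ValueError("password too short to be worth generating")
    return "".join(secrets.choice(alphabet) for _ in range(length))

def rotate_reused(vault):
    """Return a copy of the vault where every reused password gets its own fresh one."""
    reused = find_reused_passwords(vault)
    rotated = []
    for entry in vault:
        new_entry = dict(entry)
        if new_entry["password"] in reused:
            new_entry["password"] = generate_password()
        rotated.append(new_entry)
    return rotated

if __name__ == "__main__":
    for pw, sites in find_reused_passwords(SAMPLE_VAULT).items():
        print(f"reused on {len(sites)} accounts: {', '.join(sites)}")
    print("after rotation, reused:", find_reused_passwords(rotate_reused(SAMPLE_VAULT)))
```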

What to look for in a password manager

A few criteria that matter for a small business:

  • Cross-device support. You should be able to access your passwords from your desktop, your laptop and your phone. Most managers handle this.
  • Browser autofill. A browser extension that fills logins for you turns the experience from "annoying" into "invisible".
  • Strong master-password rules. The manager should require a real master password, not a four-digit PIN.
  • Encrypted on your device. Your password database should be encrypted before it leaves your machine. The manager's company shouldn't be able to read your data even if their own servers are breached.
  • A way to share, if you need to. Small businesses often need to share an account with a bookkeeper or a virtual assistant. A good manager supports shared "vaults" so you don't have to email passwords around.

The shortlist

We don't endorse a specific product, partly because the market shifts, partly because the right choice depends on whether you want everything offline or you don't mind a cloud sync. The widely used names worth considering include 1Password, Bitwarden, KeePassXC (offline, free) and the password manager built into your browser, provided it's protected with a master password.

If you're starting from zero, pick one with a good free tier, install it on your laptop and your phone, set a strong master password, and start adding logins as you visit each site over the next month. Within a few weeks you'll have moved most of your account list across.

One more habit

While you're at it, turn on two-factor authentication on your email account. That's the single highest-leverage security step a small business can take. Most password managers can store the two-factor codes too, so the friction is small.

After that you can mostly stop worrying about passwords. Which is the whole point.