Password Security Checklist
Stop reusing passwords. Build a password hygiene system your whole team can actually follow.
🔑 All platforms · ⏱ 1–2 hours setup · 👤 Owner / IT Admin
Password reuse is the single most common way small business accounts get compromised. One breach on a random website exposes every account where your employee used the same password. This checklist gives you a practical system to fix that — without making people miserable.
1. Assess Where You Stand
- Audit which accounts each employee has and where they might be reusing passwords. Ask the team — you'll be surprised how many use the same password for everything.
- Check haveibeenpwned.com for your business domain email addresses. If results come back, those passwords need to change today, not next week.
2. Pick a Password Manager
A password manager is the only realistic way to have unique, strong passwords for every account. For Microsoft 365 shops, Bitwarden and 1Password both integrate cleanly with Entra ID.
- Choose a business-grade password manager: Bitwarden Teams, 1Password Business, or Keeper. Avoid free personal-tier tools for business use — you need shared vaults and audit logs.
- Deploy the browser extension to all employee browsers. If installing it is friction, employees won't use it. Make it the default.
- Require all employees to import or create their first saved passwords. Give them 48 hours and follow up — adoption is the hard part.
💡 MTDS tip: If you're on Microsoft 365 Business Premium, Microsoft Entra ID supports SSO (single sign-on) — employees log in to one place and the identity layer handles the rest. Ask MTDS about setting this up.
3. Strengthen Active Passwords
- Change all shared/service account passwords to unique, 20+ character strings. Wi-Fi passwords, email service accounts, accounting software — all of it.
- Enable Multi-Factor Authentication (MFA) on every account that supports it. Start with email, banking, and your Microsoft 365 admin accounts. No exceptions.
- Remove saved passwords from browsers — use the manager instead. Browser-saved passwords bypass the manager and don't sync policies.
4. Set a Policy
- Write a one-page password policy: unique passwords, no sharing, MFA required. It doesn't have to be a 20-page document. One clear page that employees actually read.
- Set a calendar reminder to rotate service account passwords every 12 months. NIST no longer recommends frequent rotation — but annual rotation on shared accounts is still smart.
⚠️ Heads up: Avoid the 90-day forced reset trap. NIST's current guidance says frequent rotation leads to weaker passwords (people just increment a number). Enforce MFA instead.
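To make the policy in sections 3 and 4 concrete, here is an added example (not MTDS code, and not part of the original checklist) of the kind of acceptance check a NIST-style policy implies: a length floor (20+ for service accounts), a breach-list screen, and no composition or expiry rules, plus a CSPRNG generator for shared-account secrets. The breach data is a small constructed sample in the same "SHA-1 suffix:count" shape a k-anonymity range lookup returns, so the script runs offline; the 12-character user minimum is an assumed policy value.

```python
import hashlib
import secrets
import string

# Constructed offline sample standing in for a k-anonymity range lookup:
# {5-hex SHA-1 prefix: "SUFFIX:COUNT" lines}. Built from one known-weak
# password so the example runs without network access.
WEAK_EXAMPLE = "password123"
_weak_sha1 = hashlib.sha1(WEAK_EXAMPLE.encode("utf-8")).hexdigest().upper()
SAMPLE_RANGE_RESPONSE = {
    _weak_sha1[:5]: f"{_weak_sha1[5:]}:2500\n0000000000000000000000000000000000A:1",
}

MIN_LENGTH_USER = 12      # assumed policy value for individual accounts
MIN_LENGTH_SERVICE = 20   # the checklist's "20+ character" rule for shared/service accounts


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 into the 5-char prefix sent to a range
    lookup and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password, range_lookup):
    """Return how many times the password appears in the breach sample (0 if absent)."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup.get(prefix, "").splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def evaluate_password(password, is_service_account=False, range_lookup=SAMPLE_RANGE_RESPONSE):
    """NIST 800-63B style check: length floor plus breach screening, with no
    character-class rules and no expiry. Returns rejection reasons (empty == accepted)."""
    reasons = []
    min_len = MIN_LENGTH_SERVICE if is_service_account else MIN_LENGTH_USER
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    hits = breach_count(password, range_lookup)
    if hits:
        reasons.append(f"seen {hits} times in breach data")
    return reasons


def generate_service_password(length=24):
    """Random secret for shared/service accounts, drawn from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + "-_.!@#%^&*+="
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

In a real deployment the `range_lookup` would be replaced by a fetch of the prefix's range from a breach-corpus service, which never sees the full hash.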
Need help deploying MFA and a password manager across your team?
MTDS can configure Entra ID Conditional Access and walk your team through onboarding to a password manager in a single session.
Talk to MTDS