Passwords Aren't Enough Anymore: A Practical Guide to Password Managers and Passkeys

How to stop relying on memorized passwords (and sticky notes) and move to something that actually holds up.

Take a quick mental inventory of how passwords actually work at your business. How many people on your team write them down on sticky notes? How many save them in browser autofill with no master password? How many quietly use the same password across half their work apps?

If you're like most small businesses, the honest answer is "too many." That's not a moral failure. The system is broken by design. Humans can't remember 80 unique long passwords. We never could. The fix is to stop trying.

The old password rules are broken

For decades the advice was: long, complex, change them every 90 days. The result was predictable: Spring2024!, then Summer2024!, then Fall2024!. People reused passwords across accounts, and entire companies got locked out of their own tools every quarter.

Modern guidance, including from NIST (the U.S. standards body), has flipped. Prioritize unique passwords for every account. Length over special characters. Stop forced rotations unless there's a specific reason to rotate. Which all sounds great until you realize no human can manage that without help. That's where the password manager comes in.

What a password manager actually does

A password manager is a secure, encrypted vault that stores all your passwords behind one master password (and ideally MFA on the vault itself). It auto-fills logins on real websites, generates random strong passwords for new accounts, and syncs across all your devices.

Two practical wins matter most. First, every account gets a unique, random password without anyone having to remember it. That single change defeats credential stuffing, where attackers replay a password leaked from one site against a person's other accounts. Second, your team stops typing passwords into fake phishing pages, because most password managers won't auto-fill on a domain that doesn't match the saved entry. The manager itself becomes a phishing detector.
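To make the second point concrete, here is an added example (not any vendor's code) of the kind of origin check a password manager runs before offering a saved login. The vault entry, the page URLs and the two policy names are constructed for the illustration; the tiny suffix table stands in for the full Public Suffix List that real products use. The example goes slightly beyond the paragraph by showing both a strict host-match policy and a looser base-domain policy, and why the latter still refuses lookalike hosts.

```javascript
// Added example: autofill origin check of the kind password managers apply
// before filling a saved credential. Not any vendor's code; the vault entry,
// page URLs and policy names below are constructed for illustration.

// Deliberately tiny stand-in for the Public Suffix List (real managers use the
// full list). Constructed subset: enough to show why "base domain" matching
// must not simply stop at the last two labels.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]);

// Registrable domain ("eTLD+1") of a hostname, e.g. login.example.co.uk -> example.co.uk
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Decide whether a saved entry may be filled on the page the user is visiting.
// policy: "host" (hostnames must match exactly) or "base" (same registrable domain).
function shouldAutofill(entry, pageUrl, policy = "host") {
  let saved, page;
  try {
    saved = new URL(entry.url);
    page = new URL(pageUrl);
  } catch {
    return { fill: false, reason: "unparseable URL" };
  }
  // Never fill a credential saved for https onto a plain-http page.
  if (saved.protocol === "https:" && page.protocol !== "https:") {
    return { fill: false, reason: "scheme downgrade" };
  }
  if (page.hostname === saved.hostname) {
    return { fill: true, reason: "exact host match" };
  }
  if (policy === "base" && registrableDomain(page.hostname) === registrableDomain(saved.hostname)) {
    return { fill: true, reason: "same registrable domain" };
  }
  return { fill: false, reason: "origin mismatch" };
}

// Constructed vault entry.
const VAULT = [{ name: "Payroll portal", url: "https://login.example.com/signin", username: "bookkeeper" }];

// Run a set of constructed page URLs against the entry and return the decisions.
function evaluate(policy = "host") {
  const pages = [
    "https://login.example.com/signin?next=/home",      // genuine page
    "https://portal.example.com/login",                 // sibling host, same company
    "https://login.examp1e.com/signin",                 // typosquat (digit one for letter l)
    "https://login.example.com.evil-login.net/signin",  // real name buried in a subdomain
    "http://login.example.com/signin",                  // right host, wrong scheme
  ];
  return pages.map((p) => ({ page: p, ...shouldAutofill(VAULT[0], p, policy) }));
}

for (const policy of ["host", "base"]) {
  console.log(`policy=${policy}`);
  for (const r of evaluate(policy)) {
    console.log(`  ${r.fill ? "FILL  " : "REFUSE"} ${r.page} (${r.reason})`);
  }
}
```

Under the strict "host" policy only the genuine page is filled; under "base", the sibling host is also filled, but the typosquat, the buried-subdomain host and the plain-http page are still refused. The user who has been led to a lookalike sees no autofill prompt, which is the cue the paragraph above describes.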

Picking one for your business

There are several solid options for small businesses. The names you'll see most often: 1Password Business, Bitwarden Teams, Dashlane Business, Keeper Business, NordPass Business. Pricing usually lands in the $3 to $8 per user per month range. That's coffee money compared to the cost of a single password-related breach.

Things to look for: a real admin console (so you can offboard staff cleanly), secure sharing of credentials between team members, audit reporting that flags weak or reused passwords, MFA support on the master account, and SCIM/SSO integration for when you grow.

Things to avoid: relying solely on browser-stored passwords without a master password, which is a common shortcut that leaves you exposed. And avoid the "shared spreadsheet of passwords" pattern. We still see this one. Please stop.

Rolling it out without losing the team

Password manager adoption fails when leadership pushes it top-down with no training. Here's what actually works for SMB rollouts.

Pick the tool and set up the admin console first. Onboard the leadership team and let them use it for a week. They'll surface every annoying issue before the rest of the team has to deal with it. Then run a 30-minute team session walking through the basics: install the browser extension, import existing passwords, generate new ones, share credentials when needed. Set a 30-day goal: every account that anyone uses for work is in the manager. Run a one-time "weak or reused password" audit at the 60-day mark and rotate the worst offenders.

After 90 days, the team will tell you they don't want to go back. The friction in week one is real but very short.

Passkeys: where this is all going

Passkeys are the next step. Instead of typing a password, your device proves who you are with a cryptographic key tied to your fingerprint, face, or PIN. There's nothing to type. Nothing to steal in a database breach. Nothing for a phishing site to capture. Even a perfect fake login page can't trick a passkey.

Apple, Google, Microsoft, and most modern password managers all support passkeys today. Microsoft 365, Google Workspace, GitHub, AWS, and a fast-growing list of business platforms let you sign in with passkeys instead of (or alongside) passwords. My advice to clients: don't wait for some giant migration project. Whenever you set up a new account or rotate an old one, opt for the passkey if it's available. Within a year or two of doing that, your highest-risk accounts will be passwordless without anyone planning a project around it.

What about the personal vs work line?

A common question we get: should employees use the company password manager for personal accounts too? Most modern business plans (1Password, Bitwarden, Keeper) include a free linked family or personal vault for each employee, kept entirely separate from the company vault. Use it. The reason is practical. If your bookkeeper's personal Amazon password is reused on her work email, your business is at risk too. Bringing personal accounts into the same protected ecosystem helps both sides.

The other version of this question: what about the family-owned-business owner who uses the same email for work and personal? Same answer with extra urgency. Get the manager set up, separate work credentials from personal ones, and start treating them differently. That mental separation is itself a useful security control.

The short version

Stop trying to remember passwords. Stop trying to come up with clever ones. Get a password manager. Turn on MFA on the manager. Adopt passkeys account by account as you go. That short list eliminates the most common cause of small business compromise and quietly makes life easier for your team.

If you read all that and thought "okay, but where do I actually start?" reach out. We do quick, no-pressure reviews for small businesses every week. Tell us where you are, we'll tell you the two or three things worth doing first, and you can take it from there. Visit siemekconsulting.com or drop us a note. We answer our own emails.

Categories: Cybersecurity