The Risks of Bad Password Practices

Let’s be honest — most people don’t give passwords the attention they deserve. They’re just one of those things we deal with to get to the real work. You pick something that’s easy to remember, maybe reuse it in a couple of places, jot it down somewhere “safe,” and move on.

And for a while… nothing bad happens. Which sort of reinforces the habit.

But here’s the thing. It’s fine until it’s not. And when it’s not, it’s often a complete mess — lost data, unauthorised access, service downtime, reputational damage. These aren’t IT problems. They’re business problems. Which means they’re your problem, too.

If you’re a business owner or managing a team, especially in an office setting, now is a really good time to take a closer look at how your team handles passwords.

Same Password, Everywhere

This one’s so common that it almost feels normal. People use the same password for everything — email, cloud storage, their login to that marketing tool they tried once.

It’s convenient, sure. But if an attacker gets hold of just one of those accounts, they’ll feed that same email-and-password pair into automated tools that try it against hundreds of other services. It’s called credential stuffing. And it works far too often.

Take a small law firm I know of: one of their staff reused a password that had been exposed in a completely unrelated breach (a fitness app, of all things). The attackers then got into their Office 365 account. The fallout? Weeks of recovery, a full audit, and a very uncomfortable conversation with one of their major clients.

Passwords in Word Docs, Excel Sheets… or on Paper

We’ve all seen it — “Passwords.xlsx” sitting on the desktop. Or a Post-it on the monitor with someone’s email and login details scribbled in pen. It’s not that people are lazy. They’re just trying to keep things accessible. Especially in fast-paced environments.

But accessible to you often means accessible to others — sometimes people who shouldn’t be anywhere near that information.

I recently read about a marketing agency that had a Google Sheet with all their client portal logins. A contractor downloaded it before leaving. Weeks later, logins started being used from unfamiliar IP addresses. Nothing major happened, thankfully. But it could have. That moment of “oh, we probably shouldn’t have done that” came a little too late.

Shared Logins Mean No Accountability

We totally get why shared logins happen. Maybe everyone uses the same email for a support inbox or social media. It keeps things simple.

But it also means you can’t trace anything. Who replied to that message? Who changed the password? Who opened that email with the sketchy attachment?

In one case we handled, a customer service team had a shared inbox. After a phishing email came through, data was leaked — but no one could say for certain who opened it. There was no trail. Just a shrug and some suspicion.

Plus, from a GDPR and audit perspective, shared logins are a nightmare. If personal data’s involved, it’s really hard to demonstrate compliance when you can’t tie actions to individuals.

Weak Passwords Are Still Everywhere

You’d think we’d all moved past “Password123”… but nope. Add a capital letter or a number at the end, and many people still feel like it’s strong enough.

The reality is, weak passwords are like leaving the key under the doormat. It might feel secure because no one’s tried the door yet — but all it takes is one try.

We saw an accountancy firm’s admin panel accessed via a brute-force attack in under two minutes. The password? Business2023.

And yes, technically it met the complexity requirements. But it’s not just about symbols and numbers — it’s about unpredictability.

No Password Manager, No MFA

This is where many small businesses fall short — not out of negligence, but because no one’s really explained why these things matter.

A password manager stores all your logins securely and helps generate strong, unique passwords. It’s like a vault. One master key, and you can forget the rest.

Multi-Factor Authentication (MFA) is the extra layer. Even if someone gets your password, they can’t get in without the second factor: a code sent to your phone or generated by an authenticator app.

We worked with a consultancy where one of their team’s login details were compromised — but thanks to MFA, the attacker never got in. No drama, just a blocked attempt and a quick reset.

Without these tools in place, you’re putting your trust in memory, browser autofill, or worse — sticky notes!

No Password Policy

One of the most overlooked security gaps in small and medium-sized businesses is simply not having a formal password policy at all.

Without clear rules and expectations, everyone does their own thing — and that usually means taking the path of least resistance.

A good password policy doesn’t need to be complex or difficult to follow. It should outline basic best practices like minimum password length, complexity requirements, regular updates, and a ban on password reuse.

It should also encourage the use of a password manager and require MFA wherever possible. Having a written, enforced policy turns cybersecurity from a vague concept into a concrete part of your operations — and it gives you something to reference during onboarding or access reviews.
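As an added illustration (not code from the original post), here is a small Python policy check along the lines described above. It shows why a password like Business2023 passes a simple “upper, lower, digit” complexity rule yet fails on length, predictability, breach exposure and reuse. The breached-password set and the organisation word list are constructed placeholders, not real breach data.

```python
import hashlib
import re

# Constructed for this example: a tiny stand-in for a breached-password list,
# held as uppercase SHA-1 hex digests (the form such lists are commonly shipped in).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("Password123", "Summer2022!", "Welcome1")
}

# Constructed: words specific to the organisation that guessing tools try first.
ORG_WORDS = {"business", "company", "office", "accountancy"}

MIN_LENGTH = 14
YEAR_RE = re.compile(r"(19|20)\d{2}")

def sha1_hex(pw):
    # Unsalted SHA-1 only for matching against the breach list, never for storage.
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()

def naive_complexity_ok(pw):
    """The 'upper, lower and digit' rule that a password like Business2023 satisfies."""
    return (
        len(pw) >= 8
        and re.search(r"[A-Z]", pw) is not None
        and re.search(r"[a-z]", pw) is not None
        and re.search(r"\d", pw) is not None
    )

def core_word(pw):
    """Strip a year and trailing digits/symbols to expose the guessable core word."""
    core = YEAR_RE.sub("", pw.lower())
    return core.rstrip("0123456789!@#$%^&*._-")

def policy_violations(pw, previous_hashes=()):
    """Return the reasons a candidate password fails the policy (empty list = accepted)."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    digest = sha1_hex(pw)
    if digest in BREACHED_SHA1:
        reasons.append("appears in a known breach list")
    if digest in previous_hashes:
        reasons.append("reused from this account's password history")
    if core_word(pw) in ORG_WORDS:
        reasons.append("organisation word plus year/digits is predictable")
    return reasons

if __name__ == "__main__":
    for candidate in ("Business2023", "Password123", "correct-horse-battery-staple-42"):
        print(candidate, "| complexity:", naive_complexity_ok(candidate), "| violations:", policy_violations(candidate))
```

The reuse check compares against hashes of the account’s earlier passwords, so the caller must keep that history; the breach list in practice would be a full downloaded corpus rather than three constructed entries.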

So, What Should You Do?

First off, don’t panic. You’re not alone. These issues are incredibly common. But they are fixable.

Start by having a conversation with your team. Ask where they store their passwords. Ask if they use the same login across multiple platforms. The answers might surprise you.

Then, get help. You don’t have to figure it all out yourself. At Carden IT Services, we help businesses like yours implement secure password managers, enable MFA across systems, and train staff in what good password hygiene looks like — in a way that doesn’t slow anyone down.

Because really, your passwords are like keys to your business. You wouldn’t leave your office door wide open at night… so why risk it online?

Start securing your business today – speak to our team for a cybersecurity audit.

Author: Jeremy Huson

Jeremy Huson is the founder and director of Carden IT Services LLC. He has nearly two decades of experience managing businesses’ IT networks and his areas of expertise are IT consultation and cybersecurity.