You’ve invested in cutting-edge tools, hired the best, and crafted a vision for success. But an invisible threat could undo years of hard work in an instant: your employee’s password habits.
You ask: Who cares about passwords in 2025? Why should I read another boring guide on “best practices for creating strong and secure passwords”? We’re too small for hackers to bother with anyway.”
Think again: 67% of SMBs have experienced a cyber-attack at some point, and businesses with fewer than 100 employees actually experience 350% more social engineering attacks.
Meanwhile, the sheer volume of passwords, along with the growth in connected IoT devices, continues to expand the cyber-attack surface. This means each device at your business is a potential entry point for hackers.
With 60% of SMBs forced to shut down after a significant attack, password habits matter more than ever. Below, we highlight the five (5) costliest password mistakes your employees may be making, how to create a culture of cyber resilience, and how a password manager can protect you.
Cracking the code: Why the humble password can still hurt your business
But first, let’s talk about why you should care about implementing best practices for password security:
- Compromised credentials were behind 80% of top data breaches in 2024.
- A data breach can cost you an average of $2.98 million and up to $3.31 million, even if you have fewer than 500 employees.
So, the humble password CAN wreak havoc on your business—if your employees engage in one or more of these habits.
Mistake #1: Using short, easily guessable passwords
We’re fast losing our patience with passwords: Up to 56% of people will either abandon a purchase or give up trying to access an online service if they forget their passwords.
The fear of being locked out is the #1 reason your employees create easy-to-remember passwords based on:
- Favorite holiday destinations, foods, or hobbies
- Celebrity, political, and sports figures
- Common names - the internet’s top 3 favorite password names are Eva, Alex, and Anna
- Sequential numbers like “123456” or “1234567890”
- Birthdays, anniversaries, and holidays
- Curse words
- Variations of “admin,” “password,” or “qwerty”
- Pop culture references
Easily guessable passwords like the above are a security risk and can be cracked in mere seconds by hackers with automated tools.
Mistake #2: Reusing passwords
Password fatigue is real and the #1 reason more than 70% of people reuse passwords.
According to the National Cybersecurity Alliance Report 2024-2025, a majority of GenZ and Millennials use unique passwords only “half of the time.”
Unfortunately, leaked login info from just ONE account can have a domino effect, giving attackers potential access to multiple corporate accounts with the same credentials. This makes it more challenging for your business to contain and resolve security incidents.
Mistake #3: Sharing passwords through insecure channels
According to the same Cybersecurity Alliance report, many people feel confident in their password management abilities. They use “old-school methods” like:
- Writing them down in a notebook or Post-it note (29%)
- Storing them in their phones (12%) or emails (7%)
- Committing them to memory (21%)
- Saving them in their browsers (11%)
- Using a password manager (12%)
- Resetting every time they log in to their accounts (2%)
When it comes to sharing passwords, they do so by texting, emailing, or trading Post-it notes. This leaves your sensitive business information vulnerable to unauthorized access by threat actors, for whom credential theft has become a top priority.
Mistake #4: Mixing work and personal passwords
It’s estimated that, by the end of 2025, 60-80% of phishing scams will target social media. If your employees access compromised personal accounts on corporate devices, hackers can potentially gain access to your entire network.
In late 2022, hackers obtained an Activision employee’s credentials through a phishing campaign and used them to exfiltrate sensitive employee data and information about yet-to-be-released game content.
Social media use on company devices can also expose your business to malware infections. Over 55% of social media scams involving malware or ransomware specifically target devices, putting all sensitive information on them at risk.
Mistake #5: Relying solely on passwords
Strong passwords are the first line of defense against unauthorized access and account takeovers. However, relying on passwords alone can lead to potential security gaps. According to Microsoft, 99.9% of accounts that are compromised don’t have multi-factor authentication (MFA) enabled.
For SMBs, cost is the #1 barrier to MFA adoption. Other factors include employee resistance and the lack of expertise to choose and deploy the correct tooling.
According to a KnowB4 survey of 2,600 IT professionals, 48% of small and medium-sized organizations think their password policy is “good enough,” while 62% aren’t using MFA at all.
Unlocking a culture of cyber resilience: What effective password management looks like in the age of AI
AI is a double-edged sword.
And in 2025, attackers are leveraging it to both enhance their attacks and exploit its vulnerabilities against us.
Some are injecting malicious prompts in AI models.
Meanwhile, others are using exposed credentials to hijack cloud-based systems in under 19 minutes. The new attack method is called “LLMjacking” and specifically targets non-human identities like API keys and service accounts.
Non-human identities, such as service accounts, are high-value targets. Here’s why: they’re often highly privileged but lack strong MFA controls to protect against compromise.
And that’s not all: attackers are increasingly using CUA (Computer-Using Agents) like OpenAI Operator to bypass traditional security measures like CAPTCHA and anti-bot defenses.
A culture of cyber resilience in the age of AI rests on three top pillars:
- An effective password security policy
- MFA adoption for human and non-human identities
- Employee awareness training
Three easy best practices for creating strong and secure passwords
These three simple password security policies can protect your organization immediately once implemented:
- Require passwords to be at least 16 characters long. All passwords should consist of mixed-case letters, numbers, and symbols, and there should be unique passwords for EACH work account.
- Provide a solution with password management, access control, and SSO capabilities. SSO allows your employees to access all their work tools with just ONE set of credentials. It saves time and reduces interruptions, human error, unintentional disclosure, and cybersecurity risk. Meanwhile, granular access controls allow you to quickly and easily modify or revoke access as roles change, without disrupting daily operations.
- Require all default passwords to be changed on all software and hardware products. According to a 2024 Broadband Genie survey, 86% of respondents have never changed their router admin password, while 72% have never changed their Wi-Fi password, leaving their organizations vulnerable to attacks. In fact, an attack on a Pittsburgh-area water authority succeeded partly because “1111” was the default password to its network.
- Unlimited amount of users
- 100+ customizable access policies
- LastPass Families for employees
- Directory integration
SMS multi-factor authentication (MFA): Why it’s time to leave home without it
Adding another layer of security with MFA won’t save your business if your employees are using SMS MFA.
After foreign threat actors infiltrated U.S. telecommunications infrastructure in late 2024, CISA released guidance warning against using SMS as a second factor for authentication.
Instead, CISA recommends the combined use of a password manager with Dark Web Monitoring capabilities and phishing-resistant FIDO-based authentication to protect your business.
Where feasible, require all work accounts to accept authentication with FIDO security keys such as Yubico or Google Titan.
Awareness is power: The importance of gamified security awareness training
Does anyone ever read employee handbooks?
Implementing a password security policy is critical – but will prove ineffective in the long run if your employees aren’t paying attention.
This is where gamification comes in: Research has shown that gamified learning environments can increase retention rates by as much as 90%. Ultimately, they are far more effective than traditional methods in nurturing a workforce that’s more resistant to cyber attacks.
In a gamified environment, points, levels, and leaderboards can foster an atmosphere of healthy competition, while badges and achievements can provide a sense of accomplishment.
This creates a happier work culture: 66% of employees say gamified learning reduces their stress levels, while 71% say it makes them more energized and productive. With an engaged workforce, every employee becomes part of a powerful human firewall to enhance your organization’s security posture – and what can be better than that?
Supercharge password security with one easy change your employees will love
We’re creatures of habit, and we love our comforts.
Your employees want to feel fulfilled, productive, and motivated at work.
An easy way to accomplish this is to provide a password manager that takes the stress out of securing every access point to your network.
With LastPass:
- Your employees can securely create, store, and share credentials without compromising confidential information.
- Each of your employees gets LastPass Families as a Benefit to protect five (5) of their closest family members and friends.
- Your business gets comprehensive security controls so you can easily approve or revoke access instantly.
- You can implement SSO and passwordless authentication to ensure frictionless logins and MFA to add another layer of security to the authentication process.
Ultimately, you get secure, effortless, and efficient password security, regardless of your team size or technical expertise.
To experience the peace of mind enjoyed by millions of our customers worldwide, start your 14-day free LastPass Business trial today (no credit card or commitment required).
