
Password Management for Business: Best Practices


Passwords remain the primary authentication mechanism for the vast majority of business systems and services. Despite years of predictions about the "death of the password," the reality for most UK businesses in 2026 is that employees manage dozens — sometimes hundreds — of passwords across email, cloud applications, line-of-business systems, customer portals, and internal tools. How those passwords are created, stored, shared, and managed has a direct and significant impact on your business's security posture.

The NCSC's own research has consistently shown that poor password practices are one of the most exploited weaknesses in UK organisations. Weak passwords, reused passwords, passwords written on sticky notes, and passwords shared in plain text over email or messaging platforms are daily realities in businesses of all sizes. Each of these practices creates opportunities for attackers — and each is preventable with the right tools and policies.

This guide covers everything a UK business needs to know about password management: the current best practices from the NCSC and other authorities, how to choose and deploy a business password manager, how to create a password policy that actually works, and how to move toward a future where passwords are supplemented — and eventually replaced — by stronger authentication methods.

  • 81% of data breaches involve weak or compromised passwords
  • 51% of UK employees reuse the same password across multiple work accounts
  • 23.2M UK accounts used "123456" as their password in breach databases
  • £3.50 average monthly cost per user for a business password manager

Why Password Management Matters

The scale of the password problem is staggering. The average business employee uses 80 to 100 different passwords across work and personal accounts. No human can remember that many unique, strong passwords, so they take shortcuts — reusing passwords, using simple variations, writing them down, or storing them in unsecured documents and spreadsheets.

These shortcuts are precisely what attackers exploit. Credential stuffing attacks — where criminals take username and password combinations leaked from one breach and try them against other services — are the single most common form of account compromise. If an employee uses the same password for their company email as they used for a shopping site that was breached, the password leaked from the shopping site now opens your corporate systems.

The financial impact of password-related breaches is significant. According to the IBM Cost of a Data Breach Report, compromised credentials are the most common initial attack vector, and breaches caused by stolen credentials take the longest to identify and contain — an average of 292 days. For UK businesses, the ICO can impose fines of up to £17.5 million or 4 per cent of annual turnover for GDPR breaches resulting from inadequate security measures, which includes poor password management.

NCSC Password Guidance: What Has Changed

The NCSC's current password guidance represents a significant shift from traditional approaches. They now advise against forcing regular password changes (which encourages weak, predictable passwords), against complexity requirements like mandatory special characters (which frustrate users without meaningfully improving security), and against security questions (which are easily guessable). Instead, they recommend long passphrases, password managers, multi-factor authentication, and checking passwords against known breach databases. If your password policy still requires quarterly changes and a mix of upper case, lower case, numbers, and special characters, it is outdated and potentially counterproductive.

Modern Password Best Practices

Length Over Complexity

The NCSC recommends prioritising password length over complexity. A 20-character password composed of three or four random words is both stronger and easier to remember than an 8-character password with forced complexity. For example, "correct-horse-battery-staple" (a famous example from the xkcd comic) is vastly stronger than "P@ssw0rd!" despite being easier to type and remember.

For accounts protected only by a password (no MFA), require a minimum of 12 characters — ideally 14 or more. For accounts protected by MFA, a minimum of 8 characters is acceptable because the second factor provides an additional layer of security. For admin and privileged accounts, require a minimum of 16 characters and mandate the use of a password manager to generate truly random passwords.

Use a Business Password Manager

A password manager is the single most impactful tool you can deploy to improve password security across your business. It allows every employee to use a unique, randomly generated, strong password for every single account — without having to remember any of them. The password manager stores all credentials in an encrypted vault, accessible only with a single master password (or biometric authentication).

Business password managers go further than personal products by offering centralised administration and user management, secure password sharing between team members, role-based access control for shared credentials, audit logging of who accessed which passwords and when, integration with single sign-on (SSO) and directory services, and dark web monitoring for compromised company credentials.

| Password Manager   | Monthly Cost per User | Key Strengths                                           | Considerations                              |
|--------------------|-----------------------|---------------------------------------------------------|---------------------------------------------|
| 1Password Business | £6.00                 | Excellent UI, strong sharing, Watchtower breach alerts  | Higher cost than alternatives               |
| Bitwarden Teams    | £3.25                 | Open source, self-hosting option, very affordable       | UI less polished than commercial options    |
| Dashlane Business  | £5.00                 | Built-in VPN, dark web monitoring, SSO integration      | Limited offline access                      |
| Keeper Business    | £3.75                 | Strong compliance features, secure file storage         | Add-ons can increase cost                   |
| LastPass Business  | £5.50                 | Widely adopted, good SSO integration                    | Past security incidents have affected trust |

Enforce Multi-Factor Authentication

Even the best password can be compromised — through phishing, keylogging, or breach of a third-party service. Multi-factor authentication (MFA) provides a critical second line of defence by requiring something in addition to the password: typically a code from an authenticator app, a hardware security key, or a biometric factor.

MFA should be mandatory for all cloud services (Microsoft 365, Google Workspace, Salesforce, etc.), all remote access (VPN, RDP, remote desktop), all admin and privileged accounts, and your password manager itself. The NCSC, ICO, and Cyber Essentials scheme all strongly recommend or require MFA. There is no legitimate reason to leave MFA disabled on any business system that supports it.

MFA methods, strongest to weakest:

  • Hardware Security Key (FIDO2): Strongest
  • Authenticator App (TOTP): Strong
  • Push Notification: Good
  • SMS Code: Adequate
  • Email Code: Weakest MFA

Check Passwords Against Breach Databases

Implementing a check against known compromised passwords is one of the most effective and least disruptive security improvements you can make. Microsoft Entra ID (used by Microsoft 365) includes a feature called Password Protection that automatically blocks users from setting passwords that appear in known breach lists. This prevents employees from choosing passwords that are already in the hands of criminals, even if those passwords would otherwise meet your complexity requirements.

For websites and applications you develop, the Have I Been Pwned API provides a free service that allows you to check passwords against a database of over 800 million compromised passwords without ever transmitting the password itself (using a k-anonymity model).

Creating a Password Policy That Works

A password policy is only effective if people actually follow it. Policies that are excessively strict, confusing, or impractical drive people to workarounds that undermine security. A good modern password policy should be concise, clearly communicated, and designed to work with human behaviour rather than against it.

Modern Password Policy (NCSC-Aligned)

  • Minimum 12 characters for standard accounts
  • Minimum 16 characters for admin/privileged accounts
  • No mandatory complexity rules (no forced special characters)
  • No mandatory regular password changes
  • Password manager required for all employees
  • MFA mandatory on all cloud and remote access
  • Passwords checked against breach databases
  • Change passwords only when compromise is suspected
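The NCSC-aligned policy above, together with the per-account minimum lengths from the "Length Over Complexity" section, expressed as a small checker (an added example, not code from the original post or from any of the products named). It deliberately has no character-class rules and no expiry. The breach list and word list are constructed stand-ins; a real deployment would use Have I Been Pwned or Entra Password Protection for the former and a large published list such as the EFF diceware list for the latter.

```python
import math
import secrets

# Minimum lengths from the guide: 8 when MFA protects the account,
# 12 for password-only standard accounts, 16 for admin/privileged accounts.
MIN_LENGTH = {"mfa": 8, "standard": 12, "privileged": 16}

# Constructed stand-in for a breach database (lower-cased for comparison).
BREACHED = {"123456", "password", "summer2026!", "p@ssw0rd!"}

# Constructed tiny word list; real passphrases need thousands of words.
WORDS = ["correct", "horse", "battery", "staple", "harbour", "ledger", "cloud", "switch"]


def evaluate_password(password: str, account_type: str, breached=BREACHED) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.
    Length and breach status are the only criteria, per NCSC guidance."""
    problems = []
    minimum = MIN_LENGTH[account_type]
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters for {account_type} account")
    # Case-folded comparison: "Password" is no safer than "password".
    if password.lower() in breached:
        problems.append("appears in known breach list")
    return problems


def passphrase_entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of n words drawn uniformly from a list: n * log2(list_size)."""
    return n_words * math.log2(list_size)


def generate_passphrase(n_words: int = 4, words=WORDS) -> str:
    """Random-word passphrase using the CSPRNG in `secrets`, not `random`."""
    return "-".join(secrets.choice(words) for _ in range(n_words))
```

With the 7776-word EFF list, four words give about 51.7 bits, which is why the guide favours three or four random words over short complex strings.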

Outdated Password Policy (Still Common)

  • Minimum 8 characters — too short for modern attacks
  • Must include upper, lower, number, and special character
  • Mandatory 90-day password rotation
  • No password manager — users expected to memorise all passwords
  • MFA optional or only for admins
  • No breach database checking
  • Encourages predictable patterns like "Summer2026!"
  • Frustrates users into writing passwords on sticky notes

Deploying a Password Manager: Practical Steps

Rolling out a business password manager requires planning and change management, not just technology. Here is a practical approach that works for UK SMEs.

Phase 1 — Pilot (2 weeks): Deploy the password manager to a small group of tech-savvy volunteers. Gather feedback, identify any integration issues, and refine your deployment guide.

Phase 2 — Department Rollout (4-6 weeks): Roll out department by department, providing hands-on training sessions for each group. Focus on the practical benefits — no more forgotten passwords, no more typing passwords repeatedly, secure sharing of team credentials.

Phase 3 — Organisation-Wide (2-4 weeks): Complete the rollout to all remaining users. At this stage, update your password policy to require the use of the password manager for all work accounts.

Phase 4 — Enforcement (ongoing): Monitor adoption through the password manager's admin console. Identify users who are not using it and provide additional support. Consider using the password health scoring features (available in most business password managers) to identify users with weak, reused, or compromised passwords and prompt them to update.


The Future: Passwordless Authentication

While passwords will remain part of the authentication landscape for the foreseeable future, passwordless authentication is gaining traction. Technologies like FIDO2 security keys, Windows Hello for Business, and passkeys (supported by Apple, Google, and Microsoft) allow users to authenticate using biometrics or physical security keys instead of passwords.

Microsoft 365 Business Premium already supports passwordless authentication through Windows Hello and FIDO2 keys. For businesses looking to eliminate passwords over time, adopting these technologies for new deployments while maintaining password manager coverage for systems that still require passwords is a pragmatic approach.

For most UK SMEs, the immediate priority is not passwordless — it is getting the basics right. Deploy a password manager, enforce MFA everywhere, align your password policy with NCSC guidance, and educate your staff. These steps alone will dramatically reduce your exposure to password-related attacks.

Cyber Essentials and Passwords

The Cyber Essentials scheme requires that you control access to your data and services through user accounts with appropriate password policies. Specifically, you must protect against brute force attacks (through account lockout or throttling), use MFA where available, and have a process for changing passwords when compromise is suspected. A business password manager, combined with MFA and the NCSC-aligned password policy described in this guide, will satisfy all Cyber Essentials password requirements.
