🏢 Small Business Password Policy: Protect Your Team from Credential Theft

By Sophie Laurent, Cybersecurity Awareness Trainer, Trusty Password · 1 Jun 2026 · 9 min read · 1,807 words

Why Your Small Business Needs a Written Password Policy

Small businesses are the primary target for credential-based attacks. The NCSC's 2025 Cyber Security Breaches Survey found that 59% of UK small businesses experienced a breach or cyber attack in the previous 12 months — and compromised passwords were the most common cause.

Without a written password policy, you rely on each employee's individual judgment about what constitutes a secure password. Some use their dog's name. Others reuse their personal Gmail password. A few share credentials via Slack or WhatsApp "just to get the job done faster." Each of these decisions is a security gap in your business.

A written password policy does three things that ad-hoc security cannot: it sets a consistent security baseline across your entire team, it gives employees clear rules rather than vague expectations, and it establishes accountability — everyone knows what is expected and what is prohibited.

For UK businesses pursuing Cyber Essentials certification, a documented password policy is a requirement, not optional. Even without certification, the same standards apply: your policy should protect your business, your customers' data, and your team's accounts.

💡 Bottom line: A password policy is not bureaucracy — it is the single most cost-effective security control you can implement. It costs nothing to write and can prevent the credential theft that leads to the average £5,600 recovery cost for a small business breach.

The Five Essentials of a Small Business Password Policy

An effective password policy for a small business covers five areas. These are the minimum requirements for any organisation with more than one employee.

1. Minimum Length and Strength Requirements

Set a minimum password length of 12 characters for all business accounts. Avoid arbitrary complexity rules (must contain one uppercase, one number, one symbol) — research consistently shows that length is more important than character variety. A 16-character lowercase passphrase is stronger than an 8-character mixed-case password and easier for employees to remember.

Use the Trusty Password Credential Guard to generate 16+ character passwords with full entropy. Generated passwords are inherently stronger than human-chosen passwords because they draw from the full character space without predictable patterns.

2. Prohibit Password Reuse

Every business account must have a unique password. Reusing a password across business and personal accounts means a breach of an employee's personal account on a low-security forum can lead directly to a compromise of your business systems.

Enforce uniqueness through a password manager. Employees cannot reasonably remember 20+ unique complex passwords. Require the use of a password manager as part of your policy, and provide a business-grade password manager as a standard tool. For teams, tools like 1Password Business start at £6.50 per user per month and include shared vaults, breach monitoring, and admin enforcement.

3. Multi-Factor Authentication Requirement

MFA must be required on all accounts that support it — which includes email, payroll, accounting software, CRM, cloud storage, and business banking. A password alone is no longer sufficient for any business system.

Prioritise phishing-resistant MFA (FIDO2 security keys or passkeys) for your most critical systems. For the rest, TOTP authenticator apps are acceptable — but SMS-based MFA should be avoided wherever possible. See our guide on which MFA methods resist phishing for a detailed comparison.

4. Prohibit Credential Sharing

Employees must not share passwords via email, messaging apps, sticky notes, or verbal handover. Instead, use the shared vault feature in your password manager, which allows authorised team members to access shared credentials without ever seeing the underlying password.

When an employee leaves or changes roles, rotate all credentials in shared vaults immediately. The password manager logs who accessed what — giving you an audit trail that shared passwords lack.

5. Session and Device Security

Require automatic screen locking after 5 minutes of inactivity. Prohibit saving passwords in the browser's built-in store, which lacks the master-password protection of a password manager. Require employees to report lost or stolen devices within 1 hour so credentials can be rotated and sessions revoked.

NIST and NCSC-Aligned Password Rules

Your password policy should align with current authoritative standards. The 2025 update to NIST SP 800-63B and the NCSC Cyber Aware guidance have shifted away from traditional complexity-and-expiry approaches. Here is what the standards actually say:

📋 NIST SP 800-63B 2025:

• Minimum 8 characters for user-chosen passwords
• Minimum 6 characters for randomly-generated passwords
• SHALL NOT require periodic password changes (only on compromise)
• SHALL compare passwords against commonly-used, expected, or compromised password lists
• SHALL NOT use password hints or knowledge-based authentication
• SHALL allow all printable ASCII characters and Unicode

📋 NCSC Cyber Aware (2025–2026):

• Use a password manager to generate and store passwords
• Create passwords with at least 12 characters
• Use 2-Step Verification (MFA) wherever possible
• Do not change passwords unless you have reason to believe they are compromised
• Use three random words for memorable passphrases (the NCSC's recommended approach for individual accounts)
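As an added illustration (not code from Trusty Password or the article), the following script applies the rules from section 1 and the NIST list above in the form a small business could enforce: a 12-character floor with no composition rules, any printable Unicode allowed, a comparison against a constructed sample of a common/compromised password list, and CSPRNG generation of 16-character credentials. The list contents and the `check_password`/`generate_password` names are assumptions.

```python
import secrets
import string
import unicodedata

# Constructed sample of a common/compromised password list; a real deployment
# would load a downloaded breach corpus. Entries are stored lowercase.
COMMON_PASSWORDS = {
    "password", "password1", "qwerty123", "letmein", "welcome1", "summer2025",
}

MIN_LENGTH = 12        # policy floor recommended in the article (NCSC-aligned)
GENERATED_LENGTH = 16  # length for generated credentials (section 1)


def check_password(password: str, context_words=()) -> list[str]:
    """Return the list of policy failures; an empty list means accepted.

    Only a length floor is enforced (no uppercase/digit/symbol rules), any
    printable character including Unicode is allowed, and passwords on the
    common/compromised list or containing "expected" words such as the
    company or user name are rejected, matching the NIST SP 800-63B rules.
    """
    pw = unicodedata.normalize("NFC", password)  # equivalent Unicode forms compare equal
    failures = []
    if len(pw) < MIN_LENGTH:  # len() counts code points, not bytes
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not pw.isprintable():
        failures.append("contains non-printable characters")
    lowered = pw.lower()
    if lowered in COMMON_PASSWORDS:
        failures.append("found on the common/compromised password list")
    for word in context_words:
        if len(word) >= 4 and word.lower() in lowered:
            failures.append(f"contains context word {word!r}")
    return failures


def generate_password(length: int = GENERATED_LENGTH) -> str:
    """Generate a credential with the CSPRNG from the full printable ASCII set."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple", "TrustyPassword2025"]:
        print(f"{candidate!r}: {check_password(candidate, context_words=('Trusty',)) or 'OK'}")
    print("generated:", generate_password())
```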

Account Lifecycle Management

Credential security starts when an employee joins and ends when they leave. Your policy must cover both transitions.

Onboarding: When a new employee joins, generate their initial credentials using a CSPRNG password generator. Deliver the password through your password manager's secure sharing feature — never via email or Slack. Walk through MFA setup on day one. Add their accounts to the relevant password manager shared vaults.

Role changes: When an employee changes role, review their access. Remove credentials for systems they no longer need. Update shared vault permissions.

Offboarding: When an employee departs, immediately rotate all credentials they had access to — not just their own login, but every shared credential they could see in the password manager. Revoke all active sessions and app-specific passwords. Remove MFA devices. Run an offboarding checklist within 1 hour of their departure.

Employee Training and Social Engineering Defence

A password policy is only effective if employees understand and follow it. Training is not a one-time event — it requires ongoing reinforcement.

Phishing awareness: Credential theft almost always starts with a phishing email. Your policy should require employees to report suspicious messages to your IT contact (or the NCSC's Suspicious Email Reporting Service at [email protected]) rather than clicking links. Train employees to recognise the red flags covered in our guide on how to spot a phishing email.

Social engineering awareness: Train employees that no legitimate IT team, vendor, or manager will ever ask them to share a password or MFA code. Make this an explicit rule in your policy.

Incident reporting: Create a no-blame culture for reporting credential compromise. Employees should feel safe reporting that they entered credentials on a suspicious page. A delayed report costs far more than a prompt one. Our phishing attack response guide provides the step-by-step protocol to follow.

Enforcing Your Policy with Free and Low-Cost Tools

You do not need an enterprise IT budget to enforce a strong password policy. Many essential controls are built into the tools you already use:

The most important investment is a business password manager. Without it, password policy enforcement is impossible — employees cannot be expected to remember 20+ unique 12-character passwords.

What to Do When a Credential Is Compromised

Even with the best policy, credentials will eventually be compromised. Your policy must include a clear incident response procedure:

  1. Immediately rotate the affected credential — every account using that password, not just the one you know about.
  2. Revoke all active sessions on the affected account to terminate any attacker's existing access.
  3. Check account recovery settings — ensure the attacker has not added their own recovery email or phone number.
  4. Review access logs to determine what the attacker accessed and whether other accounts were compromised.
  5. Report to the NCSC at [email protected] if the compromise involved a phishing attack or if customer data was exposed.

For a detailed step-by-step protocol, see our full incident response guide for compromised credentials.

Key Takeaways

A small business password policy does not need to be complex to be effective. The five essentials — minimum 12-character unique passwords, MFA on all accounts, no credential sharing, account lifecycle management, and ongoing security training — cover the vast majority of credential-related risks that small businesses face.

The cost of implementing these controls is minimal: a business password manager starts at £5-8 per user per month, MFA requires no additional licensing on Microsoft 365 or Google Workspace, and writing the policy document takes one afternoon. The cost of a breach — average £5,600 for a UK small business — makes the investment trivial by comparison.

Use the Trusty Password Credential Guard to generate strong, phishing-resistant passwords for every business account. A unique, generated password per account is the foundation that every other security control builds on.

Frequently Asked Questions

Does my small business really need a written password policy?

Yes. Without a written policy, employees use guessable passwords, reuse personal passwords at work, and share credentials informally. A written policy turns security from an afterthought into a standard operating procedure. For UK businesses, the NCSC recommends documented password policies as part of Cyber Essentials certification.

Should I enforce 90-day password expiry for my team?

No. NIST SP 800-63B (updated 2025) explicitly states users SHALL NOT be required to change passwords on a fixed schedule unless there is evidence of compromise. Frequent forced changes lead to weaker passwords and predictable patterns. Instead, focus on unique, strong initial passwords and only require reset on compromise.

What minimum password length should my policy require?

The NCSC recommends a minimum of 12 characters for business accounts. NIST SP 800-63B requires a minimum of 8 characters for user-chosen passwords. For small businesses, a minimum of 12 characters with no forced complexity rules is the most secure and user-friendly standard.

How do I enforce a password policy without expensive enterprise software?

Start with what you already have. Microsoft 365 Business and Google Workspace include built-in password policy controls that can enforce minimum length, block common passwords, and require MFA. Azure AD Password Protection blocks over 1,000 common passwords for free. For password managers, Teams and Business plans start at around £4-8 per user per month.

Should I ban password sharing in my policy?

Yes — but provide a safe alternative. Instead of sharing passwords via email or sticky notes, set up a shared vault in your password manager. Most business password managers support shared folders where teams can access shared credentials without ever seeing the underlying password.
