🛡️ How to Create a Secure Password: 7-Step Guide for Your Business
On this page
- Step 1: Choose a Password Generator That Uses CSPRNG
- Step 2: Set Password Length to 16-20 Characters
- Step 3: Include All Four Character Types
- Step 4: Generate One Password Per Account — Never Reuse
- Step 5: Use a Password Manager to Store and Organise
- Step 6: Enable Multi-Factor Authentication Everywhere
- Step 7: Train Your Team and Enforce Policy
- FAQs
- Sources
Step 1: Choose a Password Generator That Uses CSPRNG
Step one is the most important: do not make up passwords yourself, and do not use a generator that relies on JavaScript's Math.random(). Use a generator that calls window.crypto.getRandomValues() — the browser's cryptographically secure random number generator. The Web Crypto API draws entropy from the operating system's hardware random number generator, which collects randomness from thermal noise, interrupt timing, and other physical sources. The generator at StrongPassFactory uses exactly this approach.
Step 2: Set Password Length to 16-20 Characters
For business passwords, set your generator to produce passwords of at least 16 characters. For administrative accounts — your password manager master password, email admin account, domain registrar — use 20 characters or more. Every additional character multiplies the keyspace by 94 (the size of the full character set), so the number of possible passwords grows exponentially with length, and each added character is worth more than the last.
Step 3: Include All Four Character Types
Enable uppercase letters, lowercase letters, digits, and symbols in your generator settings. This gives you a keyspace of 94 possible characters per position. Some generators let you exclude ambiguous characters (like lowercase 'l', capital 'I', digit '1', and pipe '|') — enable this to avoid confusion when sharing passwords with team members, but keep all four character types active.
Step 4: Generate One Password Per Account — Never Reuse
This is the single most important password rule for businesses. Every account — email, banking, payroll, SaaS, hosting, social media — must have its own unique password. If one service gets breached, the attacker does not automatically gain access to your other accounts.
According to the Verizon 2025 DBIR, 65% of people reuse passwords across accounts. In a business context, that number is even more dangerous because a breach of a low-value service (like a marketing newsletter tool) can expose credentials that an attacker then uses to access your banking or email.
Step 5: Use a Password Manager to Store and Organise
You cannot remember 30 different 20-character passwords. You should not try. A password manager is essential for any business. It stores all your passwords in an encrypted vault, autofills them on websites, and syncs across devices. For small businesses, Bitwarden offers free team plans for up to three users, and 1Password has business plans starting at around £6 per user per month.
Step 6: Enable Multi-Factor Authentication Everywhere
A strong password is not enough on its own. Multi-factor authentication adds a second layer of security: something you know (your password) plus something you have (your phone, a security key). For business accounts, require MFA on everything — email, banking, password manager, hosting, domain registrar, SaaS platforms.
Step 7: Train Your Team and Enforce Policy
The best password policy in the world fails if your team does not follow it. Create a simple one-page password policy that covers: minimum password length (16 characters), password generator usage (mandatory, not DIY), password manager usage (mandatory), MFA requirements (mandatory for all accounts), and incident reporting (any suspected compromise must be reported within 1 hour). Send this policy to every team member and review it quarterly. For secure business communications around passwords, Trekmail's encrypted email ensures sensitive credential information is never exposed in transit.
FAQs
What is the best way to create a secure password?
Use a password generator that employs cryptographic random number generation (CSPRNG). Set the length to 16-20 characters, enable all four character types (uppercase, lowercase, digits, symbols), and generate one unique password per account. Store everything in a password manager.
How often should I change business passwords?
Only when necessary. The old 90-day rotation rule has been retired by NIST. Change passwords when: an employee leaves the company, a service you use suffers a breach, you suspect credential compromise, or you discover a password was shared insecurely. Unnecessary rotation encourages weaker passwords.
What is the most common mistake businesses make with passwords?
Credential reuse is the number one mistake. Using the same password for multiple accounts means a breach of any one service exposes all of them. The second most common mistake is using passwords that follow predictable patterns — a capital letter, a word, a number, and a symbol in that order.
Can a password manager be hacked?
Major password managers (Bitwarden, 1Password, Keeper) use zero-knowledge architecture — they cannot read your vault contents. Your vault is encrypted with your master password before it leaves your device. Even if the company's servers are breached, your passwords remain encrypted. Bitwarden's codebase is open source and independently audited.
Sources
- Verizon 2025 Data Breach Investigations Report
- NIST SP 800-63B Digital Identity Guidelines
- IBM Cost of a Data Breach 2026
- NCSC Password Guidance 2024
- CISA Multi-Factor Authentication Guidance