7 Password Rules for Small Business: Apply in 15 Minutes (No IT Skills Required)
Weak passwords are the leading cause of business data breaches worldwide
Imagine this: your accountant uses "Company2024" for her work email. Monday morning, she discovers the company email has been hijacked — payroll files, invoices, tax documents have all been downloaded. The hacker is demanding $8,000 ransom.
According to Verizon's 2025 Data Breach Investigations Report, 81% of corporate data breaches stem from weak or stolen passwords. For SMBs in Vietnam (where many businesses still use simple passwords like company name + year), the actual risk is even higher.
Good news: you don't need IT skills to fix this. The 7 rules below take 15 minutes per account to implement and will block 90% of automated password attacks.
What is a strong password?
A strong password is a string of characters long enough and complex enough that an attacker's computer cannot guess it within practical time. According to NIST (US National Institute of Standards and Technology) 2024 guidelines, a modern strong password needs at least 12 characters, mixing uppercase, lowercase, numbers, and special characters — and must not contain personal information.
A password like "Company2024!" looks complex, but a hacker cracks it in under 1 second because it contains common words and a year. A passphrase like "blue-coffee-morning-92!" takes about 34,000 years to crack.
7 Rules for Strong Business Passwords
Rule 1: Minimum 12 characters — longer is better
Length matters more than complexity. An 8-character "P@ssw0rd!" is much weaker than a 16-character "ilovecoffeemornings".
Easy tip: Use a memorable phrase as your password — called a "passphrase". Examples:
- Coffee_every_morning_2026!
- MyDog_is_named_Max@123
- Vietnam_summer_holiday#
Each is 20+ characters, easy for the owner to remember, and takes millions of years to crack.
Rule 2: NEVER use personal information
Strictly avoid:
- Birthdates, birth years
- Names of family members, spouse, children
- Company name, project names
- Phone numbers, license plates
- Street names, addresses
Hackers typically gather information from your Facebook and LinkedIn before attacking. A password like "JohnSmith1985" can be guessed within seconds after viewing your profile.
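The following Python script is an added example, not part of the original article: it turns Rule 1 and Rule 2 into a check you can run over a candidate password, reports which rule it breaks, and estimates the brute-force search space to show why length beats symbol soup. The personal-information list and the word list are constructed stand-ins (a real password manager draws passphrases from a list of thousands of words).

```python
import math
import re
import secrets

MIN_LENGTH = 12  # Rule 1

# Constructed example of details an attacker could harvest from a public profile
# (company name, family names, birth year, pet). Hypothetical values, not from the article.
PERSONAL_INFO = ["Company", "John", "Smith", "1985", "Max", "DaNang"]

# Constructed, deliberately tiny word list; a real generator uses thousands of words.
WORDS = ["blue", "coffee", "morning", "river", "lamp", "summer", "window", "paper"]


def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes the password actually uses."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", password):
        size += 33  # printable ASCII punctuation
    return size


def brute_force_bits(password: str) -> float:
    """Upper bound on guessing work (bits) if every character were chosen uniformly.
    Dictionary words and years make the real figure far lower; this shows the length effect."""
    return len(password) * math.log2(charset_size(password))


def check_password(password: str, personal_info=PERSONAL_INFO) -> list:
    """Return the list of rule violations; an empty list means Rules 1 and 2 pass."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"Rule 1: only {len(password)} characters, need at least {MIN_LENGTH}")
    lowered = password.lower()
    seen = set()
    for token in personal_info:
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"Rule 2: contains personal information '{token}'")
            seen.add(token)
    # Any four-digit year from 1950 to 2039 is a trivially guessable component.
    for year in re.findall(r"(?:19[5-9]\d|20[0-3]\d)", password):
        if year not in seen:
            problems.append(f"Rule 2: contains a year ({year})")
            seen.add(year)
    return problems


def generate_passphrase(n_words: int = 4, separator: str = "-", words=WORDS) -> str:
    """Passphrase from randomly chosen words, using the OS CSPRNG (what a manager does)."""
    return separator.join(secrets.choice(words) for _ in range(n_words))


def passphrase_bits(n_words: int, words=WORDS) -> float:
    """Entropy of a random passphrase: each word contributes log2(list size) bits."""
    return n_words * math.log2(len(words))


if __name__ == "__main__":
    for candidate in ["Company2024!", "JohnSmith1985", "P@ssw0rd!", "ilovecoffeemornings"]:
        print(f"{candidate!r}: {brute_force_bits(candidate):.1f} bits, "
              f"{check_password(candidate) or 'OK'}")
    print("generated:", generate_passphrase())
```

Running the script shows that "ilovecoffeemornings" (lowercase only, 19 characters) has a larger search space than "P@ssw0rd!" (all four classes, 9 characters), and that "Company2024!" passes the length rule but fails Rule 2 twice.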
Rule 3: One password per account — never reuse
This is the most important rule but the least followed. According to Microsoft's 2025 survey, 65% of professionals globally use the same password for 3+ accounts.
The consequence: when one website gets hacked (e.g., a small forum you registered on 5 years ago), hackers will try the same password on your work email, banking, and Facebook — and often succeed.
Simple rule: your work email, your banking, and your accounting software must have three completely different passwords.
Rule 4: Enable two-factor authentication (2FA) for all critical accounts
Two-factor authentication means after entering the correct password, you also need a 6-digit code sent via SMS or an app like Google Authenticator. Even if a hacker knows your password, they cannot log in without your phone.
Enable 2FA immediately for:
- Work email (Gmail, Outlook, Microsoft 365)
- Banking and payment apps
- Facebook, LinkedIn, social media
- Accounting software (QuickBooks, Xero, Misa)
- Website admin accounts (WordPress, hosting)
Setup takes 5 minutes per account. This is the most effective security measure at zero cost.
Rule 5: Use a password manager
You cannot remember 30+ different passwords — that's reality. Don't try. Use a password manager to store and auto-fill them:
- Bitwarden (free, open source) — best for SMBs
- 1Password (~$8/user/month) — beautiful UI, great team features
- Microsoft Authenticator + Edge (free with Microsoft 365) — well-integrated if you use M365
How it works: you only need to remember one master password — the software creates and stores complex passwords for every other account.
Rule 6: NEVER share passwords via chat or email
This is a common mistake: sending Wi-Fi passwords over Slack, sending admin credentials over email, storing passwords in shared Google Sheets.
Principle: passwords should only be communicated in person or through a password manager with secure sharing (Bitwarden has an encrypted "Send" feature).
If you must share via chat: split the password in two halves and send through two different channels (e.g., first half via Slack, second half via SMS).
Rule 7: Change passwords when leaked — NOT on a fixed schedule
The old advice "change passwords every 90 days" is outdated. NIST 2024 recommends: only change passwords when there's evidence of a leak, because frequent changes lead to weaker passwords.
Change immediately when:
- You receive a "login from unknown device" notification
- A website you use was hacked (check at haveibeenpwned.com)
- An employee leaves the company
- You detect unusual activity on an account
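The haveibeenpwned.com check mentioned above can also be applied to passwords without ever sending the password itself. The added Python example below (not the article's or the service's own code) implements the k-anonymity scheme the service's Pwned Passwords "range" API uses: hash the password with SHA-1, send only the first 5 hex characters, and match the remaining 35 locally against the returned list. The range reply here is a constructed stand-in so the script runs offline; the only real value in it is the SHA-1 suffix of the word "password".

```python
import hashlib


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix sent to the
    service and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


# Constructed stand-in for the service's reply for one prefix: one line per leaked hash
# in that bucket, formatted "<35-char suffix>:<times seen in breaches>". The middle
# entry is the real SHA-1 suffix of "password"; the other two lines are made up.
CONSTRUCTED_RANGES = {
    "5BAA6": "\n".join([
        "0" * 34 + "1:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234",
        "F" * 34 + "0:7",
    ]),
}


def fetch_range_offline(prefix: str) -> str:
    """Offline stand-in for an HTTP GET of https://api.pwnedpasswords.com/range/<prefix>
    (the real endpoint; a production version would perform that request here)."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def count_in_range(range_text: str, suffix: str) -> int:
    """Return how many times the hash appears in breach data, or 0 if the suffix is absent."""
    for line in range_text.splitlines():
        line = line.strip()
        if not line:
            continue
        hash_suffix, _, count = line.partition(":")
        if hash_suffix.upper() == suffix:
            return int(count)
    return 0


def pwned_count(password: str, fetch_range=fetch_range_offline) -> int:
    """Full k-anonymity check: only the 5-char prefix reaches the service."""
    prefix, suffix = sha1_prefix_suffix(password)
    return count_in_range(fetch_range(prefix), suffix)


if __name__ == "__main__":
    for candidate in ["password", "blue-coffee-morning-92!"]:
        n = pwned_count(candidate)
        print(f"{candidate!r}: {'seen ' + str(n) + ' times, change it' if n else 'not in sample'}")
```

Any non-zero count means the password is already in attackers' wordlists and falls under "change immediately", regardless of how strong it looks.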
4 Common Password Mistakes in SMBs
According to Thanh Nguyen — Founder, Vietify IT Services:
"When auditing systems for businesses in Da Nang, we commonly see 4 mistakes: Wi-Fi passwords taped to the wall, 'Passwords.xlsx' file on the desktop, shared admin accounts for the entire company, and 2FA disabled despite having Microsoft 365. All four can be fixed in one afternoon."
Mistake 1: Using default passwords on devices (routers, cameras, printers).
Mistake 2: Storing passwords in unencrypted Excel/Word files.
Mistake 3: Sharing one admin account among multiple employees — impossible to trace incidents.
Mistake 4: Enabling "Remember password" on shared computers.
When to Call IT Support?
You can apply the 7 rules above yourself in 15 minutes. However, professional IT help is needed when:
- Your business has 10+ employees — need team-wide password manager rollout
- You need to set up password policies (Group Policy) on Windows domain
- You suspect a breach — need full account audit
- You need to train employees on password security
Vietify provides IT security services for businesses in Da Nang including password manager rollout, company-wide 2FA setup, and employee training — starting from 1.5M VND/month (~$60).
Check Now: Are Your Passwords Safe?
Visit haveibeenpwned.com and enter your work email — if you see "Oh no — pwned!", your email has been leaked in some breach. Change passwords immediately.
Or download the Vietify Audit Tool to check your entire Windows computer in 5 minutes — automated report on security status, password policy, and weaknesses to fix.
Conclusion
Strong passwords aren't hard — just changing habits. The 7 rules above cost nothing and apply in 15 minutes per account. This is the highest-ROI security investment you can make today.
The most important rule: enable 2FA for your work email. This single action blocks 99.9% of automated attacks (per Microsoft 2024).
If your business in Vietnam needs a professional IT team to deploy comprehensive security, book a free IT assessment with Vietify — detailed PDF report on 6 security categories within 24 hours, no commitment.
Vietify IT Services — Professional IT team for SMBs in Da Nang, Vietnam. Last updated: May 2026 | Author: Thanh Nguyen, Founder, Vietify IT Services
Updated: 13/5/2026
