Risk in Business - 7 Password Fails

7 Passwords You Should Never Use at Your Small Business

James O'Brien

Owning a small business means owning data. You’re constantly acquiring new information related to your customers, your financial details, and all the vendors and contractors with whom you work. One cyber criminal, though, one lucky hack, and you’ve just exposed your business to a major blow. From lost trust among your clients to costly lawsuits for the damage done, protecting your company from data theft is among your most important responsibilities.

A lot of it comes down to one simple choice you make: passwords.

“Overall, passwords still present the biggest challenge for businesses of all sizes,” said Ron Schlecht, founder and managing partner of BTB Security. Businesses hire Schlecht’s company to test their digital security for weak spots and, he said, “you can’t imagine how many times we still break in to companies because of a bad password.”

If you want to avoid weak passwords at your business, start by steering clear of the following list. Read on for seven passwords you should never (ever) use.


Arguably, this is the number-one and most common bad choice. Also prevalent are variations such as P@ssword and P@55w0rd!. These might be easy to remember, but they’re also among the first options hackers will try.


Easy-to-guess passwords often take root because they’re simple to remember. That’s the story with this hacker-friendly option constructed from the sequence of letters at the top left of the typical computer keyboard.


Or, 98765. Or, 4567. You get the picture — no consecutive numbers (and the same goes for sequential letter combinations). You can only count on passwords such as these to expose your business to digital theft.


If your shop is called Serafina’s Weddings, don’t set your password as SerafinasWeddings1. That would be an early choice for hackers looking to break into your valuable data.

Business Address

Skip it entirely, when it comes to passwords. Also avoid trying to mash together similar details, such as your street name and street number — i.e. Main215. 

Date of Birth

Thanks to the Internet, it doesn’t take much effort to find a person’s DOB. Birthdays, birthdates, years of birth — all of them make for readily attainable passwords and are poor choices for your company.

Simple Dictionary Words

Especially if they’re related to your business, don’t use them. No baseball, football, or soccer for your sporting goods store. No muffler, tire, or spark plug for your auto garage.

And so, what should you do when it comes to picking a password?

A key approach starts with thinking of a passphrase. Next, substitute letters, characters, and abbreviations for parts of it. For example, “my first car was a Honda in 1990” would be easy enough to remember, if that was the case in your life. Now, change it to my1stc@r=honda90.

Steer clear of the not so magnificent seven above, and protect your data with hard-to-guess constructions. With a strong password strategy, you’re well on your way to foiling online attacks.
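One way to enforce the seven categories above when a password is created, as an added example that is not part of the original article. The function name `screen_password`, the word lists, the street address and the birth date are constructed for illustration; a real deployment would use a full breached-password list and dictionary.

```python
import re
from datetime import date

# Constructed sample data; replace with a breached-password list and a
# full dictionary in practice.
COMMON = {"password"}
KEY_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
STREET_SUFFIXES = {"st", "street", "ave", "avenue", "rd", "road", "blvd", "dr", "ln"}
# Undo the character swaps the article warns about (P@ssword, P@55w0rd!).
LEET = str.maketrans("@4310!5$7", "aaeioisst")
DOB_FORMATS = ("%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y", "%d%m%y", "%Y")

# Constructed business profile used by the demo and the checks below.
SAMPLE = dict(
    business_name="Serafina's Weddings",
    address="215 Main St",
    birth_dates=[date(1975, 3, 15)],
    words=["baseball", "muffler", "tire"],
)


def _letters(text):
    """Lower-case, reverse leetspeak, keep letters only."""
    return re.sub(r"[^a-z]", "", text.lower().translate(LEET))


def _cores(password):
    """Candidate base words: with and without trailing digits/symbols."""
    trimmed = re.sub(r"[^A-Za-z]+$", "", password)
    return {_letters(password), _letters(trimmed)}


def _is_run(chunk):
    """True for 3+ characters that step up or down by one (123, cba)."""
    steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
    return len(chunk) >= 3 and steps in ({1}, {-1})


def _only_sequences(password):
    """True when the whole password is built from consecutive runs."""
    raw = password.lower()
    chunks = re.findall(r"[a-z]+|[0-9]+", raw)
    return bool(chunks) and "".join(chunks) == raw and all(map(_is_run, chunks))


def _address_hit(password, address):
    """True when street number and street name both appear (Main215)."""
    tokens = [t for t in re.findall(r"[a-z0-9]+", address.lower())
              if t not in STREET_SUFFIXES]
    raw = password.lower()
    return bool(tokens) and all(t in raw for t in tokens)


def _dob_hit(password, birth_dates):
    """True when the digits contain a birth date or birth year."""
    digits = re.sub(r"\D", "", password)
    return any(d.strftime(f) in digits for d in birth_dates for f in DOB_FORMATS)


def screen_password(password, business_name, address, birth_dates, words):
    """Return the article's categories the password falls into ([] = none)."""
    cores = _cores(password)
    biz = _letters(business_name)
    hits = []
    if cores & COMMON:
        hits.append("password variant")
    if any(len(c) >= 4 and c in row for c in cores for row in KEY_ROWS):
        hits.append("keyboard sequence")
    if _only_sequences(password):
        hits.append("consecutive characters")
    if biz and any(biz in c for c in cores):
        hits.append("business name")
    if _address_hit(password, address):
        hits.append("business address")
    if _dob_hit(password, birth_dates):
        hits.append("date of birth")
    if cores & {w.lower() for w in words}:
        hits.append("dictionary word")
    return hits


if __name__ == "__main__":
    for candidate in ("P@55w0rd!", "qwerty", "98765", "SerafinasWeddings1",
                      "Main215", "03151975", "B@seb@ll!", "my1stc@r=honda90"):
        print(f"{candidate!r:22} -> {screen_password(candidate, **SAMPLE) or 'ok'}")
```

An empty result only means the password avoids these seven patterns; it says nothing about whether the password has already appeared in a breach.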


54 Responses to "7 Passwords You Should Never Use at Your Small Business"
    • Kalvin Sid | April 13, 2022 at 12:35 pm

      Darn, now I have to change all my passwords. You should make this article sharable on social media!

      • Small Biz Ahead | April 14, 2022 at 8:53 am

        We’re glad you liked it, Kalvin! You can use the social media buttons at the top of the article to share it. You can also download the article!

    • Adrian | April 13, 2022 at 10:51 am

      I have three passwords that I rotate. Each password is 8 characters (I realized that 8 is the magic number for most websites) and they contain 1 capital letter, 1 letter replaced with a character and 2 numbers.

      • Small Biz Ahead | April 14, 2022 at 8:51 am

        Thanks for sharing, Adrian! That sounds like a good strategy.

    • Edward K. Takahashi Architectural Corporation | April 13, 2022 at 4:17 am

      Neat info. Thanks.

      • Small Biz Ahead | April 13, 2022 at 9:10 am

        You’re welcome!

    • Joe Black | December 31, 2019 at 11:11 am

      Good article. You’ll never write an article of any type that won’t bring out the opinions of people who know better. It’s always good to be reminded of, and get tips on, changing your passwords. I’m not an IT techie and hacking is a mystery to me, but like gravity, it still exists. I use a password manager myself. I figure I cannot trust my own memory or my diligence to change and remember passwords, so I have to trust someone. There were a number of good ideas for creating passwords, but if you need a lot of them, I’m back to remembering or writing down. If we are talking about just one, say for a network, most all of those suggestions are good. It isn’t clear what exactly we are trying to protect against: personal data, company data, or Ransom? I use off network hard backup, such as a HD, or SSD. I use a cloud backup at home. If it’s only connected long enough to make a copy, it should be pretty safe. But, nothing is perfectly safe. It was interesting to hear about the length vs the complexity issue. But one person said all Lower Case, and I’ve always heard adding a capital letter increases the complexity a lot. My master password for my Password Manager is 8 characters long with two caps and two numerals. It’s not a word, just random characters. It’s the only Password I actually have to remember, and probably the only one I can remember. Should I make it longer? If I change it often, I’ll never know what it is. I don’t have any office network passwords in my manager, though I do use it for websites I use at work to do research and procure items. Ransomware scares the crap out of me. I have a friend in the security business who has just gotten a client who is ready to pay like a $6 million ransom, against his advice. Our IT guy says we are safe from ransomware, but how do I know for sure? Anyway, thanks for all of the comments. I’m never too old to learn, but old enough to forget what I just learned.

      • Chloe Silverman | January 2, 2020 at 8:48 am

        Great advice. Thank you for sharing!

    • X________3$ | December 31, 2019 at 10:00 am

      Years ago IT guy hinted to use last six of your SSA #s preceded by upper case letter (first name) succeeded by # 1 = a, etc., followed by special character if required. All kept in drop box Spread sheet as X______3$ with variations for each site. Close family knows where to find the file and hopefully if a hacker accessed the file they won’t have the basic info to make any sense of it, but my close family will be able to piece it together.

      • Chloe Silverman | January 2, 2020 at 8:46 am

        Great tactic! Thank you!

    • Joe Grasso | March 4, 2019 at 2:11 pm

      Random complex passwords are hard to remember. Try using the first letters of each word in a phrase, and add/substitute capital letters, characters for letters, add dates and punctuation. You can use song lyrics or titles, quotes, etc. You now have a complex password that is a little easier to remember.

      For example:

      Hismf@vIC! – Hartford is my f@vorite Insurance Company!
      Mnpw4ws030419 – My new password for web site March 4, 2019
      IHcrcped# – I Hate creating random complex passwords every day

    • Gene Marks | February 14, 2019 at 10:39 am

      Hi Mary,

      Your question about managing passwords is great. I have 3 suggestions:

      1 – use a Password Manager. Here are a few: https://top5-passwordmanagers.com/?
      2 – create a spreadsheet, password protect it and save it online (Google Sheets or Dropbox, for example)
      3 – create a special record in your customer relationship management program where you store all passwords (that’s actually what I do).

      However, in ALL cases, you must TELL someone where to go to get this information. Some of my clients keep that information with the rest of their important life docs like their estate plan or wills. Others share it with a spouse or trusted friend.

      Hope this helps….

    • Mary E Rossow | February 13, 2019 at 11:47 pm

      After reading entire 📑 article and all comments that followed, there seems to be one topic that is NEVER mentioned.

      As a small business owner of 34 years, I literally have 💯’s of different, original passwords.

      Each one is cleverly retained in my 💭 memory (and 🖊 written down 🚫 nowhere) so they appear to be safe.

      However, what happens if I get a 🧠 concussion in a 🚑 car accident or something similar to that?

      Or step off the curb and get hit by “the proverbial 🥛🚛 milk truck”?

      Someone (a trusted 👤 colleague or 👥 family member) would need access to all my 💻 accounts to either temporarily run my business and/or just shut it down.

      So HOW and WHERE do I manage that situation?

      Even if I listed all the passwords on 📝 paper, put it in a safe, and only gave one or two people the combination, it still wouldn’t work for me.

      I find that passwords are created and/or changed weekly, so “The Master 📝 List” would ALWAYS be out of date. 😱

      How are other small business owners handling this dilemma?


      • Hannah Sullivan | February 14, 2019 at 8:40 am

        Great advice Mary, thanks for sharing!

      • Gail | April 12, 2022 at 6:48 pm

        We are a webhosting company and passwords are a way of life, and soon with each password (yes I said EACH, never use a password for 2 different logins) you will be required to use 2FA, 2 Factor Authentication. Why? Well, because hackers are training their computers better, building better software. Key points I would like to offer:

        1) The MOST secure password you should create is the one to your email box. If someone gets it they have full access to reset all your passwords on all your accounts. TADA no hacking required.
        2) Passwords should be a minimum of 12 but we recommend at least 13 if the site will allow it. Why? Because the FBI seminar we attended several years ago stated that the software used to decrypt passwords runs on blocks of 4, so with 12 they would need to complete 3 blocks but with 13 or 14 they would have to start on the 4th block. Chances are greater they will give up before then.
        3) Purchase a Password Manager like LastPass.com. You only have to remember for sure one password: the one to open the vault. If you lose it you have lost it all; there is no recovery. But there are extensions for your browsers (love them), you can download to an excel file all your vault entries, you can provide in your will the master password and then access to all your accounts (personal and business) will be available to your assigned person. Oh, when you update/change a password on a website it will update it in the vault. And you can share between LastPass members. There are Free versions and Paid versions (recommend for businesses with employees as you then own the passwords and the accounts).
        Hope that helps
        (Knowledge learned and not shared is wasted)

        • Small Biz Ahead | April 13, 2022 at 9:19 am

          This is great advice! Thank you for sharing it!

    • Patrick Fitzgerald | February 11, 2019 at 3:57 pm

      Length of the password is the most efficient way to gain complexity, using the character substitutions published in the comments is a red flag; if you read them here, you can assume that hackers are aware. One trick I use is I keep 5 phrases that are longer, but logical, and attach them to a set of 5 phone numbers that I remember, but was never associated with personally (I remember my best friend’s phone number from 40 years ago) So something like Iusedtocall_joeym@6719248, my wife used to live at 3816 Maple St. Shehadadognamedsammyon3816Maple. Simple, easy to remember and with a few rules you can process your way into the account if you forget your password.

      • Hannah Sullivan | February 12, 2019 at 1:45 pm

        Very creative, Patrick! Thanks for sharing.

    • Dale Morgan | February 8, 2019 at 10:57 am

      I have been preaching strong passwords for almost 20 years. I think I have heard every argument against good password policy that has been dreamt up. Here is the bottom line that will help every user with their passwords:
      Read vanity license plates – there are some excellent choices out there. Think ST8, L8, D8, GR8, 4D, 1DERTFUL, EVERY1, NO1, etc. I know someone who starts every password with ST8MN or whatever state the company is in and then adds something to identify the company and then some random characters. So, his password for Target stores is: ST8MNtrgt@)!( or ‘State=Minnesota, Target, 2019’.
      That sure beats the user who found a way to beat the system that required complex passwords changed every 90 days – her password is Winter2019! – I know her passwords for the next 20 years. Some days you just can’t win!


      • Hannah Sullivan | February 8, 2019 at 12:24 pm

        Thank you Dale.

    • C W | February 8, 2019 at 10:55 am

      A password protected Excel document can be cracked in seconds. THIS IS NOT A SECURE WAY TO STORE PASSWORDS.

      Also, a password protected document is NOT ENCRYPTED… it’s still plain text.

      To anyone not using a password manager, which IS encrypted, you are putting your security at risk by not using a proper encrypted password manager.

      Don’t let your fear of the “unknown” or complexity of a proper password manager prevent you from maintaining proper security.

      As many have mentioned, 1Password is an excellent tool for password management. It is encrypted. It can be synced to multiple devices. It will assist you in creating stronger and more difficult passwords (most of my passwords are at least 32 characters, unless the site forces something smaller). It includes plugins for all major browsers so you can easily insert difficult passwords into websites and forms.

      In a business environment, you should be using something like 1 Password for Teams, which allows each employee the ability to keep their own passwords secure, and shared passwords for company required sites and functions (which is very important as employees come/go from companies). You don’t know the number of times I’ve seen an employee fired, and the company is crippled for weeks trying to gain access to required resources online because that employee “had their own system” which wasn’t defined with any oversight. As a business owner, you should not leave the security of your business up to your employees. You should not leave the management of passwords up to individual users. YOU need to be in control. If this is outside your comfortability, please please please, hire a competent IT/Security professional.

      Reading some of these comments makes me shudder…

      • Hannah Sullivan | February 8, 2019 at 12:24 pm

        Thank you for your feedback!

    • ESH | February 8, 2019 at 8:33 am

      As others have commented here, password managers are the best solution to create complicated passwords. I’m a little surprised this option wasn’t mentioned at all in this piece. I’ve been using one for years and every account I have has a complicated, difficult to guess password including numbers, letters and special characters. I’ve been using 1Password and highly recommend that other small business owners look into using them.

      2 Factor authentication should be used for every account that offers it as well. You’ll receive a code (either to your phone or via email) that you need to enter in to sign in.

      • Hannah Sullivan | February 8, 2019 at 10:33 am

        Great suggestion, thank you for sharing.

    • frank | February 7, 2019 at 1:47 pm

      I worked with a woman once whose password was “unique”. She did this because when the system was set up a memo came out and told the new users they must create a userid & password and the password must be unique.

      • Hannah Sullivan | February 8, 2019 at 10:31 am

        How funny! Thanks for sharing Frank.

    • Holly | February 7, 2019 at 10:56 am

      We have 6 employees and hundreds of passwords, most of which change regularly and many of which are shared by everyone in the office. I don’t trust password managers, so we’re currently using a password-protected excel doc stored on our local server. Can anyone comment on how secure this actually is?

      • Hannah Sullivan | February 8, 2019 at 10:30 am

        A suggestion we have, Holly, is making sure the password for the protected excel doc is something creative and different from the “hundreds of passwords” you mentioned in your comment. Also looking forward to what other business owners have done with their passwords.

    • Allen Thorpe | February 6, 2019 at 12:13 pm

      I use long (15-20) random passwords that I store in an encrypted spreadsheet that is backed up in the cloud. It is available on all my devices and any other computer connected to the net. I only have to remember one master password. The file contains the organization name, website, account / user name, password and other notes like answers to the security questions. I also list a category ie banking, medical or invest. It’s not as convenient as a password manager but I feel more in control.

      • Hannah Sullivan | February 8, 2019 at 10:29 am

        Great tactic Allen!

    • JWM | February 6, 2019 at 11:00 am

      All so difficult to deal with. I try to make it easier for myself. I have about 20 passwords in my head. I use these on a rotating basis. I can’t remember which password I used for “this or that” site but I have it written down – IN CODE. It’s a code I invented myself. Try to use what I’ve written down and you will not get far. But I easily recognize which one it is.

      • Hannah Sullivan | February 8, 2019 at 10:27 am

        Very clever! Thanks for sharing.

    • Nick T | February 6, 2019 at 10:54 am

      The end user is usually the one who gives the password out in my experience. I only have one client whose email password was hacked because of lack of complexity.

      • Hannah Sullivan | February 8, 2019 at 10:24 am

        Thanks for your comment, Nick!

    • D Davis | February 6, 2019 at 4:12 am

      You always do such a great job producing content that is business owner relevant! Thank you!!

      • Hannah Sullivan | February 6, 2019 at 8:26 am

        Thank you for your feedback!

    • Ken | February 6, 2019 at 2:47 am

      I heard a short teaching at a business networking event saying that far more effective than combinations of letters, symbols and numbers is a string of 4 unrelated words (as a single word) in small letters. For their example, they strung together the words “horse” “clamp” “battery” and one other I can’t remember, so something like “horseclampbatterygrape” (the quotes would not be part). Passwords like this would take a very sophisticated hacking program multiple centuries or even millennia to crack. And they’re easy to remember with a word picture–say, imagine a horse putting a clamp on a battery with a grape on his nose.

      Yet most programs will NOT allow you to get away with something like this.

      Can anyone comment on the validity of this? And on why it’s not allowed?

      Thanks in advance.

      • Hannah Sullivan | February 6, 2019 at 8:27 am

        Great idea, Ken! Looking forward to hearing what others think.

    • ASB | May 22, 2018 at 8:08 pm

      The key points to password management in the 21st century (or, at least, this part of the century) are the following:

      – Use a password manager
      – Don’t reuse passwords across multiple sites
      – Definitely don’t reuse passwords across sites of different trust levels (your online banking & some social media account)
      – Since you’re using a password manager anyway, consider random passwords
      – Keep your passwords safe and backed up


    • Bob | February 26, 2018 at 12:38 pm

      I agree with the concept of the phrase. It is much easier to remember, at least for me. A friend showed me his system and he never has to write them down. His system is: This is myHartford21pw!

      This turns into TimHartford21pw!

      The Tim is: this is my, Hartford is the company you are signing into, 21 is a random number you choose and always use, pw stands for password and he always uses an !

      Not perfect, but pretty good and he doesn’t write them down anywhere.

    • JM | February 25, 2018 at 1:17 am

      I agree some of this info is dreary!
      What do I do with passwords? First of all, I don’t trust those online password manager programs. NOTHING is secure online!! So I created a Word document and saved it to my desktop. Most of the passwords are not connected to my business. I’m a sole proprietor with no employees and no customers. My passwords are for online businesses I use. Yes, I use my dog’s name in some passwords, but the name is from another language, so although it uses regular letters, the odd spelling will probably deter hackers. At one point I had 3 cats and 2 dogs. I created passwords using 1 or 2 letters of each pet’s name and added a number. Security checks always indicated they were strong.
      I strongly recommend NEVER save passwords online. One day a hacker will break their security wall, and you’ll lose EVERYTHING!

    • Lisap | February 22, 2018 at 12:21 pm

      The basic idea of the article is good advice, but the suggestions of what to use do not always work. Every site or program has different requirements, so just because some of those fancy passwords will work on one site, does not mean it will work on another. One may require you to have so many numbers and so many special characters, where another site may not allow the use of special characters.

      Example: my1stc@r=honda90 may work on one site, but next site says no special characters so now my1stcarhonda90, then the next site says must have a capital letter, so My1stcarhonda90, so this may be a good suggestion, but see the combinations for sites continues to change.

      Some sites/programs require you to change every so often, (3 months, 6 months, 12 months) and do not allow you to reuse a password again.

      A good idea is keep work passwords different than personal passwords.

    • Carol Quint | February 21, 2018 at 4:14 pm

      As an older person, I have a simple solution to passwords that can never be hacked or stolen. It’s called a Rolodex file system, which not only has the names of businesses I deal with, but also has phone numbers, and PASSWORDS. Yes, I hand-write each card (in pencil, in case I need to change a password, which some sites require after a few months). But everything is perfectly safe, unless you are working in an office where someone might steal your file, and then you’re in the wrong office. It is easily moved from work to home, and back again.

    • uxf | February 21, 2018 at 12:34 pm

      There’s a familiar, dreary cluelessness about articles like this. It’s as if it’s written from the point of view of a business that doesn’t know how their customers really live. Sure, you can tell people to choose a strong password, but there’s not a hint of awareness in the article that people have to have strong passwords for 30-50 accounts. That each strong password has to be unique. That each strong unique password has to be changed every 6 months. Sure you can argue about complexity versus length, but most accounts do not allow for long passwords. I have one that is actually still limited to 6 characters (!!!!). As for complexity, people have to deal with one login that requires special characters, and another login that forbids special characters, and yet another that requires special characters but forbids /, %, and @. And so on and so on.

      In other words, these articles are basically telling people to use passwords that they will never remember. And so comes the password managers, which require you to entrust your passwords not to your brain but to some software or thumb drive. If you lose that, you lose all your passwords! And what if you are trying to log in on a computer that does not have your password manager loaded on it?

      Stop the insanity and stop articles like this. Until you figure out a better solution than passwords, open up your system and let people choose whatever password they want. Otherwise, they’ll use 12345 or – and I’ve seen quite a few security specialists actually recommend this now – they’ll write it on a post-it and stick it to their computer screen!

      • Marilyn Moore | March 31, 2021 at 7:45 am

        I’m a sticky note on the base of the computer type of person! Thankfully, hackers can’t see the rim of my computer and I keep the camera covered. Easy peasy.

    • ElGallego | February 21, 2018 at 11:46 am

      Passwords are a nightmare. Typically, a small business has 20 to 50 essential passwords. A large business has hundreds of passwords, used by hundreds of staff. The management of passwords alone is a significant impairment of digital utility. And each password must be changed regularly, be composed of no less than ten characters, which must include one capital, one lower case, at least one digit, one non-language character, there must be no reference to your name or prior passwords, &c., &c. &c…

      Even the “fingerprint” and “retinal” solution invites nightmares, especially in foreign intelligence. All I need is the authorized eyeball or digits to have access. And the sensors themselves need intense maintenance, or security is undermined by emergency backdoors.

      I look forward to return to the use of metal keys. They also have their own weaknesses, but the chaos they inspire is of zero burden compared to digital passwords.

    • Nadine Silverstein | February 21, 2018 at 7:34 am

      When I am looking to log on I always see network names that clearly identify which business owns the network. It’s a welcome sign for hackers. How about naming your secure network with a random name as well!

    • Roman | February 21, 2018 at 6:55 am

      Your password shall be no less than 15 characters or more, random phrase that you remember well, but no one else, should do. All lowercase too.
      Keep changing it every month or two,
      No one will crack that one.

    • Dan | February 21, 2018 at 3:08 am

      Good suggestions, though, I tend to use passwords related to the business…for instance, the auto shop, I’d be perfectly fine with $P@rk=Pl^g (instead of spark-plug).

      Generally, I use the following substitutions: $ for S, 3 for e, @ for a, 1 or ! for I, 0 for O (and vice versa!), and ^ for U. Replacing all the vowels means you don’t have a dictionary password. If I’m lazy, I might add a 123 at the end; of course, it looks like !@3.

      My mechanical engineering clients could use 2ndL@w-Th3rm0dyn@m1c$ that should slow down the script-kiddies a bit.

    • Brian | February 21, 2018 at 12:33 am

      Years back I read a study on password psychology. Then I sized up my boss, knew she did not have children, treated her dog like a child, and had very strong maternal instincts, so I guessed her password to be her dog’s name, and she was shocked when I told her my prediction. Got that one right. People often use their children’s names, and there are many other common categories.

    • Matthew Demaree | February 20, 2018 at 11:11 pm

      We found the best solution is to use a password manager that is highly secure, most of our passwords are actually unknown even to us because the system fills the password fields for you. We set ours to create very strong passwords with letters, numbers, symbols, and at least 16+ characters. The software syncs to your phone as well so you have access anywhere you go, and 2-factor is highly encouraged.

      Download a copy with 6-free months.

    • CW | February 20, 2018 at 8:30 pm

      I have to disagree with this article.

      Most security researchers and IT Pros (myself included) understand that length is more important than complexity.

      You can have a password that is easy to remember, as long as the number of characters is high enough.

      A password which is overly complex (might also be secure) also encourages people to write them down on sticky notes.

      You can create long passwords with a favorite phrase, bible verse, or movie quote:

      “you are what you eat” could be = You are what you eat!xx where xx defines your birth year or other memorable year.

      “say hello to my little friends” could be = !Say hell0 to my little friends!

      Passwords need not be complex to be secure. They only feel complex to us because they are hard to remember!!!

      More detail here: https://www.grc.com/haystack.htm

    • Bree Faber | October 22, 2017 at 3:08 am

      This was very helpful for my friend’s mom because she owns a small business and she looked at this and she was going to do an address password. I showed her this and she said she was going to do something complicated but easy to remember. Thank you.

      • Jim Kubin | March 30, 2021 at 10:24 pm

        I have been using Bitwarden, free version for a few years now. It not only allows me to store many URLs and my own conceived passwords but will also generate passwords and will check to see if any password has been used in a breach.
