The Help Desk
Stop Trying to Remember Every Password — Here's a Better Way
Most people are one data breach away from serious trouble. A password manager costs nothing to get started, takes about 20 minutes to set up, and fixes the problem for good.
The Honest Truth About How Most People Handle Passwords
If you're using the same password on more than one website, writing passwords on a sticky note, or choosing something like Company2024! because it “meets the requirements” — you're not alone. Most people do exactly this. And most people are one compromised account away from a serious problem.
The good news is that fixing this doesn't require any technical skill. It just requires a small change in habit — and the right tool.
What Actually Makes a Password Strong?
The rules have changed. The old advice (use uppercase, a number, and a special character) is now explicitly rejected by the US National Institute of Standards and Technology (NIST). Its password guidance, SP 800-63B, has discouraged forced composition rules since 2017, and the 2024 revision turns that into a firm "do not". Forced complexity rules produced passwords like P@ssw0rd that looked strong on paper but were predictable and easy to crack, because everyone made the same substitutions.
What actually matters is length. A longer password is exponentially harder to crack than a short, complex one. Here's what NIST now recommends:
Make it long — at least 15 to 16 characters
Length is the single biggest factor in password strength. A 16-character password is dramatically harder to crack than an 8-character one, even with symbols.
Try a passphrase — four or more random words
A passphrase like coffee-table-thunder-lamp is 25 characters, easy to remember, and far stronger than Tr0ub4dor&3, provided the words are picked at random (by your password manager's generator, or by rolling dice against a word list) rather than chosen from your own head. NIST explicitly endorses allowing long passphrases, spaces included.
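To make the length-versus-complexity point concrete, here is a small Python script, added to this article and not from NIST, Bitwarden or 1Password, that generates a passphrase with a cryptographically secure random choice and compares the entropy of the usual options. The word list is a constructed stand-in for a real one; the EFF list size of 7776 words and the guess rate of ten billion per second are assumptions used only for the arithmetic.

```python
import math
import secrets
from typing import Dict, List, Tuple

# Constructed, deliberately tiny word list so the demo runs offline.
# A real Diceware/EFF list has 7776 words; use one of those in practice.
DEMO_WORDS: List[str] = ["lamp", "river", "copper", "biscuit", "coffee", "table",
                         "thunder", "cloud", "pencil", "orbit", "velvet", "harbour"]
EFF_LIST_SIZE = 7776  # assumed size of the EFF large word list, for the maths only


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols chosen uniformly from `pool_size`.
    Only holds when the choice really is uniform: a human picking
    'coffee table' from memory gets far less than this."""
    return length * math.log2(pool_size)


def random_passphrase(words: List[str], n_words: int = 4, sep: str = "-") -> str:
    """Pick n_words using the CSPRNG behind `secrets`, never `random`."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password after searching half the keyspace."""
    return (2 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)


def compare(guesses_per_second: float = 1e10) -> Dict[str, Tuple[float, float]]:
    """Entropy and expected crack time for typical password-policy outcomes.
    The guess rate is an assumption (roughly one GPU against a fast, unsalted
    hash); real rates vary by orders of magnitude with the hashing scheme."""
    cases = {
        "8 chars, random printable ASCII (95 symbols)": entropy_bits(95, 8),
        "16 chars, random lowercase only": entropy_bits(26, 16),
        "4 random EFF words": entropy_bits(EFF_LIST_SIZE, 4),
        "6 random EFF words": entropy_bits(EFF_LIST_SIZE, 6),
    }
    return {name: (round(bits, 1), years_to_crack(bits, guesses_per_second))
            for name, bits in cases.items()}


if __name__ == "__main__":
    print("Example passphrase:", random_passphrase(DEMO_WORDS, 4))
    for name, (bits, years) in compare().items():
        print(f"{name:45s} {bits:6.1f} bits  ~{years:.3g} years")
```

Two things the numbers show that the prose alone does not: 16 random lowercase letters (about 75 bits) beat 8 fully random characters drawn from every key on the keyboard (about 53 bits), and four random dictionary words (about 52 bits) are only on a par with those 8 random characters. Each extra word adds roughly 13 bits, which is why five or six words is the comfortable target and why the words must come from a generator rather than your memory.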
Never reuse passwords across different accounts
If one site is breached and attackers get your password, they'll try it on your email, banking, and Microsoft 365 — it's called “credential stuffing” and it works precisely because people reuse passwords.
Avoid personal information — names, dates, places
Attackers can look up your birthday, your pet's name, and your child's name on social media. Passwords that include these are far easier to guess than they feel.
What about changing passwords regularly?
NIST's guidance (SP 800-63B, tightened in the 2024 revision) says organisations should not force regular password changes; a change should be required only when there is reason to believe the password has been compromised. Forced rotation produces predictable patterns like Password1, Password2, Password3. A strong, unique password you keep is better than a weak one you change monthly.
So How Do You Have a Unique Password for Every Account?
Nobody can memorise 50 strong, unique passwords. That's not a memory failure — it's just not humanly possible. This is exactly what password managers were built to solve.
A password manager is a secure digital vault that stores all your usernames and passwords in one place. It generates a strong, unique password for every account, remembers them all, and fills them in automatically when you log in. You only need to remember one single master password — the one that unlocks the vault itself.
What a password manager does for you:
- ✓ Generates long, random, unique passwords for every account
- ✓ Stores them securely using strong encryption
- ✓ Auto-fills your login details on websites and apps
- ✓ Works across your phone, computer, and tablet
- ✓ Warns you if a saved password has been found in a data breach
- ✓ Can securely store other sensitive info — Wi-Fi passwords, licence keys, secure notes
Which Password Manager Should You Use?
There are several reputable options. The two we most commonly recommend to our clients are:
Bitwarden
Best free option — fully open source
Bitwarden is open source, meaning its entire codebase is publicly available for anyone to inspect. It undergoes annual independent security audits (the 2024 audit was published in August 2025). The free plan includes unlimited passwords across unlimited devices — which is genuinely rare. Premium is just $10 per year.
Strengths
- ✓ Open source and independently audited
- ✓ Free tier is genuinely full-featured
- ✓ Works on all platforms and browsers
- ✓ Can self-host for maximum control
Worth noting
- → Interface is functional but not as polished
- → Advanced reports require the $10/yr premium
1Password
Best overall — polished and business-friendly
1Password is proprietary (closed source) but undergoes regular independent penetration testing, with reports available through their Trust Centre. It's consistently rated the best overall password manager for ease of use. The family plan ($4.99/month) covers up to 5 users, and there are solid business plans for teams.
Strengths
- ✓ Excellent, intuitive interface
- ✓ Watchtower: flags breached, weak, or reused passwords
- ✓ Travel Mode to hide sensitive vaults at borders
- ✓ Excellent family and business plans
Worth noting
- → No free tier — 14-day trial only
- → Closed source (audited but not open)
What about the password manager built into my browser?
Chrome, Edge, and Safari all have built-in password storage, and it is far better than reusing one password everywhere. For business use, though, a dedicated password manager is strongly preferable. A browser's store is unlocked for as long as you are logged in to the computer, so malware running under your account, or anyone at your unlocked desk, can read it; a dedicated manager keeps the vault locked behind its own master password and re-locks it after a timeout. Browser stores also tie your passwords to one vendor's account, so they don't follow you across browsers, and they lack the shared vaults and admin controls a team needs. (All three browsers now warn about passwords seen in breaches, so that is no longer the difference.)
How to Get Started in Three Steps
You don't need to move all your passwords at once. Start small and build the habit over a week or two.
1. Choose a password manager and create your account
Download Bitwarden (free) or start a 1Password trial. When setting up your master password, choose a memorable passphrase of four or more random words; this is the one password you'll actually need to remember. Write it down and store it somewhere physically safe, just for the initial setup period. Then turn on MFA for the vault account itself before you put anything in it, because it is about to hold the keys to everything else.
2. Install the browser extension and mobile app
Both Bitwarden and 1Password have browser extensions for Chrome, Edge, Firefox, and Safari, plus apps for iOS and Android. Once installed, your vault is available everywhere — and the extension will prompt you to save new passwords as you log in to sites.
3. Prioritise your most important accounts first
Start with the accounts that matter most — your email, Microsoft 365, banking, and any business systems. Use the password manager to generate a new, unique password for each one, save it in the vault, and enable Multi-Factor Authentication (MFA) while you're there. Work through the rest over the following days.
The Final Layer: Multi-Factor Authentication (MFA)
A strong, unique password is your first line of defence. Multi-Factor Authentication (MFA) is your second — and together they make your accounts extremely difficult to compromise.
MFA means that even if an attacker has your password, they still can't log in without a second form of verification: usually a six-digit code from an authenticator app, a push prompt on your phone, or (least preferred) a code sent by SMS. Microsoft and Google both offer free authenticator apps (Microsoft Authenticator and Google Authenticator) that work with most services.
Enable MFA on these accounts first
What You Should Stop Doing Today
Saving passwords in a spreadsheet, Word document, or text file
These files are unencrypted and easily accessible if your computer is compromised or stolen.
Sharing passwords via email, WhatsApp, or SMS
Messages can be intercepted, screenshots taken, or accounts accessed after the fact. Use your password manager's secure sharing feature instead.
Using the same password for work and personal accounts
A breach of your personal Netflix account could give an attacker the key to your business systems if you reuse that password.
Storing passwords in a browser you share with others
Anyone who sits down at your unlocked computer, or shares the same login, can view and export every password saved in Chrome or Edge in seconds.
Password Security Checklist
Run through this list to check how well protected your accounts currently are.
Frequently Asked Questions
Is it safe to store all my passwords in one place?
Yes, when that one place uses strong encryption. Reputable password managers like Bitwarden and 1Password encrypt the vault with AES-256 using a key derived from your master password on your own device; neither the master password nor that key is ever sent to the provider, which is why the provider cannot read your vault even if its servers are breached. Independent security researchers audit these products regularly. The risk of having all passwords in a secured vault is far lower than the risk of reusing weak passwords across multiple sites.
What happens if I forget my master password?
This is the one password you genuinely cannot reset through the usual channels. Password managers are designed so that even the vendor cannot open your vault, which is precisely what makes them secure. 1Password gives you an Emergency Kit containing your Secret Key when you sign up; Bitwarden cannot reset a master password at all unless you have set up its Emergency Access feature with a trusted contact in advance. Print or write down the kit or your master password and store it somewhere physically safe (a locked drawer or filing cabinet). If you lose both your master password and any recovery material, the vault cannot be recovered. This is rare, but it's worth taking seriously from the start.
What is Multi-Factor Authentication and do I really need it?
Multi-Factor Authentication (MFA) requires you to verify your identity with a second factor — usually a time-sensitive code from an app like Microsoft Authenticator or Google Authenticator — in addition to your password. Even if an attacker obtains your password through a data breach or phishing, they still cannot access your account without this second factor. Microsoft research has found that MFA blocks over 99.9% of automated account compromise attacks. Yes, you really do need it.
Should I use SMS text messages for MFA codes?
SMS-based MFA codes are better than no MFA at all, but they're the weakest form of two-factor authentication. SIM-swapping attacks, where an attacker convinces your mobile network to transfer your number to their device, let them receive your SMS codes. Wherever possible, use an authenticator app instead. Microsoft Authenticator and Google Authenticator are both free and significantly more secure. One caveat applies to any code-based MFA: a fake login page can ask for your code and relay it to the real site within the few seconds it remains valid, so keep checking that you are on the genuine address before you type it.
Do I need to change all my passwords immediately?
Not necessarily all at once — that can feel overwhelming. Start with your highest-risk accounts: email, banking, Microsoft 365, and any business systems. Change those passwords to strong, unique ones stored in your new password manager, and enable MFA. Then work through the rest over a week or two as you naturally log in to other sites.
Key Takeaways
- ✓ Length beats complexity: aim for 15+ characters
- ✓ Never reuse the same password across accounts
- ✓ A password manager generates and remembers everything
- ✓ Bitwarden is free and open source; 1Password is the top paid option
- ! Always pair a strong password with MFA
Quick Win
Start today: download Bitwarden for free, create your account with a passphrase master password, and add just your email and Microsoft 365 login. That's your two most important accounts protected in under 10 minutes.
Worth Knowing
A passphrase is four or more random, unrelated words strung together — like lamp-river-copper-biscuit. It's 25 characters, easy to remember, and exponentially harder to crack than a short complex password.
Want Help Setting This Up for Your Team?
We can help your business roll out a password manager, enable MFA across your Microsoft 365 accounts, and make sure your team has the right habits in place — without disrupting your day.