You wouldn't hide a spare key under the welcome mat and call your house secure. Everybody knows that's the first place someone looks.

But that's essentially what most businesses are doing with their passwords. The credentials protecting your email, your financials, and your client data are sitting in the most obvious spot imaginable, and the people who want them know exactly where to check.
One password, every door
Most credential breaches don't originate inside your company. They start at some unrelated service: a retail site, a food delivery app, a subscription nobody remembers signing up for. That third party gets compromised, and now your email address and password are packaged up in a database that's being traded or sold on the dark web.

What happens next is predictable. Attackers take that stolen login and run it against everything they can find: your email provider, your cloud storage, your accounting platform, your CRM. The technique is called credential stuffing. It's not clever, but it is fast. Automated tools test your stolen credentials against hundreds of services while your office is closed for the night.
Imagine a single physical key that opens your front door, your office, your car, and every filing cabinet you own. If someone gets a copy of that key, they don't just get into one room. They get into all of them. That's what password reuse does at scale.

A Cybernews analysis of 19 billion exposed passwords found that 94% were reused or duplicated across multiple accounts. That's not a rounding error. That's nearly universal.

Passwords don't fail because they're too short or too simple. They fail because the same one is doing too many jobs.
Why "strong" isn't the right question
There's a common assumption that if a password has a capital letter, a number, and a special character, it's secure. That checked the box in 2006. It doesn't anymore.

The most popular passwords in 2025 were still variations of "Password1," "123456," and team names with an exclamation point tacked on. If that sounds familiar, you're in large company.

Attackers aren't sitting at a keyboard guessing. Modern cracking tools test billions of combinations per second. A password like "P@ssw0rd1" falls in seconds. A long, randomized passphrase could hold for centuries. Length wins over complexity every time.
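The "seconds versus centuries" contrast comes from two different attack models, and it helps to see the arithmetic. A word-plus-tweaks password such as "P@ssw0rd1" is not attacked by trying every printable string; it is one entry in a wordlist crossed with mangling rules (leet swaps, appended digits, capitalisation), so its length barely matters. A passphrase of words chosen uniformly at random has no such shortcut, so the attacker must exhaust the keyspace. The following is an added illustration, not code from the post; the guess rate, wordlist size, rule count and passphrase list size are assumptions chosen for the calculation.

```python
"""Why length beats complexity: cost of two attack strategies.

Added example, not code from the original post. Every figure below is an
assumption used for illustration:
  - GUESS_RATE: 1e9 guesses/s (the post says "billions per second")
  - DICT_WORDS x MANGLING_RULES: a guided attack on "word + tweaks"
    passwords (e.g. P@ssw0rd1 = "password" + leet swaps + a digit)
  - PASSPHRASE_WORDS: a 7,776-entry list, the common diceware size
"""
import math

GUESS_RATE = 1e9           # assumed guesses per second
DICT_WORDS = 100_000       # assumed attacker wordlist size
MANGLING_RULES = 10_000    # assumed number of mangling rules
PASSPHRASE_WORDS = 7776    # assumed random-passphrase word list size
SECONDS_PER_YEAR = 31_557_600


def guided_attack_seconds(words=DICT_WORDS, rules=MANGLING_RULES,
                          rate=GUESS_RATE):
    """Worst case for a 'word + tweaks' password: the attacker tries every
    word crossed with every rule. Length is irrelevant; the password is
    just one of words*rules candidates."""
    return words * rules / rate


def random_string_bits(length, alphabet_size=95):
    """Entropy (bits) of a uniformly random string over an alphabet."""
    return length * math.log2(alphabet_size)


def random_passphrase_bits(n_words, list_size=PASSPHRASE_WORDS):
    """Entropy (bits) of n words drawn uniformly from a word list."""
    return n_words * math.log2(list_size)


def brute_force_seconds(bits, rate=GUESS_RATE):
    """Seconds to exhaust a keyspace of 2**bits at `rate` guesses/s.
    The expected time to hit a random target is half of this."""
    return 2 ** bits / rate


def compare(n_words=5, random_len=8):
    """Seconds to exhaust each candidate's search space."""
    return {
        "mangled_dictionary_word": guided_attack_seconds(),
        f"random_{random_len}_chars": brute_force_seconds(
            random_string_bits(random_len)),
        f"random_{n_words}_word_passphrase": brute_force_seconds(
            random_passphrase_bits(n_words)),
    }


def as_years(seconds):
    return seconds / SECONDS_PER_YEAR


if __name__ == "__main__":
    for label, secs in compare().items():
        print(f"{label:32s} {secs:12.3g} s  (~{as_years(secs):.3g} years)")
```

With these assumptions the mangled dictionary word falls in about one second, eight fully random printable characters take roughly 77 days of exhaustive search, and a five-word random passphrase (about 65 bits) takes around 900 years. That is the whole argument for letting a password manager generate long random secrets rather than asking people to "add a symbol".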
But here's the part that gets overlooked: even a great password is still a single layer. One successful phishing email, one vendor breach, one sticky note on a monitor, and it's compromised. Doesn't matter how creative it was. A single point of failure is still a single point of failure.

If your security model depends entirely on the strength of a password, it's built on a foundation that cracked years ago.
Passwords are the lock. This is the deadbolt.
The answer isn't a better password. It's a better system around the password. Two changes close most of the gap.

A password manager (tools like 1Password, Bitwarden, or Dashlane) creates and stores a unique, complex password for every account your team touches. Nobody memorizes them. Nobody reuses them. The login for your accounting software has zero overlap with the one for your email, which has zero overlap with the one for your client portal. Each door gets its own key, and none of them are sitting under the mat.

Multi-Factor Authentication (MFA) adds a second checkpoint. You prove your identity with something you know (your password) and something you have (a code from an authenticator app or a push notification on your phone). If someone gets hold of your password, they still hit a locked door because they don't have the second factor.
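The six-digit code from an authenticator app is a time-based one-time password (TOTP, RFC 6238): an HMAC over the current 30-second time step, keyed with a secret that was shared with the app at enrolment and never typed or sent again. That is why a stolen password on its own is useless to an attacker: the code depends on a secret they don't have and changes every 30 seconds. The implementation below is an added example (not code from the post or from any product it names); it uses the RFC 6238 reference secret and parameters (SHA-1, 30-second step, six digits) so its output can be checked against the RFC's published test vectors.

```python
"""TOTP (RFC 6238) on top of HOTP (RFC 4226): the "something you have"
factor an authenticator app computes.

Added example, not code from the original post. Parameters follow the
RFC defaults (HMAC-SHA1, 30-second step, 6 digits); RFC6238_SECRET is the
reference secret from the RFC's test vectors, not a real credential.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time

RFC6238_SECRET = b"12345678901234567890"   # RFC test secret, not real


def hotp(key, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC(key, counter), dynamic truncation, modulo 10**digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                       # low nibble picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key, for_time=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current time step."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(key, for_time // step, digits)


def verify_totp(key, submitted, for_time=None, step=30, window=1):
    """Server-side check. Accept the current step and +/- `window`
    neighbouring steps to absorb clock drift; compare in constant time so
    timing differences leak nothing about the expected code."""
    if for_time is None:
        for_time = int(time.time())
    counter = for_time // step
    for delta in range(-window, window + 1):
        candidate = hotp(key, counter + delta)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False


def new_shared_secret(nbytes=20):
    """Generate a fresh 160-bit secret as the base32 string an authenticator
    app enrolls from (typically delivered as a QR code)."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


if __name__ == "__main__":
    now = int(time.time())
    code = totp(RFC6238_SECRET, now)
    print("current code:", code, "valid:", verify_totp(RFC6238_SECRET, code, now))
```

Two details matter operationally: the server must store the shared secret with the same care as a password hash's pepper (it is a symmetric key, so anyone who reads it can mint codes), and a verified code should be remembered for its time step so it cannot be replayed within the acceptance window.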
Neither requires specialized IT knowledge. Both can be rolled out in an afternoon. Together, they neutralize the vast majority of credential-based attacks.
What we see when this isn't in place
We work with small and mid-sized professional services firms every day, and the pattern repeats itself. A firm gets hit with a credential stuffing attack. The compromised account didn't have MFA turned on. The password had been reused across 3 or 4 services. The breach wasn't sophisticated. It was preventable.

That's why MFA isn't an add-on or an upgrade in our managed services agreements. It's part of the baseline. Every partner gets it configured and enforced from day one, because treating it as optional is how firms end up in the situation we just described.

But MFA alone isn't the whole picture. At Framework IT, it's one layer in a stack that's designed to catch threats at every stage.

Our endpoint protection, powered by SentinelOne, uses AI-driven behavioral analysis to identify threats that traditional antivirus tools miss entirely. It doesn't wait for a known virus signature. It watches for unusual behavior on your devices and acts in real time.

Behind that sits a 24/7 Security Operations Center (SOC) staffed by certified cybersecurity specialists. They're monitoring your environment around the clock, nights, weekends, and holidays included, isolating threats and coordinating response before your team even knows something happened.

We also run dark web monitoring to catch compromised credentials tied to your organization before an attacker can put them to use. And our security awareness training through KnowBe4, complete with mock phishing campaigns, teaches your people to recognize the kinds of emails that turn a reused password into an open door.

Here's how it works in practice. A phishing email slips past your email filter. A trained employee spots it and reports it. If someone clicks anyway, MFA blocks the unauthorized login. If a credential surfaces on the dark web, our monitoring flags it and we rotate it. If a threat reaches an endpoint, SentinelOne and the SOC contain it in minutes.

No single layer does all the work. They cover for each other. That's the difference between a lock on the front door and a full security system.
The part nobody thinks about until renewal
Cyber insurance carriers have gotten specific about what they expect: MFA enforcement, password policies, endpoint detection, security awareness training. If you can't demonstrate these controls, you're either paying inflated premiums or risking a denied claim when you actually need the coverage.

Our cybersecurity stack is designed to meet the requirements of over 97% of cyber liability insurance policies. Partners who align to these standards typically see 20-40% lower premiums, savings that often exceed their monthly managed services fee. It's not just risk reduction. It's a net-positive investment.
Systems over willpower
People will reuse passwords. They'll skip updates. They'll click things they shouldn't. That's not a character flaw. That's how humans operate.

The right approach doesn't fight that. It accounts for it. You build systems that protect the business even when someone makes a normal human mistake.

Most breaches don't require anything advanced. They just need one unlocked door. Don't leave the key under the mat.

If your team is already using a password manager and MFA is enforced across every system, you're ahead of most businesses your size. But if there are still accounts with a single layer of protection, or people reusing the same credentials across services, it's worth a conversation before a small gap turns into a big problem.

Book a meeting to talk about where your security stands today.

And if you know a business owner who's still relying on the same password they set up years ago, send this their way. The fix is simpler than they think.
About the Author
Adam Barney is President and Managing Partner of Framework IT, a Chicago-based managed IT services firm he's helped lead for more than 15 years. He and his team of 40+ professionals specialize in IT support, strategy, and cybersecurity for small and mid-sized businesses. Adam's insights on business technology have been featured in the Harvard Business Review, the Washington Post, and Fox 32 Chicago.