Password Protection & Authentication: Business Security Guide

Weak passwords and single-factor authentication are behind the majority of account takeover attacks on UK businesses. This guide covers password policy, multi-factor authentication, password managers, and the move towards passkeys.

Matt Cannon

Managing Director

7 min read·Mar 2026

Why account credentials are the primary target

Compromised credentials — stolen usernames and passwords — are the most common root cause of data breaches. Once an attacker has valid credentials for a business account, they can access the data that account can see, move laterally to connected services, and in many cases remain undetected for weeks or months. The annual Verizon Data Breach Investigations Report (DBIR) consistently identifies stolen credentials as the leading attack vector, contributing to a substantial proportion of all confirmed breaches.

UK businesses are not immune. Action Fraud receives thousands of reports annually involving business account compromise, the majority of which originate with phished or stolen credentials. The countermeasure is straightforward in principle: strong, unique passwords and multi-factor authentication make stolen credentials dramatically less useful to an attacker, even when the attacker succeeds in obtaining them.

The case against weak passwords

The traditional approach of requiring passwords that meet a complexity rule — eight characters, uppercase, number, special character — has been superseded by NCSC guidance. Research and the NCSC's own analysis demonstrate that complexity rules alone produce predictable patterns (Password1! is technically complex but trivially guessable) and lead to reuse and incremental modification rather than genuinely strong passwords.

The NCSC's current guidance recommends three random words as a passphrase approach for better memorability and entropy, combined with MFA as the primary control rather than password complexity alone. The most important principle remains: every account should have a unique password, so that a breach of one service does not compromise others.
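To make the contrast concrete, here is an added example (not from the original article or from NCSC material) of a password check written in the NCSC style: a minimum length and a deny-list of common passwords instead of composition rules, plus two checks that catch the failure modes the text describes, the password containing the username and an incremental tweak of the previous one. The deny-list contents, the 12-character threshold and the sample passwords are constructed for illustration; a real deployment would load a large published list such as the NCSC's.

```python
"""Password policy check in the NCSC style (length + deny-list, not complexity).

Added example. The deny-list, the MIN_LENGTH threshold and the sample inputs are
constructed for illustration and are not taken from NCSC guidance verbatim.
"""
import re
from typing import List, Optional

# Constructed deny-list of common/predictable passwords. Real deployments use a
# large published list (the NCSC publishes one) loaded from a file.
COMMON_PASSWORDS = {
    "password", "password1", "password1!", "qwerty", "letmein", "welcome1",
    "123456", "iloveyou", "admin", "summer2025",
}

MIN_LENGTH = 12  # constructed threshold; the NCSC does not mandate a number


def normalise(pw: str) -> str:
    """Lower-case and strip trailing digits/punctuation so that 'Password1!'
    and 'password' compare equal. This is how incremental modifications
    ('Summer2024' -> 'Summer2025!') are detected."""
    return re.sub(r"[\d\W_]+$", "", pw.lower())


def passes_complexity_rule(pw: str) -> bool:
    """The legacy rule the article argues against: 8+ chars with upper,
    lower, digit and symbol. 'Password1!' satisfies it."""
    checks = [
        len(pw) >= 8,
        re.search(r"[A-Z]", pw),
        re.search(r"[a-z]", pw),
        re.search(r"\d", pw),
        re.search(r"[^A-Za-z0-9]", pw),
    ]
    return all(checks)


def evaluate_password(pw: str, username: str = "",
                      previous: Optional[str] = None) -> List[str]:
    """Return the list of reasons a password is rejected; empty means accepted."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS or normalise(pw) in COMMON_PASSWORDS:
        reasons.append("on the common-password deny-list")
    if username and username.lower() in pw.lower():
        reasons.append("contains the username")
    if previous is not None and normalise(pw) == normalise(previous):
        reasons.append("incremental modification of the previous password")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("Password1!", "crocodile-radio-teacup"):
        print(candidate, "complexity rule:", passes_complexity_rule(candidate),
              "NCSC-style result:", evaluate_password(candidate) or "accepted")
```

Running it shows the point of the passage: `Password1!` passes the legacy complexity rule yet is rejected by the deny-list, while a three-random-word passphrase fails the complexity rule but is accepted.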

Password managers in the enterprise

Expecting employees to remember unique, strong passwords for dozens of accounts is unrealistic. Password managers solve this by generating and securely storing strong, unique passwords for every account, requiring only one master password (ideally combined with MFA) to access them.

Business-grade password managers — 1Password Business, Bitwarden Business, Dashlane Business — provide centralised administration, the ability to share credentials securely within teams, audit logs of access, and the ability to revoke access for departing employees. Pricing typically starts from £3–£5 per user per month.

The NCSC explicitly recommends that organisations use password managers rather than requiring staff to memorise multiple passwords or use spreadsheets. A password manager is one of the highest-impact, lowest-cost security improvements most businesses can make.

Multi-factor authentication: the essential layer

MFA requires users to provide a second verification factor in addition to their password — typically something they have (a device that generates or receives a code) rather than something they know. Even if credentials are phished or stolen, an attacker without access to the second factor cannot log in.

The most common MFA methods, in order of increasing strength:

  • SMS codes: A six-digit code sent by text message. Susceptible to SIM swap attacks and real-time phishing attacks that relay codes to the attacker. Better than no MFA, but not recommended as the sole MFA method for sensitive accounts.
  • Authenticator apps (TOTP): Time-based codes generated by an app on the user's device — Microsoft Authenticator, Google Authenticator, Authy. Not vulnerable to SIM swap attacks. Susceptible to real-time phishing relays but significantly stronger than SMS.
  • Push notifications: Microsoft Authenticator's push notification MFA sends an approval request to the user's phone. Number matching (requiring the user to enter a number displayed on the login screen) significantly reduces MFA fatigue attacks where criminals repeatedly send push requests hoping the user approves one.
  • FIDO2 / Passkeys: Phishing-resistant MFA that uses a cryptographic key pair rather than a code. The private key never leaves the user's device, and each signature is bound to the genuine site's origin, so a code-free login cannot be relayed from a phishing domain. Increasingly supported by Windows Hello, Apple Face ID and hardware security keys such as YubiKey.

Enabling MFA on Microsoft 365

For businesses using Microsoft 365, Microsoft Entra ID (formerly Azure AD) provides MFA and conditional access capabilities. Security Defaults — enabled by default on new tenancies — enforce MFA for all users using the Microsoft Authenticator app. Organisations on Microsoft 365 Business Premium can configure more granular conditional access policies, requiring MFA only when risk conditions are met or enforcing phishing-resistant methods for administrators.

Privileged accounts and service accounts

Administrator accounts — those with elevated permissions to change system configuration, add users, or access all data — require the strongest authentication controls. The NCSC recommends that privileged accounts be separate from day-to-day user accounts, and that they require phishing-resistant MFA (FIDO2 or certificate-based). Service accounts used by automated processes should use certificate or managed identity authentication rather than passwords where possible; where passwords are unavoidable they should be long, randomly generated and rotated regularly.

Have All Your Business Accounts Got MFA Enabled?

A single account without MFA is all an attacker needs to get a foothold. AMVIA can audit your MFA coverage and enable it across all business applications without disrupting your team.

Frequently Asked Questions