Password Security for Business: Best Practices to Stop Credential Attacks

Tags: information security, it security, password security

Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.

Password security for business means unique long passphrases on every account, stored in an enterprise password manager, with phishing-resistant multi-factor authentication on top, and continuous breach-credential monitoring underneath. The Verizon 2025 DBIR finds compromised credentials in roughly half of breaches, and NIST SP 800-63B Rev 4 now sets 15 characters as the floor.

Prefer a managed program? See our managed cybersecurity services hub or book an IT business assessment.

KEY TAKEAWAYS

  • Credentials are still the number-one entry vector. Verizon’s 2025 DBIR puts compromised credentials in roughly 49% of breaches.
  • NIST SP 800-63B Rev 4 requires 15 characters for single-factor passwords, bans periodic rotation, and prohibits composition rules.
  • Length beats complexity. A 16-character passphrase resists brute force into trillions of years on current GPU hardware.
  • Every Canadian SMB needs an enterprise password manager. Keeper is our default; 1Password, Bitwarden, and Microsoft Authenticator round out the stack.
  • Passkeys and FIDO2 keys (YubiKey) are the password replacement that works for admin and finance accounts today.

Are your passwords actually secure?

Probably not. A password is only secure if it is at least 15 characters, unique to that one account, absent from public breach lists, and paired with phishing-resistant MFA. Across Fusion Computing’s 47 Canadian SMB credential audits through Q1 2026, fewer than one in five accounts cleared all four tests on the first sweep.

The honest answer for most Canadian SMBs is that passwords are stored in browsers, reused across services, written on paper, or shared in spreadsheets. Even when a password manager is purchased, adoption stalls before it reaches every seat. That partial coverage is the failure pattern attackers exploit.

For a precise read on your own posture, our IT business assessment reviews password policy, MFA coverage, breach exposure, and privileged-account hygiene against NIST SP 800-63B Rev 4 and CIS Controls v8.1.

Why credentials are still attackers’ favorite entry point in 2026

Stolen, reused, or guessed passwords are still the cheapest way into a business network. Verizon’s 2025 DBIR ranks compromised credentials as the leading initial-access vector. The Canadian Centre for Cyber Security places credential compromise at the top of its SMB intrusion list, and IBM’s 2025 Cost of a Data Breach Report puts the average breach at US$4.88 million.

Public combo lists now hold more than two billion unique leaked credential pairs, and attackers feed those into automated stuffing tools that test every other service in seconds. Phishing kits with AI-generated lures have driven click-through well above the manual campaigns of three years ago.

Reuse compounds the damage. When 94% of public-leak passwords appear on more than one account, a single breach at a low-value site cascades into email, finance, and admin systems. CISA password guidance and the Canadian Centre for Cyber Security both recommend unique passwords per account inside a vault, with phishing-resistant MFA layered on top.

NIST modern password guidance: passphrase length over complexity

NIST SP 800-63B Rev 4 sets the modern bar. Single-factor passwords must be 15 characters or longer. Verifiers shall not require periodic password change except on evidence of compromise. Composition rules and password hints are prohibited. All inputs must be checked against a public breach blocklist.

Three of those rules still surprise people who have not read the standard since 2017. Forced 90-day rotation is gone because empirical research shows it produces weaker patterns like Spring2026!. Composition rules are gone because they drive predictable substitutions like Password1!. Hints leak the password to anyone who can read the prompt.

What replaced those rules is simpler and stronger: long passphrases, breach checks at change time, and rate limiting on the verifier side. The single best policy a Canadian SMB can write today is one sentence: long passphrase, checked against a breach list at change time, never expired except on confirmed compromise.
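The one-sentence policy above is small enough to express as a verifier check. The following is an added example (not code from this article or from Fusion Computing) of a NIST SP 800-63B Rev 4-style acceptance check: a length floor that drops to the article's 8-character figure when phishing-resistant MFA is enforced, a breach-corpus lookup done the HaveIBeenPwned way (only the first five hex characters of the SHA-1 leave the client), verifier-side rate limiting, and deliberately no composition rules, hints or expiry. The breach corpus, the range responses and the lockout threshold are constructed values so that it runs offline.

```python
"""NIST SP 800-63B Rev 4-style password acceptance checks and verifier-side
rate limiting. Added example, not code from the article or Fusion Computing.
The breach corpus and the HaveIBeenPwned-style range responses are constructed
inline so the check runs without network access."""
import hashlib
import time
from collections import defaultdict
from typing import Dict, List, Optional

MIN_LEN_SINGLE_FACTOR = 15  # the Rev 4 floor the article cites
MIN_LEN_WITH_MFA = 8        # the article's figure for MFA-protected accounts
MAX_LEN = 64                # Rev 4 requires verifiers to accept at least 64 characters

# Constructed breach corpus standing in for the Pwned Passwords data set.
_CONSTRUCTED_BREACHED = {
    "Password1!": 3000000,
    "Spring2026!": 12,
    "correct horse battery staple": 500,
}


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# k-anonymity "range" responses: for a 5-character SHA-1 prefix the service
# returns only the 35-character suffixes and their counts, one per line.
_RANGES: Dict[str, List[str]] = defaultdict(list)
for _pw, _count in _CONSTRUCTED_BREACHED.items():
    _h = _sha1_hex(_pw)
    _RANGES[_h[:5]].append(f"{_h[5:]}:{_count}")


def fetch_range(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/{prefix} (no network)."""
    return "\r\n".join(_RANGES.get(prefix.upper(), []))


def breach_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in the corpus, via hash-prefix lookup."""
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def evaluate_password(password: str, mfa_enforced: bool = False, fetch=fetch_range) -> List[str]:
    """Return the reasons a candidate is rejected; an empty list means accepted.

    Intentionally absent: composition rules, hints and expiry, which the article
    notes Rev 4 prohibits. Length is counted in characters, not bytes."""
    reasons = []
    floor = MIN_LEN_WITH_MFA if mfa_enforced else MIN_LEN_SINGLE_FACTOR
    length = len(password)
    if length < floor:
        reasons.append(f"too short: {length} characters, floor is {floor}")
    if length > MAX_LEN:
        reasons.append(f"too long: {length} characters, maximum is {MAX_LEN}")
    count = breach_count(password, fetch)
    if count:
        reasons.append(f"found in breach corpus {count} times")
    return reasons


class FailedAttemptLimiter:
    """Verifier-side rate limiting: lock an account after too many consecutive
    failures inside a window. Threshold and window are constructed defaults,
    not figures taken from the article or the standard."""

    def __init__(self, max_failures: int = 10, window_seconds: int = 900):
        self.max_failures = max_failures
        self.window = window_seconds
        self._failures: Dict[str, List[float]] = defaultdict(list)

    def record_failure(self, account: str, now: Optional[float] = None) -> None:
        self._failures[account].append(time.time() if now is None else now)

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)  # a successful login clears the counter

    def is_locked(self, account: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        recent = [t for t in self._failures[account] if now - t <= self.window]
        self._failures[account] = recent
        return len(recent) >= self.max_failures


if __name__ == "__main__":
    for candidate in ["Spring2026!", "TorontoWinterSnowMelt2026", "correct horse battery staple"]:
        print(candidate, "->", evaluate_password(candidate) or "accepted")
```

Two design points worth noticing: the breach check runs at change time rather than on a schedule, which is exactly the substitution the article describes, and a long passphrase that appears in the corpus is still rejected, because length alone does not rescue a known-leaked secret.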

Password managers: what they do and why every Canadian SMB needs one

A password manager generates, stores, and auto-fills unique long passwords for every account, encrypted with a key only the user holds. It is the only practical way for a 10- to 150-seat business to enforce uniqueness and length across hundreds of services. Fusion Computing’s default deployment is Keeper Business.

The non-negotiable features for a Canadian SMB are zero-knowledge encryption, single sign-on through SAML or OIDC, shared vaults for service accounts, audit logs, and built-in breach monitoring. Canadian data residency matters for clients in regulated verticals.

| Tool | Canadian data residency | MFA support | Business features |
|---|---|---|---|
| Keeper Business (FC default) | Yes; regional hosting + on-prem | TOTP, FIDO2, passkeys | SSO, shared vaults, role-based admin, breach monitoring |
| 1Password Business | Multi-region; CA hosting available | TOTP, FIDO2, passkeys | SSO, Watchtower alerts, secrets automation |
| Bitwarden Teams | Self-host on Canadian infra supported | TOTP, FIDO2, passkeys | SSO, HIBP integration, open-source audit trail |
| Microsoft Authenticator | Tied to M365 tenant region | TOTP, push, passkeys | Tight Microsoft Entra ID integration |


For most clients we recommend starting with an IT business assessment before locking in a vendor. The right manager is downstream of identity-provider state and how the existing managed IT services stack handles SSO today.

Passkeys and FIDO2: the password replacement that actually works

Passkeys are device-bound credentials built on FIDO2 / WebAuthn, unlocked by biometrics or a device PIN. They cannot be phished, cannot be reused, and survive vendor breaches because the private key never leaves the device. FIDO2 hardware keys like YubiKey extend the same protection to admin and finance accounts.

Microsoft Entra ID, Google Workspace, GitHub, AWS, Apple, and the leading password managers all ship passkey support. The catch for Canadian SMBs is the long tail of accounting, ERP, and dispatch tools that do not yet support them. Plan a hybrid for the next 12 to 24 months: passkeys where available, password plus phishing-resistant MFA everywhere else.

Hardware FIDO2 keys are the right answer for any account whose loss would cost real money: domain admins, M365 global admins, finance approvers, and break-glass accounts. We standardize on YubiKey 5 series and issue two keys per user, one for daily use and one for the safe.

How long should a business password be? (entropy math)

Fifteen characters is the floor. Sixteen-character passphrases are the practical default. Length is the dominant variable in resistance to brute force, and a long passphrase is easier to remember than a short dense string.

The numbers below are based on the Hive Systems 2025 password table modelling a 12-card RTX 5090 cluster cracking bcrypt-10 hashes. Each added character multiplies time-to-crack by orders of magnitude.

| Length | Character set | Time to crack |
|---|---|---|
| 8 | Mixed case + numbers + symbols | ~165 years |
| 12 | Mixed case + numbers + symbols | ~3,000 years |
| 15 | Mixed case + numbers + symbols | ~1 billion years |
| 16 | Lowercase passphrase (4 words) | Trillions of years |
| 20+ | Mixed passphrase | Effectively uncrackable |

Issue passphrases like TorontoWinterSnowMelt2026 to humans and reserve random 20-plus-character strings for vault-stored service accounts.
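The arithmetic behind the table is short enough to show. The following is an added example (not the article's or Hive Systems' model) of the entropy calculation that makes length the dominant variable: a uniformly random string carries length times log2(alphabet size) bits, and expected cracking time is half the keyspace divided by the guess rate. The guess rate is a constructed figure, so the absolute times differ from the table above; the ordering between rows is what the comparison shows. The example also computes, as a caveat a practitioner will want, the passphrase case where the attacker knows the word list and word count, which is a smaller search space than treating the same characters as independent.

```python
"""Entropy and expected time-to-crack arithmetic. Added example, not code from
the article; CONSTRUCTED_GUESSES_PER_SECOND is a made-up rate, not a
measurement of any hardware."""
import math

CHARSET_SIZES = {
    "lowercase": 26,
    "mixed case": 52,
    "mixed case + numbers": 62,
    "mixed case + numbers + symbols": 95,  # printable ASCII minus space
}
DICEWARE_WORDS = 7776                    # standard diceware list size (6**5)
CONSTRUCTED_GUESSES_PER_SECOND = 1.0e7   # constructed rate for a slow hash such as bcrypt


def random_string_bits(length, charset_size):
    """Entropy of a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(charset_size)


def random_passphrase_bits(word_count, dictionary_size):
    """Entropy when the attacker knows the word list and how many words were drawn."""
    return word_count * math.log2(dictionary_size)


def length_for_target_bits(target_bits, charset_size):
    """Shortest string over this alphabet that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(charset_size))


def expected_crack_seconds(bits, guesses_per_second=CONSTRUCTED_GUESSES_PER_SECOND):
    """Expected search time: on average half the keyspace is tried before a hit."""
    return (2 ** bits) / 2 / guesses_per_second


def human_duration(seconds):
    units = [("years", 365.25 * 24 * 3600), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def comparison_rows():
    """Rows mirroring the article's table, recomputed under the constructed rate."""
    rows = []
    for length in (8, 12, 15):
        bits = random_string_bits(length, CHARSET_SIZES["mixed case + numbers + symbols"])
        rows.append((f"{length} chars, full ASCII", round(bits, 1), human_duration(expected_crack_seconds(bits))))
    bits16 = random_string_bits(16, CHARSET_SIZES["lowercase"])
    rows.append(("16 lowercase chars, treated as random", round(bits16, 1),
                 human_duration(expected_crack_seconds(bits16))))
    bits4w = random_passphrase_bits(4, DICEWARE_WORDS)
    rows.append(("4 diceware words, word list known", round(bits4w, 1),
                 human_duration(expected_crack_seconds(bits4w))))
    return rows


if __name__ == "__main__":
    for label, bits, duration in comparison_rows():
        print(f"{label:42s} {bits:6.1f} bits  {duration}")
    print("lowercase length matching 8 full-ASCII chars:",
          length_for_target_bits(random_string_bits(8, 95), 26))
```

The last line is the practical reading of "length beats complexity": twelve lowercase characters already exceed the entropy of eight characters drawn from the full printable set, and every character added to the longer string multiplies the attacker's work by the alphabet size again.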

How to detect credential theft early

Three signals catch most credential theft early: HaveIBeenPwned-style breach lists, dark-web monitoring inside the password manager, and sign-in anomaly detection in Microsoft Entra ID. Wire all three and you close the gap between leak and discovery from months to hours.

HaveIBeenPwned is the cheapest baseline. Enterprise password managers wire HIBP and proprietary feeds directly into the vault so a flagged credential triggers a forced reset. The Canadian Centre for Cyber Security recommends this kind of continuous monitoring as part of reasonable safeguards.

Sign-in anomaly detection is where Microsoft Entra ID Identity Protection earns its license cost. Risk-based conditional access blocks or steps up authentication when a sign-in pattern looks unusual. Pair that with our incident response plan so a flagged event triggers containment, not paperwork.
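To make the "sign-in pattern looks unusual" test concrete, here is an added example (not code from the article, Fusion Computing or Microsoft) of two detections run over constructed JSON-lines sign-in events: one source IP trying many distinct accounts in a short window, which is the signature of credential stuffing, and one account succeeding from two countries within an hour. The field names and the sample events are assumptions; a real feed would be the identity provider's sign-in log.

```python
"""Two sign-in anomaly detections over constructed events. Added example, not
code from the article; the event schema (ts, user, ip, country, result) and
the log lines are constructed for the demonstration."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sign-in events. 198.51.100.9 tries six accounts in five seconds
# and gets into one; alice succeeds from CA and then from RO twenty minutes later.
CONSTRUCTED_LOG = """\
{"ts": "2026-03-02T09:00:00Z", "user": "alice@example.ca", "ip": "203.0.113.7", "country": "CA", "result": "success"}
{"ts": "2026-03-02T09:04:30Z", "user": "bob@example.ca", "ip": "198.51.100.9", "country": "NL", "result": "failure"}
{"ts": "2026-03-02T09:04:31Z", "user": "carol@example.ca", "ip": "198.51.100.9", "country": "NL", "result": "failure"}
{"ts": "2026-03-02T09:04:32Z", "user": "dave@example.ca", "ip": "198.51.100.9", "country": "NL", "result": "failure"}
{"ts": "2026-03-02T09:04:33Z", "user": "erin@example.ca", "ip": "198.51.100.9", "country": "NL", "result": "failure"}
{"ts": "2026-03-02T09:04:34Z", "user": "frank@example.ca", "ip": "198.51.100.9", "country": "NL", "result": "failure"}
{"ts": "2026-03-02T09:04:35Z", "user": "grace@example.ca", "ip": "198.51.100.9", "country": "NL", "result": "success"}
{"ts": "2026-03-02T09:10:00Z", "user": "bob@example.ca", "ip": "203.0.113.8", "country": "CA", "result": "failure"}
{"ts": "2026-03-02T09:11:00Z", "user": "bob@example.ca", "ip": "203.0.113.8", "country": "CA", "result": "success"}
{"ts": "2026-03-02T09:20:00Z", "user": "alice@example.ca", "ip": "192.0.2.44", "country": "RO", "result": "success"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with aware UTC timestamps, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect_spray(events, min_distinct_users=5, window=timedelta(minutes=10)):
    """Flag a source IP that touches many distinct accounts inside the window.
    The alert lists accounts that succeeded from that IP: those are the ones to
    reset and review first."""
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)
    alerts = []
    for ip, ip_events in by_ip.items():
        for i, start in enumerate(ip_events):  # sliding window anchored on each event
            users = {e["user"] for e in ip_events[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_distinct_users:
                successes = sorted(e["user"] for e in ip_events if e["result"] == "success")
                alerts.append({"ip": ip, "distinct_users": len(users), "successes": successes})
                break
    return alerts


def detect_impossible_travel(events, window=timedelta(hours=1)):
    """Flag an account with two successful sign-ins from different countries
    closer together than the window allows."""
    last_success = {}
    alerts = []
    for event in events:
        if event["result"] != "success":
            continue
        prev = last_success.get(event["user"])
        if prev and prev["country"] != event["country"] and event["ts"] - prev["ts"] <= window:
            minutes = int((event["ts"] - prev["ts"]).total_seconds() // 60)
            alerts.append({"user": event["user"], "from": prev["country"],
                           "to": event["country"], "minutes": minutes})
        last_success[event["user"]] = event
    return alerts


if __name__ == "__main__":
    evs = parse_events(CONSTRUCTED_LOG)
    print("spray / stuffing:", detect_spray(evs))
    print("impossible travel:", detect_impossible_travel(evs))
```

Note what the spray detector does not do: bob's single failure followed by a success from his own Canadian address never trips it, because the signal is distinct accounts per source, not failures per account. That distinction is what keeps the detection useful against low-and-slow spraying that never locks anyone out.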

How do you roll out password security across a Canadian SMB?

A 90-day program in four steps lands a complete rollout for a 50- to 150-seat business: audit and policy, password manager deployment, MFA enforcement, and ongoing monitoring. The discipline that matters is gating onboarding and offboarding on vault membership.

| Step | Activity | Tool | Owner |
|---|---|---|---|
| 1. Audit and policy | Map credential surface against NIST 800-63B Rev 4 and CIS v8.1; write a one-page policy. | FC assessment + HIBP scan | MSP + owner |
| 2. Vault deployment | Roll out to pilot, then department leads, then full team. Migrate browser-saved passwords. | Keeper Business, 1Password, or Bitwarden | MSP |
| 3. MFA enforcement | Phishing-resistant MFA on M365, VPN, finance, HR. FIDO2 keys for admins and finance. | Microsoft Entra ID, Authenticator, YubiKey | MSP + identity admin |
| 4. Monitor and gate | Wire breach monitoring; gate onboarding and offboarding on vault membership; quarterly review. | HIBP + vault audit logs + HR checklist | MSP + HR |

Across Fusion Computing’s 47 Canadian SMB credential audits through Q1 2026, the rollouts that finished cleanly all shared one trait: HR and IT signed a single onboarding checklist that included vault enrollment as a hard gate before day-one access.


Why password hygiene matters for Canadian SMBs: Verizon’s 2025 DBIR places compromised credentials among the leading initial-access vectors. The Canadian Centre for Cyber Security ranks credential compromise as a top SMB intrusion vector, and CISA password guidance recommends unique passphrases per account stored in a manager.

What a credential breach actually costs: IBM’s 2025 Cost of a Data Breach Report puts the average global breach at US$4.88 million. NIST SP 800-63B Rev 4 codifies the controls that move that risk needle: 15-character minimums, no forced rotation, breach blocklist checks at change time.

Frequently asked questions

How long should a business password be in 2026?

Fifteen characters is the floor for any single-factor authenticator, per NIST SP 800-63B Rev 4. For accounts protected by phishing-resistant MFA, eight characters is acceptable. We recommend 16-character passphrases for everyone, like TorontoWinterSnowMelt2026, because they are easy to type on mobile and well above the threshold where brute force becomes interesting.

How often should employees change passwords?

Only on suspected compromise, employee departure, or a failed-attempt threshold. NIST SP 800-63B Rev 4 explicitly states verifiers shall not require periodic password change. Forced rotation drives weaker patterns. Replace the schedule with HaveIBeenPwned blocklist checks at change time.

What makes a password truly strong?

Length, uniqueness, and absence from known breach lists. A 16-character passphrase you have never used anywhere else and that does not appear on a public combo list is far stronger than an 8-character mix of upper, lower, numbers, and symbols.

Can password managers be hacked?

Reputable enterprise managers (Keeper, 1Password, Bitwarden) use zero-knowledge encryption: the vendor stores encrypted blobs but does not hold the key. Even when a vendor is breached, vaults remain protected by the user’s master key. The risk is far lower than reused passwords or shared spreadsheets.

Is MFA still required if we use a password manager?

Yes. A manager solves uniqueness and length. It does not solve phishing, malware-stolen sessions, or breaches at the service provider. Multi-factor authentication catches the cases where the password itself has been stolen.

What is the difference between a password and a passphrase?

A password is a short, dense string of mixed characters. A passphrase is a longer, often word-based secret. Length dominates resistance to brute force, and passphrases are easier for humans to remember without writing them down.

Are passkeys ready to replace passwords?

For consumer accounts and major SaaS, yes. For a typical Canadian SMB stack (accounting, ERP, dispatch, trade-specific tools) most line-of-business apps do not support passkeys yet. Plan a hybrid: passkeys where available, password plus phishing-resistant MFA everywhere else.

Does PIPEDA require a specific password policy?

PIPEDA does not prescribe a length or rotation policy. It requires reasonable safeguards proportionate to the sensitivity of the data. The OPC’s safeguards guidance treats password-manager use and phishing-resistant authentication as part of reasonable safeguards. See our PIPEDA compliance guide.

FIDO2 hardware keys versus authenticator apps?

FIDO2 keys (YubiKey) are phishing-resistant; TOTP authenticator apps are not. Issue keys to admins, finance approvers, and break-glass accounts. Use Microsoft Authenticator with number-matching for the rest of the team. SMS one-time codes are the floor.

Related Resources

Password security is one layer of a complete defensive stack. For the full picture, see our managed cybersecurity services hub, which covers SOC monitoring, endpoint detection, firewall management, and incident response alongside credential hardening.

Fusion Computing has provided managed IT, cybersecurity, and AI consulting to Canadian businesses since 2012. Led by a CISSP-certified team, Fusion supports organizations with 10 to 150 employees from Toronto, Hamilton, and Metro Vancouver.
