← back to blog
4 min read
  • #security
  • #passwords
  • #password-manager
  • #small-business

A password manager is the best hour you will spend on security

Reused passwords are how small businesses actually lose accounts, not exotic hacks. One hour with a password manager closes the biggest hole, if you set up the recovery plan too.


Your booking system, your Instagram, your bank, and your email probably share one password. Maybe two, with a number swapped at the end. For most small businesses that is the entire security problem, and it takes about an hour to fix.

I am studying for Security+ right now and the material is full of dramatic attacks. Zero days, rogue access points, malware hiding in firmware. Almost none of that is how a salon in Heber City loses its Instagram account. Here is how it actually happens.

Nobody hacks you. They log in.

Some website you signed up for years ago gets breached. Your email and password end up in a list that gets traded around. Attackers feed those lists into scripts that try them, automatically, against everything: Gmail, Instagram, Facebook, banks, Square, booking systems. This is called credential stuffing, and it works because people reuse passwords.

If your shop's Instagram password is the same one you used on a coupon site in 2019, it is not a question of whether someone will try it. Scripts try it all day, every day. Nobody is targeting you specifically. You are a row in a spreadsheet.

The fix is boring: a different random password for every account. No human can memorize forty random passwords, which is the whole reason password managers exist.

What a manager actually does

A password manager is an encrypted vault. You remember one strong master password. The manager remembers everything else and generates a new random password every time you sign up for something.

Three things it does for you:

  • Generates passwords like kD9#mVp2qX, so a breach at one site never touches the others.
  • Fills logins only on the correct site, which quietly protects you from lookalike phishing pages.
  • Syncs between your phone and your computer, so the password you saved at the front desk works from your couch.

The honest tradeoff: all your eggs go in one basket, and if you forget the master password, most managers cannot reset it for you. That is by design. They cannot read your vault, so they cannot recover it either. It is why the recovery plan at the end of this post matters more than which brand you pick.

Browser built-in or a dedicated app

Chrome, Safari, and Edge all have built-in password managers, and they are fine. If the choice is Chrome's built-in manager or reusing one password everywhere, use Chrome's. It generates random passwords, it fills them, and it costs nothing to start today.

A dedicated app like Bitwarden or 1Password earns its spot when:

  • You mix ecosystems, like an iPhone in your pocket and a Windows laptop at the front desk.
  • You need to share a login with an employee without texting it to them.
  • You want to store more than logins: the Wi-Fi password, the alarm code, software licenses.

Bitwarden has a free tier that covers most solo owners. Paid plans on either run a few dollars a month. For a two person shop, sharing is the feature that decides it. The day your front desk person needs the Instagram login, you share it inside the app and revoke it later, instead of it living forever in a text thread.

Full disclosure: I built a small offline vault into my own free app, Aldo's Toolkit, and I use it for personal codes. It is local only on purpose, no sync, so for a business with staff I still point people to Bitwarden or 1Password. The right tool is the one your employee can also use.

The recovery plan everyone skips

The hour of work is not installing an app. It is this part.

  1. Pick a master password that is long, not clever. Four random words beats Salon2026!.
  2. Write the master password on paper. Yes, paper. Keep it somewhere a burglar would not care about, like inside your business documents or a safe at home.
  3. If your manager offers an emergency kit, print it and store it with that paper. 1Password gives you one when you sign up.
  4. Turn on two factor authentication for your email first, then your bank, and save the backup codes inside the vault.
  5. Change the big four today: email, bank, Instagram or Facebook, and your booking or point of sale system. Migrate the rest as you log in over the next month.

Your email deserves the most care, because every forgot password link on the internet goes there. Whoever controls your email controls everything downstream. If you only fix one account this week, fix that one.

I look for this kind of thing when I review local business websites. If you run a shop around Heber or Park City and want a second set of eyes, I do a free 24-hour site audit, three real findings, yours to keep either way. Start at /audit.

$ share

community rating

$ ls ./comments

sign in or create an account to rate and comment.

no comments yet, be first.