
Password Security: What Canadian Businesses Get Wrong


Passwords remain the primary way most businesses control access to their systems. Despite this, password practices at many Canadian small businesses are outdated, ineffective, or both.

The Most Common Mistakes

1. Forcing Regular Password Changes

Many organizations still require employees to change passwords every 30, 60, or 90 days. This practice is no longer recommended by the Canadian Centre for Cyber Security, NIST, or Microsoft.

Why? Because forced rotation leads to predictable patterns. Employees create passwords like Company2025!, then change them to Company2026!. This is worse than keeping a strong, unique password indefinitely.

What to do instead: Change passwords only when there is evidence or suspicion of compromise. Monitor for breached credentials using services like Have I Been Pwned.

2. Short Minimum Length Requirements

A minimum of 8 characters is no longer adequate. Modern password cracking tools can brute-force passwords that short in minutes, particularly when they follow common patterns.

What to do instead: Require a minimum of 12 characters, and encourage passphrases — longer strings that are easier to remember but harder to crack. "correct-horse-battery-staple" is far stronger than "P@ssw0rd!".

3. No Password Manager

When employees are expected to maintain unique, complex passwords for dozens of systems without a password manager, they inevitably reuse passwords. Password reuse is one of the most exploited vulnerabilities in small business security.

What to do instead: Deploy a company-wide password manager. Options like Bitwarden, 1Password, or Keeper provide secure password generation and storage with team management features.

4. Relying on Passwords Alone

Even the strongest password can be stolen through phishing or a data breach at a third-party service. Passwords alone are not enough.

What to do instead: Implement multi-factor authentication (MFA) on all critical systems, especially email, cloud services, VPN, and admin accounts. MFA is the single most effective measure you can take to prevent unauthorized access.

The Modern Password Policy

A strong password policy for a Canadian SMB in 2026 looks like this:

  • Minimum 12 characters, passphrases encouraged
  • No scheduled rotation — change on suspected compromise only
  • Company password manager provided to all employees
  • MFA enforced on all critical systems
  • Breach monitoring for compromised credentials
  • Unique passwords for every account (enforced via the password manager)
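The policy above, together with the breach-monitoring advice earlier, can be enforced at the point where a password is set. The following is an added example (not code from this site): it checks the 12-character minimum and then performs a Have I Been Pwned style k-anonymity lookup, which sends only the first 5 hex characters of the password's SHA-1 hash and compares the remainder locally. The breached-password list embedded here is constructed so the example runs offline; a real deployment would fetch that range from the Pwned Passwords API instead.

```python
import hashlib

MIN_LENGTH = 12  # the article's policy: at least 12 characters, passphrases encouraged


def _range_response(prefix: str) -> list[str]:
    """Stand-in for the Pwned Passwords 'range' endpoint.

    The real service returns one line per breached hash whose SHA-1 starts with
    `prefix`, formatted as "<remaining 35 hex chars>:<times seen>". This
    constructed set replaces the network call so the example runs offline.
    """
    breached = {"P@ssw0rd!": 1234, "Company2025!": 17, "Company2026!": 3}
    lines = []
    for pw, count in breached.items():
        digest = hashlib.sha1(pw.encode()).hexdigest().upper()
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return lines


def breach_count(password: str) -> int:
    """Return how often the password appears in the breach set (0 if never).

    Only the 5-character hash prefix leaves the client; the full hash is
    never transmitted, which is what makes the real lookup safe to perform.
    """
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in _range_response(prefix):
        found_suffix, count = line.split(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def check_password(password: str) -> list[str]:
    """Apply the modern policy; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    seen = breach_count(password)
    if seen:
        problems.append(f"found in known breaches ({seen} times)")
    return problems


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "Company2026!", "correct-horse-battery-staple"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that the check deliberately has no complexity rules and no expiry date: a long passphrase that has never appeared in a breach passes, and a password only fails when it is short or known to be compromised.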

How Does Your Business Compare?

Our free assessment evaluates your password and authentication practices against the Canadian Centre for Cyber Security's Baseline Controls (BC.5 — Authentication). It takes under 30 minutes and provides specific recommendations.



Cybersecurity Canada is an independent resource and is not affiliated with, endorsed by, or connected to the Canadian Centre for Cyber Security, the Communications Security Establishment, or the Government of Canada.
