Why passwords matter
A weak password is the simplest way to access personal data. No complicated hack, no advanced technique - just logging in with a guessed or stolen password. Research shows that weak or reused passwords are involved in more than 80% of successful attacks on business systems.
The GDPR requires in Article 32 that you take “appropriate technical and organisational measures” to protect personal data. A good password policy is one of the cornerstones.
The five ground rules
1. Use a password manager
This is the most important step you can take. A password manager generates strong, unique passwords for each system and remembers them for you. Your team only needs to remember one strong master password.
Good options for SMEs:
- Bitwarden - open source, free for individual use, affordable business plan
- 1Password - user-friendly, strong business plan with team functionality
No Excel files, no shared notes, no passwords in emails.
2. Enable 2FA everywhere
Two-factor authentication (2FA) adds a second verification layer alongside your password - usually a code on your phone or a hardware key. Even if a password is stolen, an attacker cannot log in without that second factor.
Enable 2FA on:
- Email (Google Workspace, Microsoft 365)
- CRM systems
- Accounting software
- Cloud storage (Google Drive, Dropbox, OneDrive)
- Company social media accounts
Make it mandatory, not optional. Check that everyone has actually activated it.
3. Minimum 12 characters
The days of 8-character passwords are over. Current guidelines recommend at least 12 characters. A passphrase works well: four or five random words strung together, like “umbrella-bicycle-coffee-tuesday”. Long, strong, and still memorable.
With a password manager, length is no longer an issue since you don’t need to remember the passwords.
4. Never reuse
Every system gets a unique password. If you use the same password for your email, CRM, and accounting software, only one system needs to be hacked to gain access everywhere.
This is exactly why a password manager is so important. Nobody can remember dozens of unique 16-character passwords, but a password manager does so effortlessly.
5. Change after a breach, not on a schedule
The old advice to change passwords every 90 days is outdated. Research shows that mandatory regular changes lead to weaker passwords: people choose predictable patterns (January2024!, February2024!) or write the new password on a sticky note.
Change passwords only when:
- There has been a data breach
- You suspect a password has been compromised
- An employee leaves (for shared accounts)
Common mistakes
The sticky note on the monitor. The classic image: a strong password neatly written on a yellow note next to the screen. All effort for nothing.
The shared account. “We all use the same login for the CRM.” Result: you can’t trace who did what, and when an employee leaves, everyone needs to change their password.
“Welcome123” as default password. New employees get a default password they should change “later”. Spoiler: it doesn’t happen.
Passwords in WhatsApp or email. “Can you send me the accounting system password via WhatsApp?” Those messages stay on phones that aren’t encrypted, in chats that aren’t cleared.
Password only, no 2FA. A password alone is not enough. With phishing or a leaked password, the door is wide open if there’s no second factor.
How to implement it
- Choose a password manager and roll it out for the entire team
- Enable 2FA on all systems containing personal data
- Set minimum requirements: 12 characters, unique per system
- Communicate the policy clearly to your employees
- Check compliance - enable mandatory 2FA where possible and verify that everyone actually uses the password manager
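An added example, not from the original article, that turns rules 3 to 5 into a small audit script: it generates a hyphenated passphrase with Python's CSPRNG, flags passwords shorter than 12 characters or following the predictable month-year rotation pattern, and reports passwords reused across systems. The word list and the credential set are constructed for illustration; a real audit would run over an export from the team's password manager.

```python
import math
import re
import secrets
from collections import defaultdict

MIN_LENGTH = 12  # rule 3: at least 12 characters

# Constructed sample word list. A real passphrase generator uses a large
# published list (several thousand words) so each word adds real entropy.
WORDLIST = ["umbrella", "bicycle", "coffee", "tuesday", "harbour", "lantern",
            "meadow", "pepper", "quartz", "saddle", "velvet", "walnut"]

# The predictable rotation pattern rule 5 warns about: month name, year, symbol.
ROTATION_PATTERN = re.compile(
    r"^(january|february|march|april|may|june|july|august|september|october|"
    r"november|december)\d{4}[!@#$%]?$", re.IGNORECASE)


def generate_passphrase(words=4, wordlist=WORDLIST):
    """Rule 3: random words joined by hyphens, chosen with a CSPRNG (not random.choice)."""
    return "-".join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words, wordlist_size):
    """Bits of entropy for `words` uniformly chosen words from a list of `wordlist_size`."""
    return words * math.log2(wordlist_size)


def check_password(password):
    """Return the policy violations for one password; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if ROTATION_PATTERN.match(password):
        problems.append("predictable month+year rotation pattern")
    return problems


def find_reuse(credentials):
    """Rule 4: map each password used by more than one system to the systems sharing it.

    `credentials` is {system_name: password}, e.g. one row per vault entry.
    """
    by_password = defaultdict(list)
    for system, password in credentials.items():
        by_password[password].append(system)
    return {pw: sorted(systems) for pw, systems in by_password.items() if len(systems) > 1}
```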
GDPRWise helps you map and document your security measures. From password policy to access management, everything in one place.