World Password Day 2026: Small Password Habits That Make a Big Security Difference

Summer Kirk
May 7, 2026

World Password Day is a useful reminder that some of the simplest security habits are still some of the most important.

Passwords may not feel exciting, but they remain one of the most common ways people access business systems, cloud platforms, email, banking, files, and customer information. When passwords are weak, reused, shared informally, or left sitting in old accounts, they create unnecessary risk.

The good news is that password security does not need to be complicated. A few consistent habits can make a real difference.

Why passwords still matter

Most people have more accounts than they can realistically remember. Work systems, Microsoft 365, accounting software, banking portals, CRM platforms, supplier portals, social media accounts, personal logins, and shared team tools all add up quickly.

That is where bad habits start to creep in.

People reuse the same password. They make small changes to an old password. They store passwords in browsers, spreadsheets, notebooks, Teams chats, or emails. Sometimes passwords are shared between staff because it seems faster at the time.

The issue is not that people are careless. The issue is that the old way of managing passwords no longer matches how many accounts businesses now rely on.

Start with strong, unique passwords

Every important account should have its own password. Reusing passwords across multiple accounts is one of the biggest risks, because if one service is breached, attackers may try the same username and password elsewhere.

A strong password should be long, hard to guess, and not based on personal information. Avoid names, birthdays, business names, pets, sports teams, suburbs, or predictable patterns.

But the real answer is not asking people to memorise dozens of complex passwords. That approach does not work well in practice.

The better approach is to use a password manager.

Use a password manager

A password manager allows you to store strong, unique passwords for each account without having to remember them all.

At Layer3, we use and recommend Keeper as a password management platform. It helps businesses move away from risky habits such as shared spreadsheets, reused passwords, browser-saved credentials, and passwords being sent through email or chat.

A good password manager can help with:

  • Creating strong passwords
  • Storing passwords securely
  • Sharing access with the right people
  • Removing access when staff leave
  • Reducing password reuse
  • Helping users avoid fake login pages
  • Giving management better control over business credentials

For a business, this is not just about convenience. It is about control. If a staff member leaves, changes role, or no longer needs access to a system, the business needs a clean way to manage that access.

Enable multi-factor authentication

A strong password is important, but it should not be the only line of defence.

Multi-factor authentication, or MFA, adds another step when signing in. This might be an authenticator app, security key, passkey, or another approved method.

MFA helps protect accounts even if a password is guessed, stolen, or exposed in a breach. It is especially important for email, Microsoft 365, banking, remote access, admin accounts, password managers, and any system containing sensitive business information.

Not all MFA methods are equal. SMS codes are better than having no MFA, but authenticator apps, security keys, and passkeys are stronger options where available.

The key point is simple: if an account supports MFA, turn it on.

Clean up old and unused logins

Old accounts are easy to forget about, but they can still create risk.

Businesses should regularly review:

  • Former staff accounts
  • Shared accounts
  • Old admin accounts
  • Supplier and contractor access
  • Unused cloud services
  • Dormant email accounts
  • Legacy systems that still allow sign-in
  • Accounts without MFA enabled

If an account is no longer needed, remove it. If it is still needed, make sure it has a strong unique password, MFA, and a clear owner.

This is especially important when staff leave the business. Offboarding should include more than disabling email. It should also include reviewing third-party systems, shared credentials, password vault access, admin rights, and any systems that sit outside the main Microsoft 365 environment.

Stop sharing passwords the wrong way

Sometimes teams need shared access to a supplier portal, marketing account, device admin login, or other business system. The risk comes from how those credentials are shared.

Passwords should not be sent through email, Teams, text messages, Word documents, spreadsheets, or sticky notes.

A password manager gives the business a better way to share access while keeping control over who can see, use, edit, or manage credentials. This also makes it easier to remove access later without changing every password manually or guessing who still has a copy.

Review privileged accounts first

If your business is not managed by an MSP like ourselves, you will need to prioritise: start with the accounts that can cause the most damage.

These include:

  • Global administrator accounts
  • Domain administrator accounts
  • Microsoft 365 admin accounts
  • Firewall and network device accounts
  • Backup system accounts
  • Finance and payroll systems
  • Password manager admin accounts
  • Remote access accounts
  • Business owner and executive accounts

These accounts should have strong passwords, MFA, limited access, and regular review. Admin rights should only be given to people who genuinely need them.
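
As an added example (not Layer3's or Keeper's tooling), the account review and the privileged-first ordering described above can be run over an exported account list. The CSV column names, the 90-day dormancy threshold and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample export; column names are assumptions, not a real product's schema.
SAMPLE_CSV = """account,owner,status,last_sign_in,mfa,privileged,shared
jane@example.test,Jane,active,2026-05-01,yes,no,no
old.admin@example.test,,active,2025-08-14,no,yes,no
bob@example.test,Bob,left,2026-04-20,yes,no,no
accounts-portal@example.test,Finance,active,2026-04-30,no,no,yes
backup-svc@example.test,IT,active,,yes,yes,no
"""

DORMANT_DAYS = 90  # assumed threshold; set it to match your own policy


def audit_accounts(csv_text, today, dormant_days=DORMANT_DAYS):
    """Return (account, findings) pairs, privileged accounts first."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = []
        if row["status"].strip().lower() == "left":
            findings.append("former staff account still present")
        last = row["last_sign_in"].strip()
        if not last:
            findings.append("no recorded sign-in")
        elif (today - date.fromisoformat(last)).days > dormant_days:
            findings.append("dormant")
        if row["mfa"].strip().lower() != "yes":
            findings.append("MFA not enabled")
        if not row["owner"].strip():
            findings.append("no clear owner")
        if row["shared"].strip().lower() == "yes":
            findings.append("shared account")
        if findings:
            privileged = row["privileged"].strip().lower() == "yes"
            results.append((privileged, row["account"], findings))
    # Privileged accounts first, then the accounts with the most findings.
    results.sort(key=lambda r: (not r[0], -len(r[2]), r[1]))
    return [(account, findings) for _, account, findings in results]


if __name__ == "__main__":
    for account, findings in audit_accounts(SAMPLE_CSV, date(2026, 5, 7)):
        print(f"{account}: {', '.join(findings)}")
```

Accounts with no findings are left out of the report, so an empty result means every listed account has an owner, MFA, and recent use.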

Make password hygiene part of normal business practice

Password security should not be a once-a-year activity. World Password Day is a good prompt, but the real value comes from making these habits part of normal operations.

That means:

  • Using a password manager as standard
  • Enforcing MFA where possible
  • Reviewing access during onboarding and offboarding
  • Removing old accounts
  • Keeping admin access limited
  • Training staff on phishing and fake login pages
  • Reviewing password and access policies regularly

Good security is not about making life harder for staff. It is about putting the right systems in place so the secure way is also the easy way.

A simple World Password Day checklist

Use World Password Day as a prompt to check the basics:

  1. Are your passwords unique across important accounts?
  2. Is MFA enabled on email, banking, admin, and remote access accounts?
  3. Are business passwords stored in a proper password manager?
  4. Are old accounts removed or disabled?
  5. Are shared passwords managed securely?
  6. Are former staff fully offboarded from all systems?
  7. Are admin accounts reviewed regularly?
  8. Are staff trained to spot fake login pages?

If you cannot confidently answer yes to these, it is worth taking action.

Need help improving password security?

Layer3 helps businesses across New Zealand improve their security posture with practical controls that work in the real world.

Password management, MFA, account reviews, staff offboarding, security awareness training, and access control are all part of building a safer business environment.

World Password Day is a good reminder, but better password security should be part of how your business operates every day.

Layer3 is an ISO 27001 certified MSP in Wellington with offices across New Zealand. Get strategy-first IT, security and managed support from Layer3.
Layer3 is a Silver Microsoft partner as well as an Authorised SPLA partner.