Task 4: Use Your Password Manager to Generate & Store Strong Passwords

Now that you’ve set up your password manager, it’s time to put it to work!

In this task, you’ll begin generating strong passwords, updating your existing accounts, and securely storing them in your vault.

This is the first step where your small business’ cybersecurity posture will take a major leap forward. Weak, reused, and forgotten passwords are one of the biggest security gaps in small businesses—but by the end of this task, you’ll have a secure and efficient system in place.

One thing to keep in mind is that you’ll probably want to install a browser extension to facilitate using your password manager for all of your website and web application logins. So do this first if you haven’t already.


Step 1: Prioritize Your High-Risk Accounts First

You don’t need to overhaul every single password immediately. Start with the accounts that pose the greatest risk if compromised:

  • Email accounts (especially business email)
  • Financial accounts (banking, payroll, accounting)
  • Cloud services (Google Workspace, Microsoft 365, etc.)
  • Critical SaaS platforms (CRM, project management tools, etc.)
  • Admin accounts on any business systems

Reset these accounts first with new, strong passwords generated by your password manager. Once you start using your password manager, you’ll quickly recognize how efficient it is. After all, you’ve already done the hard work of setting it up and learning how to use it!


Step 2: Use the Password Manager’s Generator Tool

Most password managers have a built-in password and passphrase generator. Use it to create strong passwords that are:

  • At least 16 characters long (more is better)
  • A mix of letters, numbers, and symbols
  • Unique for every account

Passphrases can also be a good option for accounts that you frequently need to type manually—but random strings offer the strongest protection where auto-fill is available. Either way, length is far more important than complexity!
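To see why length matters more than complexity, here is an added Python sketch (not taken from any particular password manager) that generates a password and a passphrase with a cryptographically secure random source and compares their strength in bits of entropy. The symbol set, the demo word list and the 7,776-word list size are assumptions chosen for illustration.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{}"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
ALPHABET = "".join(CLASSES)  # 80 possible characters per position

# Constructed 8-word list for illustration only; a real generator draws from
# a list of thousands of words (7,776 is assumed in the comparison below).
DEMO_WORDS = ["copper", "lantern", "orbit", "meadow", "violin", "granite", "puzzle", "harbor"]


def generate_password(length=16):
    """Random string from a CSPRNG with every character class present."""
    if length < 16:
        raise ValueError("use at least 16 characters")
    while True:  # redraw until all classes appear; each valid result is equally likely
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def generate_passphrase(wordlist, words=5, sep="-"):
    """Passphrase of independently chosen random words."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices_per_position, positions):
    """Bits of entropy when every position is chosen uniformly at random."""
    return positions * math.log2(choices_per_position)


if __name__ == "__main__":
    print(generate_password())
    print(generate_passphrase(DEMO_WORDS))
    for label, bits in [
        ("8 chars, letters+digits+symbols", entropy_bits(len(ALPHABET), 8)),
        ("16 chars, lowercase only", entropy_bits(26, 16)),
        ("16 chars, letters+digits+symbols", entropy_bits(len(ALPHABET), 16)),
        ("5 words from a 7,776-word list", entropy_bits(7776, 5)),
    ]:
        print(f"{label}: {bits:.1f} bits")
```

A 16-character password made only of lowercase letters comes out stronger than an 8-character password that mixes every character type, and each extra bit doubles the number of guesses an attacker needs.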


Step 3: Store Passwords Securely in the Vault

When you reset an account’s password, immediately store the new password in your password manager vault. The exact workflow for generating and saving passwords can vary depending on the password manager you’re using, but the goal is always the same: don’t lose track of the new password during the reset process.

One simple approach is to temporarily use a plain text editor like Notepad to hold the password just for a moment while you complete the reset steps. Here’s a workflow that works well:

  1. Generate a New Password — Use your password manager’s built-in generator.
  2. Copy It to a Temporary Notepad File — This acts as a quick “scratchpad” so you can easily copy it again if needed.
  3. Update the Password on the Account — Paste the new password into the application or website where you’re resetting it.
  4. Save the Password in the Vault — Immediately create or update the corresponding entry in your password manager, ensuring you record the correct username or email address.
  5. Test the Login — Log out and then log back in using the password manager to verify everything works correctly.
  6. Delete the Notepad File Immediately — Once verified, close and securely delete the notepad file to eliminate any chance of leftover sensitive data.

💡 Pro Tip: Some password managers offer a “clipboard history” or “clipboard lock” feature that automatically clears copied passwords after a few minutes. If available, this is a safer alternative to using a notepad.

For better organization, many password managers allow you to create folders or tags (like “Banking,” “Business Tools,” “Email,” etc.). This makes searching and managing your passwords easier as your vault grows.


Step 4: Clean Up Weak & Reused Passwords Over Time

After updating your high-risk accounts, gradually work through other accounts as you log into them. Whenever you access an account, check if it’s using a weak or reused password and take a moment to update it.

Some password managers can also scan for weak, reused, or compromised passwords, which can be a helpful feature. The real key is to 1) start using the password manager for every login, and 2) assume that any passwords not loaded into the manager are weak. In other words, follow the above process for all logins just to be safe.
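As an added illustration of what such a scan checks (this is not any password manager's own code), the Python sketch below flags entries that share a password or fall short of the 16-character minimum from Step 2. The entries are constructed samples, and the CSV column names are an assumed layout rather than a real product's format.

```python
import csv
import io
from collections import defaultdict

MIN_LENGTH = 16  # minimum length recommended in Step 2

# Constructed sample entries; the column names are assumed for this example.
SAMPLE_ENTRIES = """title,username,password
Business email,owner@example.com,Summer2023!
Payroll,owner@example.com,Summer2023!
Bank,owner@example.com,q7#Lm2@vX9!cTr4&Zp8w
CRM,sales@example.com,hunter2
"""


def audit(entries_csv, min_length=MIN_LENGTH):
    """Return the titles of entries with reused or too-short passwords.

    Only entry titles are returned, so the report never shows a password.
    """
    titles_by_password = defaultdict(list)
    short = []
    for row in csv.DictReader(io.StringIO(entries_csv)):
        titles_by_password[row["password"]].append(row["title"])
        if len(row["password"]) < min_length:
            short.append(row["title"])
    # Any password that appears under more than one title is reused.
    reused = sorted(sorted(t) for t in titles_by_password.values() if len(t) > 1)
    return {"reused": reused, "short": sorted(short)}


if __name__ == "__main__":
    report = audit(SAMPLE_ENTRIES)
    for group in report["reused"]:
        print("Same password used for:", ", ".join(group))
    for title in report["short"]:
        print(f"Shorter than {MIN_LENGTH} characters:", title)
```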


Step 5: Don’t Forget Your Computer Login

When we think of passwords, we often focus on online accounts and forget that your computer’s login password is one of the most critical keys to your business. If an attacker gains access to your device, they could bypass many of your other security measures—making your local login a vital line of defense.

Here’s how to ensure your computer login is secure:

Use a memorable passphrase: Like your master password, your computer login should be something you can reliably remember. Since your password manager can’t auto-fill this, we recommend a 5-6 word passphrase. This strikes a balance between strong security and ease of recall.

Store it securely in your password manager: Even though you’ll likely memorize it, storing it in your vault ensures you have a backup if you ever forget.

Keep a physical backup: Just like your master password, you may want to write down a copy and store it in a secure, locked location in case you’re ever locked out.

Make it strong and unique: Never reuse a password from another account – and never use the same password on two computers! This password guards the front door to all of your files and data—treat it with the same care as your online accounts.

Pro Tip: On macOS and Windows, you can configure your system to use an additional form of authentication (like a PIN or biometrics) before auto-filling the device login—adding another layer of protection while making the login process much easier.

Why This Matters

Password reset and integration is often the most tedious part of improving security—but it’s also the best place to start. By taking the time to ensure that your business accounts are protected by strong, unique passwords, you’re eliminating one of the biggest attack vectors that cybercriminals exploit.

Once this process is complete, you’ll be in a much stronger position to face down phishing attempts, credential stuffing attacks, and data breaches involving old passwords.