Your team reuses passwords. All of them do — yours too, probably. A password manager fixes it in an afternoon, and it is the highest-impact security spend you will ever make.
The scale of the problem
Stolen and weak credentials sit behind the overwhelming majority of business breaches — industry studies such as the Verizon Data Breach Investigations Report consistently attribute around 80% of hacking-related breaches to passwords. The Australian Signals Directorate reports a cybercrime incident roughly every six minutes nationally. The common thread in the cases we are called to clean up at Elevate is almost never a sophisticated hack. It is a password that was reused on a website that got breached three years ago.
Why your brain is the weak link
The average person now juggles around 100 online accounts. No human can invent and remember 100 unique, complex passwords, so they do the rational thing: they reuse one or two, with small variations. Attackers know this. They take the billions of username-and-password pairs leaked in past breaches and replay them automatically against banking, email, and Microsoft 365 logins. This is called credential stuffing, and because the passwords are real, traditional defences often do not flag it.
What a password manager actually does
It generates a genuinely random password for every account — typically 16 or more characters — stores them in an encrypted vault, and fills them in automatically. Your team memorises one strong master password and nothing else. Every other credential becomes long, unique, and effectively unguessable. Modern managers also flag reused or breached passwords, store passkeys, and let you share access to shared accounts without ever revealing the password itself.
The business case in numbers
A business-grade password manager costs roughly $5 to $8 per user per month. Compare that to the cost of a single compromised mailbox: industry breach studies put the average cost of a data breach in the millions, and even a contained incident routinely costs a small business tens of thousands in downtime, remediation, and lost trust. Set against a few dollars a month per user, the comparison is not close.
How we roll it out
At Elevate we deploy 1Password and Bitwarden for business. The process is simple: provision the team, import existing passwords from browsers, enable the browser and mobile apps, then run a 30-minute training session. Within a week, nobody on the team types a password from memory again. Pair it with multi-factor authentication and you have closed the two doors attackers use most. If you would like a hand, we will set it up and train your team — it is one of the fastest security wins we offer.
The number that should worry you
To grasp the scale, consider the breach-tracking service Have I Been Pwned, which now indexes well over 14 billion compromised accounts from past breaches. Every one of those leaked passwords is fuel for an automated attack against any site where it was reused. Put plainly: if your team has been online for a decade, some of their passwords are almost certainly already in a criminal database, waiting to be tried. A password manager neutralises this overnight, because the random password it created for your Microsoft 365 login exists nowhere else and matches nothing in those dumps. When we onboard a new client at Elevate, a breached-password audit is one of the first things we run — and it is rare to find a business with none. The fix is the same every time, and it takes an afternoon.
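As an added illustration (not Elevate's tooling and not code from this article), here is a minimal sketch of a reuse and breached-password audit over a browser-style password export, followed by generating a random replacement. The CSV rows, the breach set and all function names are constructed for the example; it assumes the breach corpus is available locally as SHA-1 hashes.

```python
import csv, hashlib, io, secrets, string
from collections import defaultdict

# Constructed sample of a browser password export; none of these are real accounts.
EXPORT_CSV = """url,username,password
https://login.microsoftonline.com,sam@example.com,Summer2021!
https://bank.example,sam@example.com,Summer2021!
https://forum.example,sam@example.com,summer2022
https://payroll.example,sam@example.com,x7#Qm2vLp9@Tz4Wd
"""

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"

def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a breach corpus, held as hashes rather than plaintext.
BREACHED_SHA1 = {sha1_hex(p) for p in ("Summer2021!", "password1")}

def base_form(password):
    """Collapse 'small variations': ignore case and trailing digits/symbols."""
    return password.lower().rstrip(string.digits + string.punctuation) or password

def audit(export_csv, breached_sha1):
    """Return (reused, variants, breached); only URLs are reported, never passwords."""
    exact, loose, breached = defaultdict(set), defaultdict(set), set()
    for row in csv.DictReader(io.StringIO(export_csv)):
        pw, url = row["password"], row["url"]
        exact[sha1_hex(pw)].add(url)       # identical password on several sites
        loose[base_form(pw)].add(url)      # same base word with a different suffix
        if sha1_hex(pw) in breached_sha1:  # password already present in a breach dump
            breached.add(url)
    reused = sorted(sorted(u) for u in exact.values() if len(u) > 1)
    variants = sorted(sorted(u) for u in loose.values()
                      if len(u) > 1 and sorted(u) not in reused)
    return reused, variants, sorted(breached)

def generate_password(length=16):
    """Random replacement drawn from the OS CSPRNG, as a password manager would."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

if __name__ == "__main__":
    reused, variants, breached = audit(EXPORT_CSV, BREACHED_SHA1)
    print("exact reuse:", reused)
    print("variant reuse:", variants)
    print("in breach set:", breached)
    print("replacement:", generate_password())
```

The variant check is what catches the "one or two passwords with small variations" habit: `summer2022` is absent from the breach set, yet it shares a base word with a password that is in it.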