Password management is one of the most basic but most frequently neglected aspects of cybersecurity in accounting firms. Weak, reused, or shared passwords are the most common route to unauthorised access to cloud accounting software, email accounts, and practice management systems — all of which contain highly sensitive client financial data.

This guide covers password best practice for accounting practices, how to implement a password manager, and why multi-factor authentication (MFA) must accompany good password hygiene.

Why password security matters for accounting practices

Accounting firms are high-value targets for cybercriminals. They hold financial data, tax records, payroll information, and personal identifiers for multiple clients in one place. A single compromised email account can expose years of client correspondence and the documents attached to it. A compromised cloud accounting login can give an attacker access to all clients visible in that account.

The most common attack methods for compromising accounts are:

Credential stuffing: attackers use lists of username and password combinations leaked from data breaches at other websites and try them against accounting software and email platforms. If you reuse the same password across multiple services, a breach at any one of them gives attackers a working credential for all the others.

Phishing: fake login pages that capture your credentials when you try to log in. Sophisticated phishing pages look identical to legitimate login screens and capture strong passwords just as easily as weak ones; the more advanced kits also prompt for the MFA code and pass it straight through to the real site.

Brute force attacks: automated tools that try common passwords against many accounts (password spraying) or a large number of guesses against one account. Lockouts and rate limiting slow this down on a live login page, but if a service's password database is stolen the hashes can be attacked offline at billions of guesses per second, and short or common passwords fall in minutes.

Multi-factor authentication (MFA) blunts credential stuffing and password guessing: even with the correct password, an attacker cannot log in without the second factor. It is weaker against phishing, because a fake login page can ask for the one-time code as well as the password and relay both to the genuine site within the code's validity window; only phishing-resistant factors such as FIDO2 security keys or passkeys, which are bound to the real site, close that gap. And MFA does not substitute for good password hygiene; it is a second layer of defence, not a replacement for the first.

Password best practice

Use strong, unique passwords for every service

A strong password is:

  • Long: at least 14 characters, and longer where the service allows. Length matters far more than mixing character types; 14 random lowercase letters carry more entropy than 8 characters drawn from the full keyboard.
  • Random: generated by a password manager rather than chosen by a person, or, for the few you must memorise (such as the manager's master password), three unrelated random words joined together.
  • Not based on personal information (names, dates, addresses, pet names, the firm's name).
  • Not a common word, phrase or keyboard pattern, and not a previous password with a digit or symbol added.

A unique password means using a different password for every service. If you use the same password for your Xero account and your email, a breach at either exposes both.

The practical barrier to unique passwords is memory — no one can remember twenty or thirty unique, strong passwords. This is exactly the problem that password managers solve.
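To make the length-over-complexity point concrete, here is an added worked example (not code from the original guide or from any of the password managers it names) that generates passwords the way a manager does, using the operating system's cryptographic random source, and compares the entropy and expected offline cracking time of several policies. The short word list and the two guess rates are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Constructed sample word list for the passphrase generator. A real
# deployment would load a large published list (the EFF long list has
# 7776 words); this short list exists only so the example runs offline.
SAMPLE_WORDS = [
    "ledger", "invoice", "harbour", "walnut", "quartz", "meadow", "copper",
    "saddle", "lantern", "velvet", "orbit", "cinder", "thistle", "maple",
    "anchor", "glacier",
]

# 52 letters + 10 digits + 32 punctuation symbols = 94 possible characters.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Uniformly random password drawn from `alphabet` using the OS CSPRNG."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 3, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Random words joined by `sep`: the 'three random words' pattern."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(symbols: int, pool_size: int) -> float:
    """Entropy of `symbols` independent uniform picks from a pool of `pool_size`."""
    return symbols * math.log2(pool_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random secret: half the keyspace on average."""
    return (2 ** bits / 2) / guesses_per_second


# Assumed guess rates for illustration only, not measured figures: a
# throttled online login page versus an offline attack on leaked hashes.
ONLINE_RATE = 10.0
OFFLINE_RATE = 1e10

if __name__ == "__main__":
    policies = [
        ("8 chars, full 94-symbol alphabet", 8, 94),
        ("14 chars, lowercase letters only", 14, 26),
        ("20 chars, full 94-symbol alphabet", 20, 94),
        ("3 words from a 7776-word list", 3, 7776),
    ]
    for label, n, pool in policies:
        bits = entropy_bits(n, pool)
        days = expected_crack_seconds(bits, OFFLINE_RATE) / 86400
        print(f"{label}: {bits:.1f} bits, offline attack ~{days:,.0f} days")
    print("generated password:  ", generate_password(20))
    print("generated passphrase:", generate_passphrase(3))
```

Run it and the table shows why the manager-generated 20-character password is the default and the three-word passphrase is reserved for the one secret a human has to carry: the 8-character complex password has less entropy than 14 plain lowercase letters, and neither survives an offline attack the way the generated one does.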

Use a password manager

A password manager is software that generates and stores strong, unique passwords for every service you use. You remember one master password to unlock the password manager; the manager remembers everything else.

For accounting practices, a business-tier password manager supports:

  • Individual vaults for personal credentials.
  • Shared vaults for credentials used by multiple team members.
  • Role-based access and audit logs (an admin controls who can see which shared vaults, and can see which shared credentials were accessed, by whom, and when).
  • Secure sharing of credentials with colleagues (no emailing passwords).
  • Automatic password generation.
  • Browser extensions for auto-fill.

Leading password managers for business use:

1Password Business: popular among professional services firms. Strong security architecture (end-to-end encryption), good admin controls, browser extensions for all major browsers. Competitive pricing per user per month.

Bitwarden Business: open-source password manager with strong security credentials. More cost-effective than 1Password, with a free tier available for individuals. Less polished interface but functionally equivalent.

Dashlane Business: strong security monitoring features including dark web monitoring for exposed credentials. Higher price point than 1Password or Bitwarden.

Keeper Business: enterprise-grade security features, strong admin controls. Well-suited to larger practices with more complex access management requirements.

For any of these, the business tier (rather than individual accounts) is essential so the firm has visibility of which credentials are held, can revoke access when staff leave, and can audit shared credential use.

Change compromised passwords immediately

Most password managers include a breach monitoring feature that alerts you when a credential you store appears in a known data breach. When this happens, change the compromised password immediately. Do not wait to see whether there is any impact — change it first, investigate second.

Reputable cloud services also alert users when suspicious login activity is detected. Act on these alerts promptly.

Multi-factor authentication: layer two

MFA adds a second verification step beyond the password — typically a six-digit code from an authenticator app, a push notification, or an SMS code. Even if an attacker has your password, they cannot log in without the second factor.

Authenticator apps vs SMS

SMS-based MFA (a text message with a code) is better than no MFA but is vulnerable to SIM swapping attacks — where an attacker convinces a mobile carrier to transfer your phone number to a SIM they control. Authenticator app-based MFA (Google Authenticator, Microsoft Authenticator, Authy, 1Password's built-in authenticator) is significantly more secure.

For all critical accounting practice systems (email, cloud accounting software, practice management) use authenticator app-based MFA rather than SMS where the option is available. Where a system also supports FIDO2 security keys or passkeys, prefer those for the highest-value accounts: they are bound to the genuine site and cannot be relayed through a phishing page the way a typed code can.

Enforcing MFA across the practice

For practices using Microsoft 365 or Google Workspace, MFA can be enforced at the organisational level through the admin console — meaning staff cannot access accounts without completing MFA, regardless of their individual preferences.

For cloud accounting software:

  • Xero: MFA is mandatory for all Xero logins (Xero made it compulsory for every user in 2021), so there is nothing to enforce at practice level beyond checking that staff enrol with an authenticator app.
  • QuickBooks Online: MFA is available and Intuit has been progressively making it mandatory.
  • Sage: MFA available across cloud products.

Create a policy that MFA is required for all cloud systems accessed by practice staff, and enforce it technically where the platform allows.

Shared credentials: the hidden risk

Many accounting practices share credentials for some services — a shared email account for a particular service, a shared admin login for a platform, or a single login shared among multiple staff. This creates several problems:

  • If the credential is compromised, you cannot identify which team member was responsible.
  • When a staff member leaves, shared credentials must be changed (and this is often forgotten).
  • The access and audit controls that protect individual accounts do not apply to shared accounts.

Use a business password manager with shared vaults for any credential that multiple team members need to access. The credential lives in the shared vault and the manager fills it in, so nobody has to memorise or type it. Revoking a leaver's vault access stops them looking it up again, but anyone who could auto-fill a password could also have revealed or copied it, so still rotate shared credentials when a staff member leaves; the vault turns that rotation into a single update rather than a round of emails.

Offboarding: revoking access when staff leave

When a staff member leaves the practice, their access to all systems must be revoked promptly — ideally on the day they leave. This includes:

  • Email account (Microsoft 365 / Google Workspace).
  • Cloud accounting software (Xero, QuickBooks, Sage — remove user accounts).
  • Practice management software (Karbon, TaxDome, Iris).
  • Any shared password vaults they had access to.
  • Any personal devices or accounts that were granted access to practice resources (remove the device and revoke the access grant itself, not just the user account).

Create an offboarding checklist that includes every access revocation step, and assign a named person responsible for completing it on each departure.

Key takeaways

  • Credential stuffing (using passwords leaked from other breaches) is the most common route to unauthorised access in accounting practices — unique passwords for every service prevent this.
  • A business-tier password manager (1Password, Bitwarden, Dashlane) solves the practical barrier to unique passwords and adds team management, shared vaults, and access control.
  • MFA using an authenticator app is significantly more secure than SMS-based MFA and should be enabled on all critical practice systems.
  • Shared credentials hide individual accountability and create offboarding risk — replace shared logins with shared vault credentials in a business password manager.
  • Include all access revocation steps in a formal offboarding checklist and complete it on the day each staff member leaves.

Frequently asked questions

What is the minimum password length for accounting practice systems?

Length and randomness matter more than character mix. The NCSC's guidance favours long passwords (its "three random words" advice for the ones you must remember) and recommends against mandatory complexity rules, because forcing symbols and numbers produces predictable substitutions such as "Pa$$w0rd1". For any account holding client financial data (email, cloud accounting software, practice management) treat 14 characters as the practical minimum, and let the password manager generate 20 or more random characters for anything it stores, since a generated password has no memorisation cost.

Is it safe to store passwords in a browser's built-in password manager?

Browser-based password managers (Chrome, Safari, Edge, Firefox built-in storage) are acceptable for personal use but unsuitable for a practice handling client data. They are tied to an individual's browser profile or personal cloud account, which the firm cannot see, manage or revoke; they offer no shared vaults, access controls or audit trail; and they sync wherever that personal account is signed in, including devices the practice does not control. For business use with client data, use a dedicated business-tier password manager.

What should I do if a staff member refuses to use a password manager?

This is a policy compliance issue, not an optional preference. Password management is a security requirement; the consequences of inadequate password hygiene include personal data breaches under the UK GDPR, professional indemnity claims, and regulatory enforcement. Make clear that use of the practice's password manager is a condition of employment. Provide training on how to use it; most resistance comes from unfamiliarity rather than genuine objection. If a staff member is struggling with the tool, provide one-to-one support.

How do I manage passwords for clients who share their accounting software login with us?

Where clients share their accounting software credentials with the practice for access purposes, store those credentials in the practice's password manager in a client-specific vault or record. Do not encourage clients to share credentials at all where the software allows proper agent access — Xero and QuickBooks both allow practice access without sharing the client's own login. Where credential sharing is unavoidable, ensure the client is made aware and changes their password after the engagement ends.

Do password managers themselves get hacked?

Password manager providers are high-value targets and have experienced security incidents, most notably the LastPass breach in 2022, which exposed encrypted password vaults. The major business-tier password managers (1Password, Bitwarden, Dashlane, Keeper) use architectures in which the master password is never transmitted to or known by the provider, so a stolen vault cannot be opened without it. That protection is only as strong as the master password and the key-derivation settings, though: after the LastPass breach, vaults belonging to users with weak master passwords or legacy low iteration counts were exposed to offline cracking, which is why the master password should itself be a long random passphrase. 1Password additionally uses a Secret Key, a separate random value stored only on your devices, so a vault stolen from the provider cannot be cracked from the master password alone.