Password123 Must Die: The Team Conversation

The Transcrypt Team
Compliance Engineering

Practical change management

How to change your security culture without losing your staff


I knew we had a problem when I found Kev's password written on a Post-it note stuck to his monitor.

"Password123."

He'd added an exclamation mark at the end because the system made him include a special character. "Password123!" He was genuinely proud of that workaround.

This is the conversation every small business owner dreads. The one where you tell people who've been doing things their way for years that their way isn't good enough anymore. The one that can turn your team against you faster than a pay cut.

Here's how we did it without causing a mutiny.

Start With Why (And Make It Personal)

Nobody changes behaviour because of abstract threats. "Hackers might target us" means nothing to someone who's been using the same password since 2015.

You need to make it real.

I gathered everyone together and told them about a business I'd heard of - similar size to ours, similar industry - that got hit by ransomware. Locked out of everything. Customer data gone. Three weeks to recover. Nearly finished them.

Then I said: "If that happens to us, we don't have three weeks of cash reserves. We'd be done. All of us. No jobs. No wages. No Simpson & Sons."

Suddenly it wasn't about IT policy. It was about their mortgages.

Acknowledge the Pain

Here's what most IT people get wrong: they act like good password practice is easy and anyone not doing it is an idiot.

It's not easy. It's annoying. Remembering multiple complex passwords for different systems is genuinely difficult, especially if you're not someone who lives on computers all day.

I said that out loud. "I know this is a pain. I know you've got a system that works for you. I know I'm asking you to change something that feels unnecessary. I'm asking anyway, because I need to keep this business - and your jobs - safe."

Acknowledging the inconvenience before asking for change took half the resistance out of the room.

Give Them Tools, Not Just Rules

"Use complex unique passwords for everything" is useless advice if you don't help people actually do it.

We introduced a password manager. One master password to remember, and the software handles everything else. Danny set it up on everyone's machines, sat with each person individually, walked them through it.

Kev took the most convincing. "I don't trust computers to remember things for me." Danny showed him how it worked, let him practice, answered every question without making him feel stupid.

By the end of the week, Kev was showing Sandra a feature she hadn't discovered yet. Convert your biggest sceptic and they become your biggest advocate.

Make the First Week Easy

We didn't change everything at once. First week: just get the password manager installed and get everyone's existing passwords into it. That's it. No pressure to change anything yet.

Second week: start updating the critical systems. Email. Accounting software. Customer database. Danny helped anyone who needed it.

Third week: everything else. By then, people had the hang of it. The tool was familiar. The fear was gone.

Gradual change beats sudden upheaval every time.

Create Peer Support

Sandra picked it up fastest. Within days she was helping others without being asked. We leaned into that.

"If you're stuck, ask Sandra or Danny before you come to me" took the pressure off and created a support network. People are more likely to admit they're struggling to a colleague than to the boss.

Now we have a culture where asking for help with tech stuff is normal. No shame, no judgement. That's worth more than any policy document.

Handle the Holdouts With Care

There's always one. For us, it was actually our part-time driver, Malcolm. Sixty-four years old, barely uses the computer, couldn't see why any of this applied to him.

Instead of forcing the issue, Danny found out which systems Malcolm actually needed access to. Turned out it was just email and the delivery scheduling app. Two passwords. That's it.

We set him up with the password manager for just those two things. Simple. Manageable. Met him where he was instead of where we wanted him to be.

Not everyone needs the full solution. Tailor it to the person.

Celebrate the Wins

When we passed our Cyber Essentials assessment, I made a point of telling everyone that password security was one of the areas we'd scored well on. Because of them. Because they'd changed.

Small celebration. Biscuits in the break room. A genuine thank you.

People need to know that the pain led to something. That their effort mattered. Otherwise, why would they bother next time you ask them to change?

The Ongoing Battle

Password security isn't a one-time fix. It's a culture.

We do quarterly refreshers now. Quick sessions where Danny shares the latest scams, reminds people of best practice, answers questions. It's become routine. Normal. Just part of how we work.

Kev still grumbles occasionally. But his passwords are strong, unique, and nowhere near a Post-it note. That's victory.

What Actually Worked

Looking back, these were the things that made the difference:

Made it personal. Jobs and livelihoods, not abstract threats.

Acknowledged the difficulty. Respected their existing habits before asking for change.

Provided tools. Didn't just demand better passwords - gave them a way to manage them.

Went gradual. One week at a time, not everything at once.

Created peer support. Sandra and Danny as first responders, not just me lecturing.

Tailored to individuals. Malcolm got a simpler version. That's fine.

Celebrated success. Made sure they knew it mattered.

Password123 Is Dead

It took about a month to fully embed. A month of patience, support, and occasional hand-holding.

But Password123 is dead at Simpson & Sons. So is Summer2019. So is the name of Kev's dog followed by his birth year.

In their place: strong, unique, properly managed passwords across every system.

And not a single mutiny.


Jim Simpson is an SME Cyber Resilience Consultant with Transcrypt. Kev has asked us to confirm that his dog is called Buster and is "a very good boy regardless of password implications."


About the Author

"We are building the operating system for compliance. Transcrypt removes the ambiguity from regulatory frameworks, turning them into deterministic, executable code."