Most small business password policies were written based on guidance that's over a decade old. The National Institute of Standards and Technology (NIST) — the body that sets cybersecurity standards for the US — updated its recommendations significantly, and the old rules didn't make the cut.

Here's what's actually broken, and what to do instead.

01 Mandatory 90-day resets backfire

The logic seemed sound: if attackers steal your password, forcing regular resets limits how long it stays useful. The problem is how humans actually behave under that pressure. When employees are forced to change passwords constantly, they make predictable changes — Summer2024! becomes Fall2024! becomes Winter2025! — or they start cycling through a small rotation of passwords they reuse across accounts.

NIST now recommends only requiring password changes when there's evidence of compromise, not on a fixed schedule. Length and uniqueness matter far more than rotation frequency.

Outdated policy

  • Reset every 90 days
  • Must include capital + number + symbol
  • Cannot reuse last 5 passwords
  • Max 12 characters

NIST 2025 guidance

  • Change only when compromised
  • Length over complexity
  • Use a password manager
  • Enable MFA everywhere

02 Complexity requirements create weak passwords

When you tell people their password must contain an uppercase letter, a number, and a special character, they do the minimum required: they take a word they already know and apply the same predictable modifications. Password1! meets most complexity requirements and is trivially crackable.

Length is the real security lever. A 16-character passphrase made of four random words — something like "correct-horse-battery-staple" — is orders of magnitude harder to crack than an 8-character password full of substitutions, and far easier to remember.

Password strength comparison

  Password                        Rating      Note
  P@ssw0rd!                       Weak        cracked in seconds
  Tr0ub4dor&3                     Moderate    but memorable
  coffee-lamp-river-41            Strong      length wins
  [password manager generated]    Best        random, unique, stored safely
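As an added example (not part of the original article), the small Python checker below encodes the two policies side by side: the outdated composition rules from the list in section 01, and a NIST SP 800-63B style check that looks only at length and a blocklist of breached or common passwords. The 15-character minimum is SP 800-63B's figure for a password used as the sole authentication factor; the blocklist entries and the company name "acme" are constructed stand-ins for a real breached-password list and a real context word.

```python
import re

# Constructed mini blocklist standing in for a real breached/common-password feed.
# Season names are here because forced rotation produces Summer2024! -> Fall2024!.
BLOCKLIST = {"password", "p@ssw0rd", "qwerty", "letmein", "123456",
             "welcome", "summer", "fall", "winter", "spring"}

# Constructed context-specific words (company name, product) that should never
# appear in a password. SP 800-63B calls these out alongside the blocklist.
CONTEXT_WORDS = ("acme",)


def legacy_policy(pw: str) -> list[str]:
    """The outdated ruleset: 8-12 chars, must contain upper + digit + symbol."""
    problems = []
    if not 8 <= len(pw) <= 12:
        problems.append("length must be 8-12")
    if not re.search(r"[A-Z]", pw):
        problems.append("needs an uppercase letter")
    if not re.search(r"\d", pw):
        problems.append("needs a digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("needs a symbol")
    return problems


def normalize(pw: str) -> str:
    """Lower-case and strip leading/trailing digits and symbols, so the
    predictable decorations in Password1! or Summer2024! fall away and the
    dictionary core can be compared against the blocklist."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())


def nist_policy(pw: str) -> list[str]:
    """SP 800-63B style: length and blocklist only, no composition rules."""
    problems = []
    if len(pw) < 15:  # minimum when the password is the only factor
        problems.append("shorter than 15 characters")
    if pw.lower() in BLOCKLIST or normalize(pw) in BLOCKLIST:
        problems.append("matches a breached/common password (after stripping trivial substitutions)")
    for word in CONTEXT_WORDS:
        if word in pw.lower():
            problems.append(f"contains context-specific word {word!r}")
    if re.search(r"(.)\1{3,}", pw):
        problems.append("contains a run of four or more repeated characters")
    return problems


if __name__ == "__main__":
    for pw in ("P@ssw0rd!", "Tr0ub4dor&3", "Summer2024!", "coffee-lamp-river-41"):
        print(f"{pw:24} legacy={legacy_policy(pw) or 'OK'}  nist={nist_policy(pw) or 'OK'}")
```

Running it shows the outcomes inverted: the legacy rules accept P@ssw0rd! and Tr0ub4dor&3 and reject coffee-lamp-river-41 for being too long, while the NIST-style check does the opposite.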

03 Password reuse is the real epidemic

The most common way business accounts get compromised isn't a sophisticated hack — it's credential stuffing. Attackers take username/password combinations leaked from one breach (LinkedIn, Adobe, Dropbox — all have had massive breaches) and automatically try them against Microsoft 365, banking portals, and business applications.

If your employee uses the same password for their work email and a breached website, your business email is compromised the moment that breach data hits the dark web. Unique passwords for every account are non-negotiable. The only practical way to achieve this is a password manager.

Check your exposure: Visit haveibeenpwned.com and enter your business email domain. You may find your employees' credentials have already been leaked in past breaches you never knew about.

04 The fix: password manager + MFA

These two controls together eliminate the vast majority of password-related breaches. A password manager generates and stores a unique, random, long password for every account — your employees only need to remember one master password. It removes all the human behavior problems: reuse, weak complexity substitutions, predictable patterns.

Multi-factor authentication (MFA) adds a second layer so that even if a password is stolen, it can't be used without access to your phone or an authenticator app. Enable it on every account that supports it — especially Microsoft 365, Google Workspace, banking, and your line-of-business applications.

Bottom line: A password manager costs around $3–5 per user per month. A single credential-based breach for a small business costs an average of $108,000 in downtime, remediation, and data recovery. The math is simple.