Your business almost certainly forces employees to change their password every 90 days. It probably requires an uppercase letter, a number, and a special character. Both of those rules were considered best practice for two decades.
Both are now formally recommended against by the federal government, and they are making your business less secure rather than more.
This is not a fringe opinion. It is the current position of the National Institute of Standards and Technology, and it has been building for years. If your password policy still looks the way it did in 2015, you are not being cautious. You are following guidance that the evidence has since overturned.
What Changed
NIST finalized Special Publication 800-63B-4 on July 31, 2025, superseding the previous revision the following day. It is the most significant update to federal password guidance in nearly a decade, and it closed the door on rules that earlier versions had merely discouraged.
Why the Old Rules Backfired
The logic behind 90-day rotation seemed airtight: change passwords often, and a stolen one has a short shelf life. The reasoning failed because it modeled passwords as a math problem rather than a human one.
What people actually do when forced to rotate is entirely predictable. Summer2025! becomes Summer2026!. Password1 becomes Password2. The pattern is so consistent that attackers explicitly account for it, and it makes things worse in a specific way: once any version of the password has appeared in a breach, every future version is trivially guessable. Rotation converted a single compromised credential into a permanently compromised account.
The rest of the fallout is familiar to anyone who has walked through an office. Sticky notes under keyboards. A spreadsheet named passwords.xlsx. Simpler base passwords chosen because they have to be memorized four times a year.
Composition rules failed for the same reason. Told to add a special character, people add an exclamation point at the end. Told to add a number, they add a 1. The rule does not increase entropy in practice, because everyone satisfies it the same way. Meanwhile it blocks genuinely strong passphrases and pushes users toward frustration, which pushes them toward shortcuts.
NIST's own rationale is blunt about it: length is the primary driver of password strength, and nearly every rule imposed on users degrades the quality of what they choose.
The Compliance Caveat
This matters for our regulated clients, so it is worth being precise.
NIST 800-63B is guidance. It is binding on federal agencies, and it is the reference standard nearly everyone else builds against. It is not, by itself, law for a private business.
Where a specific regulation still mandates rotation, the regulation wins. Some healthcare requirements, certain government contracts, and some cyber insurance questionnaires still ask for periodic change. If your auditor requires it, do it and stop reading this section.
The picture is shifting, though. PCI DSS 4.0 now offers an alternative to the traditional 90-day change requirement when dynamic analysis of account security posture is in place. Other frameworks have moved similarly, evaluating whether access controls are effective rather than prescribing a rotation cadence.
The practical answer for most businesses is to align with NIST, document the risk-based rationale for the decision, and be able to show an auditor the compensating controls: length requirements, blocklist screening, and phishing-resistant MFA. That documentation is the deliverable. We handle it as part of compliance management, and our PCI and HIPAA compliance best practices guide covers the broader framework.
What Actually Works
Four things, in order of impact.
Length over complexity. A long passphrase beats a short scramble, and people can actually remember it. correct horse battery staple style passphrases are both stronger and easier than P@ssw0rd!. Set the floor at 15 characters where you can, accept 64, and stop dictating what characters go in them.
Blocklist screening. This is the highest-value control on the list and the one almost no small business has. Every new password gets checked against a list of common and known-breached credentials at the moment it is created. If it appears, it gets rejected. This single control does more than composition rules ever did, because it targets the actual failure mode: people choosing passwords that are already in an attacker's dictionary.
MFA everywhere it fits. Length and screening reduce the odds a password gets guessed. Multi-factor authentication reduces what an attacker can do with one they already have. These are complementary, not alternatives. Worth noting that MFA is not absolute either, as our coverage of QR codes being exploited to bypass MFA shows.
A password manager. Rotation stopped being necessary. Uniqueness did not. Every account still needs its own password, and no human being can do that across 80 accounts without help. The password manager is what makes the rest of the policy achievable rather than aspirational.
The Problem Nobody Puts in the Policy
Formal policy governs the passwords employees choose for themselves. It does not touch the ones they share, and shared credentials are where most small businesses actually bleed.
Every business has these:
- The one admin account four people use, whose password has not changed since the person who created it left
- The vendor portal login shared across the accounting team, sitting in a Slack message from 2023
- The company social media password on a whiteboard
- The credentials for the tool the marketing person set up, which nobody else has, and which will become an emergency the week they take vacation
- The spreadsheet, which is the single most common credential management system in American small business
None of this appears in the policy document, and all of it is the real attack surface. A shared credential has no owner, no rotation trigger when someone leaves, and no audit trail when it gets used. It is a permanent, untracked key.
This is the actual reason a business needs a password management platform, and it has almost nothing to do with individual password strength.
What a Business Password Manager Actually Does
It gets sold as a vault. The vault is the least interesting part.
Shared vaults with real access control. Credentials get shared by role, not by Slack message. When someone changes teams, their access changes with them.
Revocation that works. When an employee leaves, you remove their access and every shared credential they had is gone from their possession. Compare that to today, where offboarding an employee who knew the shared admin password means changing the shared admin password and hoping you remembered every place it was used.
Visibility. You can see which credentials are weak, which are reused across accounts, and which have appeared in a breach. Most businesses have never had this view and are surprised by it. Reuse is always worse than leadership expects.
Breach integration. Good platforms check stored credentials against breach data continuously, which pairs directly with dark web monitoring. Monitoring tells you a credential leaked. The manager tells you everywhere that credential was used, which is the question you actually need answered at 2am.
Audit trail. For regulated businesses, knowing who accessed which credential and when is the difference between a control and a claim.
Secure onboarding. New hires get the right credentials on day one without anyone emailing a password.
Offboarding Is the Whole Ballgame
If you take one operational point from this article, take this one.
The most common credential failure in small business is not a weak password. It is a departed employee who still has working access to something. Personal accounts get disabled during offboarding because they are in a checklist. Shared credentials do not, because nobody knows the full list.
A former employee with a live vendor portal login is a problem that persists indefinitely and surfaces at the worst possible time. Our MSSP security operations guide covers the monitoring side, but the structural fix is having every shared credential in a system that knows who has it.
Privileged Accounts Deserve More
Not every credential carries the same risk. The domain admin account, the account with financial authority, the credential that can reconfigure your firewall, and the one holding your backups all deserve stricter treatment than a login for a marketing tool.
That means separate accounts for administrative work rather than admin rights bolted onto daily-use accounts, stronger authentication on those accounts specifically, and monitoring of when they are used. This is the Zero Trust principle applied to credentials: assume any given password may already be compromised and design so that it does not matter much. Our Zero Trust guide for small businesses walks through the broader model.
Where It Fits
Password management is one layer in a credential security posture that includes MFA, breach monitoring, security awareness training, and access governance. Alone it is a convenience tool. Wired into the rest, it is what makes a stolen credential a non-event.
The goal was never perfect passwords. It is making passwords matter less.
Common Questions
How often should employees change their passwords?Only when there is evidence of compromise, according to current NIST guidance. Mandatory periodic rotation is now advised against because it produces predictable incremental changes like Summer2025 becoming Summer2026, which provide no real security benefit and can make a previously breached password easier to guess. If a specific regulation still requires rotation for your business, follow the regulation.
Does NIST still require special characters and numbers?No. NIST advises against imposing composition rules. Requiring specific character types leads users to predictable patterns that do not meaningfully increase strength, while blocking strong passphrases. Length and blocklist screening are the recommended replacements.
What is the minimum password length NIST recommends?Eight characters is the required minimum, with 15 characters recommended, and systems should accept passwords of at least 64 characters so passphrases work.
Does my business really need a password manager?If your team shares any credentials, yes. The strongest argument is not individual password strength. It is that shared credentials have no owner, no revocation path when someone leaves, and no audit trail. A spreadsheet cannot do those things.
Is a password manager safe? What if it gets breached?It concentrates risk, which people rightly ask about. The honest comparison is against the alternative, which is credential reuse across dozens of accounts, passwords in spreadsheets, and shared logins in chat history. A reputable platform with zero-knowledge encryption and MFA on the vault is a substantially better risk position than the status quo it replaces.
Do we still need passwords if we have MFA?For now, yes, though the direction of travel is toward phishing-resistant authentication like passkeys that reduce the password's role. MFA and password hygiene solve different problems. MFA limits what a stolen password enables. Good password practice limits how often one gets stolen in the first place.
Should we let employees use their personal password manager?No. A personal manager has no administrative visibility, no revocation when they leave, and no audit trail. When they depart, the credentials leave with them.
Fixing This Is Not Expensive
Password management is one of the lowest-cost, highest-return security controls available to a small business. The obstacle is rarely budget. It is that nobody owns it, so the spreadsheet persists and the shared admin account keeps working for people who left two years ago.
Harbour Technology Consulting has helped businesses across Dayton, Cincinnati, Columbus, and Indianapolis modernize credential practices for more than 20 years, including banking, healthcare, and manufacturing environments where the policy has to satisfy an auditor as well as an attacker.
Contact us for a credential security assessment, or call (937) 428-9234.
Related Reading
- Dark Web Monitoring for Business: What It Finds and Why It Matters
- Zero Trust Security Guide for Small Businesses
- Empower Your Team with Cybersecurity Best Practices Training
- PCI and HIPAA Compliance Best Practices Guide
- Comprehensive Cybersecurity Risk Assessment Guide
- QR Codes Exploited to Bypass MFA Protections






