
CyberHealth

NIST’s Updated Password Best Practices: What You Need to Know

March 7, 2025

Passwords remain a major weak link in cybersecurity. Whether it's reusing the same password across multiple sites or falling for phishing attacks, poor password hygiene continues to fuel data breaches. To combat this, the National Institute of Standards and Technology (NIST) has updated its cybersecurity framework, including new guidance on password security best practices.

For manufacturers, suppliers, and anyone handling sensitive business data, these updates provide a roadmap to stronger password policies without sacrificing usability. Here are the key takeaways and what they mean for your organization:

1. Stop Expiring Passwords Arbitrarily

For years, IT policies have forced users to change passwords every 60 or 90 days. However, research shows that frequent password resets lead to weaker passwords, as users tend to make only small, predictable changes. NIST now recommends requiring a password change only if there is evidence of compromise (such as a breach or suspected account takeover).

💡 Action: Update your internal policies to eliminate unnecessary password resets and instead focus on detecting compromised credentials.


2. Length Beats Complexity

Many password policies still enforce complexity rules — requiring uppercase letters, numbers, and special characters — but these rules often encourage weak, hard-to-remember passwords like "P@ssw0rd123!". Instead, NIST recommends prioritizing longer passphrases (e.g., "CorrectHorseBatteryStaple").

💡 Action: Set a minimum password length of 12–16 characters and encourage users to use passphrases instead of short, complex passwords.


3. Ban Common and Compromised Passwords

Users frequently choose weak passwords, like "123456" or "qwerty". Even complex passwords become useless if they’ve been exposed in data breaches. NIST recommends blocking passwords found in known breach databases and preventing users from selecting commonly used passwords.

💡 Action: Use a password filtering service, such as Have I Been Pwned’s API, to check for compromised passwords in real time.
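As an added example that is not part of the original article, the following Python script puts sections 2 and 3 into code: a validator that enforces a length floor instead of composition rules, checks a common-password deny list, and performs a breach lookup in the k-anonymity style of the Have I Been Pwned range API (only the first five hex characters of the password's SHA-1 leave the client). There is deliberately no maximum password age, matching section 1. The offline fetcher, the tiny breach corpus it serves, and the deny-list entries are constructed for the demo; `fetch_range_live` is the equivalent network call for real use. Widely published example passphrases, including the one quoted in section 2, are themselves on every deny list, and the demo reflects that.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, List

# Policy values assumed here follow the article: minimum length 12-16,
# no composition rules, no arbitrary expiry. The ceiling only protects the
# hashing backend from pathological inputs; it is not a usability limit.
MIN_LENGTH = 12
MAX_LENGTH = 128

# Constructed deny list of commonly used passwords, stored lowercase.
# A real deployment loads a much larger list (tens of thousands of entries).
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein",
    "p@ssw0rd123!", "correcthorsebatterystaple",
}

# Real HIBP range endpoint: GET <url><first 5 hex of SHA-1>, response is
# lines of "<remaining 35 hex>:<breach count>".
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the digest format the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_response(body: str, suffix: str) -> int:
    """Return the breach count for `suffix` in a range response, 0 if absent."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        cand_suffix, _, count = line.partition(":")
        if cand_suffix.upper() == suffix.upper():
            try:
                return int(count)
            except ValueError:
                return 0  # malformed line: treat as no match rather than crash
    return 0


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: only the 5-char prefix is sent; matching is local."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_response(fetch_range(prefix), suffix)


def fetch_range_live(prefix: str) -> str:
    """Network fetcher for production use (not exercised in the offline demo)."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"Add-Padding": "true"},  # documented option: pads response size
    )
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the HIBP service: a tiny "breach corpus" whose
# hashes are served in the same suffix:count format as the real API.
_CONSTRUCTED_BREACH_CORPUS: Dict[str, int] = {
    "P@ssw0rd123!": 4281,
    "winter2024!!": 17,
    "Tr0ub4dor&3": 902,
}


def fetch_range_offline(prefix: str) -> str:
    lines = []
    for pw, count in _CONSTRUCTED_BREACH_CORPUS.items():
        digest = sha1_upper(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    # The real service returns hundreds of lines per prefix; an empty body here
    # simply means nothing in the constructed corpus shares the prefix.
    return "\r\n".join(lines)


def evaluate_password(password: str, fetch_range: Callable[[str], str]) -> List[str]:
    """Return policy violations in fixed order; an empty list means acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password deny list")
    count = pwned_count(password, fetch_range)
    if count > 0:
        problems.append(f"found in known breaches ({count} times)")
    return problems


if __name__ == "__main__":
    for candidate in ["P@ssw0rd123!", "CorrectHorseBatteryStaple",
                      "winter2024!!", "glacier-lantern-quartz-umbrella"]:
        verdict = evaluate_password(candidate, fetch_range_offline) or ["OK"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

The validator never rejects a password for lacking a digit or symbol, and the only time-based trigger for a reset would be a non-zero breach count at login or password-change time. Swap `fetch_range_offline` for `fetch_range_live` to query the real service; the lookup logic is identical.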


4. Say Goodbye to Secret Questions

Security questions (like "What’s your mother’s maiden name?") were once a popular backup method for account recovery. However, attackers can often guess or find these answers online, making them unreliable. NIST advises against using them as a security measure.

💡 Action: Disable security questions as an authentication method and require more secure recovery options, such as multi-factor authentication or email-based verification.


5. Multi-Factor Authentication (MFA) Is a Must

NIST strongly recommends enabling multi-factor authentication (MFA) to protect accounts from unauthorized access. However, SMS-based authentication is no longer considered sufficient due to SIM-swapping attacks.

💡 Action: Require phishing-resistant MFA, such as hardware security keys (FIDO2/WebAuthn) or authenticator apps (Duo, Google, or Microsoft Authenticator).


6. Password Managers Are Encouraged

Since users struggle to create and remember strong passwords, NIST encourages organizations to promote the use of password managers. These tools generate, store, and autofill strong passwords, reducing reliance on human memory and eliminating the temptation to reuse passwords.

💡 Action: Provide employees with enterprise-grade password managers (such as 1Password, Bitwarden, or Dashlane) and integrate them into your IT policies.

How PMMI Members Can Strengthen Password Security

As cybersecurity threats evolve, so should your organization's approach to password security. NIST's updated guidelines help eliminate outdated, ineffective policies and replace them with practical, security-first best practices.

Eliminate administrator-forced password resets unless evidence of compromise exists.
Require longer passwords or passphrases instead of enforcing complexity rules.
Block breached or common passwords using filtering tools.
Ditch security questions and upgrade recovery methods.
Mandate MFA — preferably phishing-resistant authentication.
Deploy password managers to reduce password fatigue and reuse.

By implementing these changes, manufacturers and suppliers can reduce password-related risks significantly and strengthen their overall cybersecurity posture.

Have questions about improving cybersecurity in your organization? Stay tuned to PMMI CyberHealth for the latest industry insights!