TL;DR: The old password rules (change every 90 days, capital letter + number + special character) are outdated and actually make your business more vulnerable. The new NIST standard revolves around long password phrases without mandatory rotation, complemented by a password manager and multi-factor authentication. Under NIS2, an up-to-date password policy is also a legal requirement.
Your employees obediently change their passwords every three months. They neatly add a capital letter, a number and an exclamation point. And yet your accountant’s password is probably “Summer2026!” Sound familiar? If so, your company is still working with password rules that have been considered obsolete since 2017. The science is clear: those rules pushed people toward predictable and therefore crackable behavior. This article tells you what a modern password policy looks like, why it frustrates your employees less and protects your business better, and how passkeys will eventually make the password obsolete.
Why the old password rules no longer work
For years, the same formula applied: a minimum of eight characters, at least one capital letter, one number and one special character, and mandatory changes every 90 days. In practice, that produced passwords like “Welcome01!” or “Company@2025.” Employees capitalize the first letter, replace an “a” with “@” or an “e” with “3,” and stick a number behind it. On the mandatory change, they simply increase the number. That pattern is trivially predictable to attackers with brute-force algorithms and word lists.
In July 2025, the National Institute of Standards and Technology (NIST) published the final version of SP 800-63B Revision 4, the international standard for authentication. The conclusions break radically with the old approach. Complexity requirements are no longer recommended because they lead to weaker behavior. Mandatory periodic rotation is abolished unless there is concrete evidence of compromise. Minimum length goes to 15 characters when a password is the only authentication factor. And every new password must be screened against databases of previously leaked login credentials.
Specifically, the password “P@ssw0rd123!” (12 characters, meets all the old rules) is weaker than “my-cat-jumps-over-the-table” (31 characters, no special character, but far more entropy because of its length). A password phrase that you can remember without a post-it is safer than a cryptic string that you increment with a counter every three months.
The three pillars of modern password management
A modern password policy rests on three interrelated pillars that reinforce each other.
Pillar 1: long password phrases. Set the minimum length to 15 characters and allow spaces. Encourage employees to come up with a random phrase that is meaningful to them but impossible for an outsider to guess. Abolish mandatory rotation: change passwords only when a data breach or compromise is suspected. Screen new passwords against lists of known leaked logins through services such as Have I Been Pwned.
Pillar 2: a business password manager. Even with strong password phrases, it is impossible to remember a unique password for every application. A password manager generates, stores and fills in unique passwords automatically. The result: employees only need to remember one strong master password. The software does the rest.
Pillar 3: multi-factor authentication (MFA). A password alone is insufficient. MFA adds a second layer of authentication, something you have (a smartphone or hardware key) or something you are (a fingerprint). Analysis from Microsoft shows that MFA stops 99.9% of automated attacks on accounts. Make MFA mandatory on all remote access points: email, VPN, cloud applications and all accounts with administrator privileges.
Important: MFA is not a panacea. Attackers are developing sophisticated techniques to circumvent MFA, from SIM swapping to real-time phishing with adversary-in-the-middle toolkits. A recent analysis of these techniques shows why phishing-resistant methods such as hardware keys and passkeys are preferable to SMS codes. But even an imperfect MFA is many times better than no MFA.
Password managers for businesses: what you need to know
A corporate password manager differs from a personal one. You need central management: visibility into who has access to what shared passwords, the ability to revoke access immediately when an employee leaves, and audit logs for compliance purposes.
The market offers several mature solutions. Open-source platforms offer maximum transparency and sometimes the ability to self-host. Commercial solutions often score on ease of use and integration with existing IT environments. For companies already working with Microsoft 365 Business Premium, basic functionality for password management and access security is built in through Entra ID.
When choosing a password manager, note these criteria: support for shared vaults by team or department, integration with your identity provider (such as Microsoft Entra ID), MFA protection on the vault itself, a clear offboarding process, and reporting capabilities for audits.
A common objection is the risk of a “single point of failure.” The LastPass breach of late 2022 illustrates that this risk is real: attackers stole encrypted vaults, and for users with weak master passwords, those vaults could be cracked. The lesson: your password manager’s master password should be a very long passphrase, and access to the manager itself should be secured with phishing-resistant MFA. A password manager is not a magic solution, but an essential part of a broader strategy.
Passkeys: the future without passwords
While strong password policies protect the present, the industry is building a future where passwords are no longer needed. Passkeys, based on the FIDO2/WebAuthn standard, represent the most promising alternative.
When creating a passkey, your device generates a cryptographic key pair. The public key goes to the server; the private key remains secure on your device, protected by biometrics (fingerprint or facial scan) or a PIN. At login, you prove possession of the private key. Because that key is never transmitted over the Internet, there is nothing to phish or steal via a server-side data breach.
Apple, Google and Microsoft now support passkeys in their ecosystems. For businesses, this means that employees can log in on their Windows laptop via Windows Hello or on their smartphone via Face ID without ever typing in a password. According to the FIDO Alliance, passkeys are 20% faster than traditional passwords, with a higher login success rate.
We are in a transition period. Not every application supports passkeys, and passwords continue to be required for legacy systems. The advice: activate passkeys where possible (start with Microsoft 365 and Google Workspace), but in parallel maintain a strong password policy for all other systems.
Password policy as an NIS2 requirement
For companies covered by the NIS2 law, an up-to-date password policy is not a casual recommendation but a legal requirement. Article 21 of the Belgian NIS2 law explicitly requires organizations to implement “cyber hygiene practices,” and access security is a core component of the CyberFundamentals framework.
In a compliance assessment, the auditor tests not only whether a paper policy exists, but also whether it is technically enforced. Specifically, expectations include: evidence that all default hardware passwords (firewalls, printers, routers) have been changed, a limited list of administrator accounts with MFA, logging of significant events such as failed login attempts, and a demonstrable process for revoking access when employees leave. Those preparing their cybersecurity audit would do well to update the password policy as one of the first documents.
Practical checklist: your password policy in six points
A modern password policy does not have to be complicated. These six points are the basics:
- Set the minimum password length to 15 characters and allow spaces.
- Abolish mandatory periodic rotation. Enforce a change only upon a presumption of compromise.
- Make MFA mandatory on all remote access and all administrator accounts.
- Make the use of the company’s chosen password manager mandatory for all corporate accounts.
- Explicitly prohibit the reuse of business passwords for private purposes.
- Define a procedure for onboarding (unique temporary password, mandatory change at first login) and offboarding (revoke access within a few hours, rotate shared passwords in the manager).
The investment in a business password manager and MFA deployment is limited and is also covered by the VLAIO cybersecurity grants. Small businesses get up to 45% back through the SME portfolio, and the VLAIO Improvement Program reimburses up to 50%.
Frequently asked questions about password policies
How long should a strong password be in 2026?
According to the NIST standard (SP 800-63B Rev.4), passwords that serve as the sole authentication factor must be at least 15 characters long. A password phrase of 20 or more characters with spaces is ideal. When combined with MFA, the minimum length may be lower, but longer always remains better.
Should I still require my employees to change their passwords regularly?
No. Both NIST and Microsoft advise against mandatory periodic rotation. Research shows this leads to predictable, weaker passwords. Mandate a change only when there is a suspected data breach, phishing incident or other compromise.
What is the difference between a passkey and a password?
A password is a string of characters that you memorize and type. A passkey is a cryptographic key pair where the private key stays on your device and you identify yourself via biometrics or a PIN. Because the private key is never sent, a passkey resists phishing and server-side data breaches.
Isn’t a password manager an added risk?
A password manager centralizes your login credentials, which can be a risk if the manager itself is compromised. You manage that risk by choosing a very strong master password (a long passphrase) and securing access to the manager with phishing-resistant MFA. The alternative, employees using the same password everywhere, is a much greater risk.
Does NIS2 require a specific password policy?
NIS2 does not prescribe a specific format, but Article 21 requires “cyber hygiene practices” and appropriate access security. The CCB’s CyberFundamentals framework concretizes this with controls around identity authentication, management of privileged accounts and changing default passwords. An auditor expects both a policy document and technical evidence that the policy is enforced.
Can I already use passkeys in my business?
Yes, in part. Microsoft 365, Google Workspace and a growing number of SaaS applications support passkeys. For legacy systems and applications without passkey support, passwords remain necessary. The advice is to enable passkeys where possible and maintain a strong password policy in parallel.
During a cybersecurity audit, Cyberplan also audits your password policies and access management. From the configuration of your password manager to the MFA settings in your Microsoft environment, you’ll get a clear picture of where your company stands and what improvements should be prioritized. Find out what an audit means for your business.