Creating Strong Passwords: A Practical Guide for Small Business Security
- Canary Cyber Solutions
- Aug 19
- 3 min read
Updated: Sep 6
As a cybersecurity consultant who works closely with small and medium-sized businesses (SMBs), I often get asked the same question: What makes a strong password? While it may seem like a small detail, passwords are one of the most important lines of defense in your cybersecurity posture. And yet, they’re often the weakest link.
If you’re just getting started with cybersecurity, this post is for you. I’ll walk you through how to create strong passwords based on the latest guidance from NIST—the National Institute of Standards and Technology—and explain why your business needs a clear, documented password policy.
Why Passwords Matter
Passwords are the digital keys to your business. They control access to email, accounting software, client databases, HR systems, and more. Weak or reused passwords open the door to hackers, who can steal data, drain bank accounts, and cause major disruptions.

According to Verizon’s annual Data Breach Investigations Report, a large percentage of data breaches involve stolen or compromised credentials. The good news? Many of these incidents are preventable with better password practices.
What NIST Recommends for Strong Passwords
NIST's Digital Identity Guidelines (SP 800-63B) have been updated to reflect current cybersecurity risks and how people actually use passwords. Here are the key takeaways from the most recent recommendations:
1. Length Over Complexity
NIST recommends focusing on longer passwords rather than hard-to-remember combinations of symbols, numbers, and uppercase letters. A passphrase made up of several random words (e.g., “green-horse-stapler-ocean”) is both strong and easier to remember than something like “H!j9@X$k”.
- Aim for passwords of at least 12 characters; spaces are allowed and their use is encouraged.
- Use passphrases that are memorable but unpredictable.

2. Don’t Require Regular Changes
For years, password policies forced users to change passwords every 60 or 90 days. NIST now discourages this unless there’s a reason to believe a password has been compromised. Frequent changes often lead to weaker passwords or people writing them down. Just walk around your business and look for sticky notes stuck to monitors or under keyboards.
3. Screen for Compromised Passwords
Whenever possible, check new passwords against lists of credentials already exposed in data breaches. The most widely used source is Have I Been Pwned's Pwned Passwords database, which can be queried through its range API: your system sends only the first five characters of the password's SHA-1 hash and matches the rest of the hash locally against the candidates returned, so the password itself never leaves your environment.
4. Allow All Characters and Avoid Arbitrary Rules
NIST advises against restricting characters (like disallowing spaces or special symbols) or enforcing complexity requirements that frustrate users. Instead, allow full use of characters and let users choose strong, memorable passphrases.
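The following is an added example in Python, not code from the original post, that turns the four points above into one screening function: a length floor (the post's 12 characters), no composition rules, every character allowed including spaces, a check for context-specific words such as the company name, and a breach check using the Have I Been Pwned range lookup, where only the first five hex characters of the SHA-1 hash are sent. The range response embedded in `sample_range_body()` is constructed for the example; its extra suffixes and all of its counts are made up and are not real Pwned Passwords data.

```python
"""NIST SP 800-63B-style password screening (added example, not from the post).

Policy encoded here: a length floor (the post's 12 characters), a generous
length ceiling, no composition rules, every character allowed (spaces and
Unicode included), no context-specific words, and a check against known
breached passwords via the Have I Been Pwned range (k-anonymity) lookup,
where only the first 5 hex characters of the SHA-1 hash leave your network.
"""
import hashlib
import urllib.request

MIN_LENGTH = 12    # the post's recommended floor (NIST's own minimum is lower)
MAX_LENGTH = 128   # NIST says to accept at least 64; allow more, never less


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form Pwned Passwords uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple[str, str]:
    """Return (prefix, suffix). Only the 5-char prefix is sent to the API."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned for a hash prefix."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Match the local suffix against the candidates; 0 means not found."""
    _, suffix = split_for_range_query(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network; not called by the offline demo below)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-policy-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def check_password(password: str, range_body: str,
                   context_words: tuple[str, ...] = ()) -> list[str]:
    """Return the list of policy violations; an empty list means accepted.

    Note what is *not* here: no 'one uppercase, one digit, one symbol' rule
    and no character restrictions, per NIST.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    lowered = password.lower()
    for word in context_words:  # username, company name, product name, ...
        if word and word.lower() in lowered:
            problems.append(f"contains context-specific word '{word}'")
    hits = breach_count(password, range_body)
    if hits:
        problems.append(f"found in known breaches ({hits} times)")
    return problems


def sample_range_body() -> str:
    """Constructed stand-in for the API response to the prefix of 'password'.

    The two other suffixes and all counts are made up for the example; they
    are not real Pwned Passwords data.
    """
    _, pw_suffix = split_for_range_query("password")
    return "\n".join([
        "0" * 34 + "A:2",
        f"{pw_suffix}:1000000",
        "0" * 34 + "B:1",
    ])


if __name__ == "__main__":
    body = sample_range_body()
    for candidate in ["password", "green-horse-stapler-ocean",
                      "correct horse battery acme"]:
        verdict = check_password(candidate, body, context_words=("acme",))
        print(f"{candidate!r}: {verdict or 'OK'}")
```

In production you would replace `sample_range_body()` with `fetch_range(prefix)` for the prefix returned by `split_for_range_query`, and reject or warn on any non-zero count. Because only the prefix is transmitted, the lookup can be done from a web form's backend without the password ever reaching a third party.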
Document and Implement Password Standards
Having good password habits is great, but without documented standards, there’s no consistency—and no accountability. Every business, no matter the size, should implement a written password policy that outlines:
- Minimum password length (at least 12 characters; I recommend 16 or more)
- Use of passphrases rather than random character strings
- Multi-factor authentication (MFA) requirements
- Guidelines for storing passwords (e.g., never in plain text or on sticky notes)
- How to handle password resets and recoveries
- A schedule for reviewing and updating the policy
Once your policy is documented, it should be shared and explained to all employees. A short training session or onboarding guide can help reinforce the importance of following the standards.
Simple Tools Can Help
Consider using password managers like 1Password, Bitwarden, or LastPass. These tools generate and store complex passwords securely, so your team doesn’t have to remember them all. They also help reduce the temptation to reuse passwords across systems.

Wrapping It Up
Strong passwords are the foundation of your business’s cybersecurity posture. By following NIST’s modern, user-friendly guidelines and putting a documented password policy in place, you can drastically reduce your risk of attack. It’s a simple step with a big impact—one every SMB can take today.