
By Takanori Nishiyama, Senior Vice President of APAC & Japan Country Manager, Keeper Security
Singapore’s latest advisory discouraging businesses from using national registration identity card (NRIC) numbers as passwords is a move in the right direction. While the intention behind using such numbers, especially their last four digits, was once to simplify verification, this practice now creates more risk than convenience. As organizations pursue digital transformation, our security mindset must evolve too.
Weak by design: What makes a bad password?
Passwords like identity numbers, birthdates, or sequential digits may feel familiar, but they are incredibly easy for attackers to guess or breach. Publicly available personal data and credential-stuffing techniques have rendered such passwords obsolete, if not outright dangerous. A bad password is anything predictable, reused, or tied to a user’s identity.
What is a strong password—and is that enough?
Strong passwords are long and complex: at least 16 characters, mixing upper- and lowercase letters with numbers and symbols. But even these have limitations. As password fatigue sets in, users are likely to recycle even the strongest credentials. That’s why a zero-trust and zero-knowledge password manager is essential for enterprises that want both security and usability. A secure password manager will generate and store unique passwords for every account, eliminating the risk of password spraying attacks, in which cybercriminals use compromised credentials to access other accounts that use the same password.
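The criteria in the two sections above (nothing predictable, reused, or tied to identity; at least 16 characters with all four character classes) can be enforced when a password is set. The following is an added example, not code from the article or from Keeper Security; the function names, the NRIC layout check, the list of identity-derived tokens, and the sample values are assumptions made for illustration.

```python
import re

# Assumed layout: prefix letter, seven digits, checksum letter (format check only).
NRIC_RE = re.compile(r"^[STFGM]\d{7}[A-Z]$")

def identity_tokens(nric, birthdate):
    """Lowercased substrings derived from identity data; birthdate is 'YYYY-MM-DD'."""
    nric = nric.upper()
    if not NRIC_RE.match(nric):
        raise ValueError("unexpected NRIC format")
    digits = nric[1:8]
    y, m, d = birthdate.split("-")
    return {
        nric.lower(), digits,
        digits[-4:],        # last four digits
        nric[-4:].lower(),  # last four characters, checksum letter included
        y + m + d, d + m + y, d + m + y[2:], y[2:] + m + d, d + m,
    }

def has_digit_run(pw, run=4):
    """True if pw holds `run` ascending, descending, or repeated digits in a row."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        if chunk.isascii() and chunk.isdigit():
            steps = {int(b) - int(a) for a, b in zip(chunk, chunk[1:])}
            if steps in ({1}, {-1}, {0}):
                return True
    return False

def screen_password(pw, nric, birthdate, previously_used=()):
    """Return a sorted list of rejection reasons; an empty list means pw passes."""
    problems = set()
    if len(pw) < 16:
        problems.add("too_short")
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    if not all(re.search(c, pw) for c in classes):
        problems.add("missing_character_class")
    low = pw.lower()
    if any(tok in low for tok in identity_tokens(nric, birthdate)):
        problems.add("identity_derived")
    if has_digit_run(pw):
        problems.add("sequential_digits")
    if pw in previously_used:  # simplification: real systems compare against stored hashes
        problems.add("reused")
    return sorted(problems)

# Constructed sample values, not real identity data.
if __name__ == "__main__":
    print(screen_password("Summer-15031990-Go!", "S1234567D", "1990-03-15"))
```

The second call pattern worth noting is a password that satisfies length and complexity yet still embeds a birthdate or NRIC tail: it passes a naive complexity check but is rejected here as identity-derived.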
Better than passwords: Toward modern access security
Modern organizations must embrace passwordless solutions such as passkeys, biometrics, and time-bound one-time access links. These methods reduce reliance on static credentials and enhance identity verification. But technology alone isn’t the answer—an organization’s security architecture matters.
A zero-trust model ensures that no one, not even an internal user, is trusted by default. Every access request is verified, audited, and encrypted. This is essential in today’s hybrid cloud environments and highly regulated sectors.
Guarding the front and back doors
Retailers, insurers, financial services, and even government agencies must think holistically: How do we protect both visitors (e.g., customers, applicants) and insiders (e.g., employees, contractors)? The answer lies in centralized, scalable privileged access management (PAM) tools, secure password vaults, and real-time breach monitoring.
From reactive to resilient
The NRIC advisory is not just about passwords—it’s about trust. Citizens must trust that their data is handled responsibly. Businesses must trust that their infrastructure is secure. The shift away from static identifiers like NRICs must be followed by action:
- Mandating strong, unique credential practices
- Implementing password managers and PAM platforms
- Investing in ongoing cyber hygiene training
Cybersecurity is no longer a “best practice”—it is a business necessity and a national responsibility. Organizations must move beyond compliance checklists and use this moment to accelerate real reforms in identity and access security.