The Personal Data Protection Commission and the Cyber Security Agency of Singapore made the warning in a formal advisory posted on their websites on 26 June 2025.
“NRIC numbers should not be used as passwords to authenticate a person. This is because they are issued to uniquely identify a person and must be assumed to have been disclosed to at least a few other persons,” the advisory said.
“Organisations that are using full or partial NRIC numbers to authenticate persons should stop this practice as soon as possible. They should not set NRIC numbers as default passwords, nor should they use full or partial NRIC numbers together with other easily obtainable personal data for authentication.”
The advisory encouraged against using passwords that could be easily guessed, including those that contain information that can be obtained easily, such as names, NRIC numbers and birthdates, following a rise in data leaks in recent years.
Mayumi Soh, an expert in technology in the workplace at Pinsent Masons, said: “This new advisory reflects the Singapore government’s continued commitment to enhancing data protection by urging the private sector to use identity card numbers responsibly.”
“It is essential that businesses review their authentication protocols and adopt robust methods and solutions, such as multi-factor authentication or biometric verification,” she commented.
The move is part of a broader effort to enhance data security and prevent identity theft, and is especially relevant to private sector organisations, its IT and cybersecurity departments, and compliance officers responsible for ensuring adherence to the advisory, according to Soh.