Essential cookies only — Cookie Policy.

💼 SOP-07 — Work Password Policy Builder

Generate passwords & build your policy

Client-side only · Zero transmission
crypto.getRandomValues()

💼 workpassword.net — password generator

Standard16 chars
Admin20 chars
Cloud20 chars
Remote24 chars
Select account type and generate
Length: 16
✓ crypto.getRandomValues() — OS entropy
✓ Zero network requests
✓ Nothing stored

Compliance & Policy Panel

Cyber Essentials16 chars + all char classes — exceeds requirement
NCSC Small Business GuideMeets NCSC recommendations for standard accounts
NIST SP 800-63B 2025Exceeds 15-character minimum for standard accounts
ℹ️
MFA reminderCyber Essentials requires MFA or lockout on cloud & remote access accounts — password strength alone is not sufficient.

Ready-to-copy policy paragraph

Generate a password to see the policy paragraph.
Features

Everything a small business needs

🛡️

Cyber Essentials compliance

Live indicator checks your password settings against the Cyber Essentials technical requirements — no guesswork at assessment time.

📋

Policy paragraph generator

Copy a ready-made staff handbook paragraph, pre-configured to your settings, that documents your password policy for Cyber Essentials evidence purposes.

💼

Work-specific presets

Standard, Admin, Cloud, and Remote Access presets with appropriate length defaults for each account type — matching the threat level of each.

🔒

Client-side only

All generation uses crypto.getRandomValues(). Nothing transmitted. Suitable for generating credentials before adding to your business password manager.

Compliance Reference

Password requirements by standard

StandardMin lengthComplexityRotationMFA
Cyber EssentialsNot specified (8+ recommended)Not easily guessableOn compromise onlyRequired for cloud/remote
NCSC Small Business8+ standard, 14+ adminGenerated preferredOn compromise onlyStrongly recommended
NIST SP 800-63B 202515 charactersNo mandatory complexityOn compromise onlyRequired at AAL2+
ISO 27001:2022Policy-definedPolicy-definedRisk-basedRecommended for privileged
Work Password (default)16 standard / 20 adminAll 4 character classesOn compromise onlyImplement separately
Tools for Your Business

More ways to manage work passwords

👥

New Hire Password Kit

Pre-configure credentials for new employees before day one. Generate work passwords, prepare MFA setup instructions, and add them to your password manager — all aligned with Cyber Essentials onboarding requirements.

Generate Kit →
🔍

Audit Fix Mode

Found policy violations in your last compliance audit? Use the Policy Builder to generate replacement credentials that meet Cyber Essentials standards, then update your policy paragraph for the re-assessment. Document the fix.

Fix Audit Issues →
📋

Contract Password Clause

Generate a compliance-ready password security clause for your vendor contracts and supplier agreements. Includes Cyber Essentials requirements, MFA obligations, notification timelines, and off-boarding terms.

View Clause Guide →
The Business Case

Why password security is an SME priority

43%
of UK SMEs reported a cyberattack or breach in 2025
DCMS Cyber Security Breaches Survey 2025
£3,000
average cost of a cyber breach for a small business
DCMS Breaches Survey 2025
CE+
Cyber Essentials Plus required for UK government contracts
Cabinet Office
Free
NCSC Small Business Guide — guidance without a consultant
NCSC.gov.uk
Recommended Tools

Implement your password policy

Affiliate disclosure: Some links earn a commission at no cost to you. We only recommend tools suitable for UK SMEs. Full disclosure →

🗝️ Bitwarden Business

Open-source, independently audited. ~£5/user/month. Central admin console, shared collections, audit logging, and off-boarding workflows. Cyber Essentials compatible when configured with MFA.

Try Bitwarden →

1️⃣ 1Password Teams

Polished UI with excellent onboarding for non-technical teams. ~£7.50/user/month. Emergency Kit provides documented recovery process. Strong audit and access control features.

Try 1Password →

🛡️ Cyber Essentials via NCSC

The NCSC's free Cyber Essentials self-assessment tool and guidance documents — the definitive reference for UK SME security requirements. Start here before paying for assessment.

Cyber Essentials guide →
About

Written by an hobbyist with a keen interest in password security and online safety

Rachel Morris is an hobbyist with a keen interest in password security and online safety who has helped over 80 UK SMEs achieve Cyber Essentials and Cyber Essentials Plus certification. Her work focuses on making security requirements accessible to businesses without a dedicated IT security function — translating technical requirements into practical, cost-effective implementations.

All content aligns with the NCSC Small Business Guide, Cyber Essentials scheme, and NIST SP 800-63B 2025.

About Rachel Morris →
Trust Signals
Cyber Essentials alignedCompliance panel checked against current Cyber Essentials requirements.
Client-side generationcrypto.getRandomValues() only. Zero transmission. Nothing stored.
Primary sources citedNCSC, NIST, Cyber Essentials scheme documentation.
UK operatedKokal Operations Ltd, England & Wales. UK GDPR.

Portfolio

Specialist tools for every audience.

bestpasswordgenerator.orgStrength visualiser
🌿freestrongpassword.comBeginner wizard
instantpasswordgenerator.orgBulk generator
🔑ironvaultkeys.comEnterprise
FAQ

Common questions from SMEs

Cyber Essentials does not mandate a specific minimum, but requires passwords are not easily guessable and that account lockout or MFA is in place. The NCSC recommends 8+ chars for standard accounts, 14+ for admin. Work Password defaults to 16 (standard) and 20 (admin) — both exceed all current UK guidance.
The updated Cyber Essentials scheme effectively requires MFA for cloud services, remote access, and admin accounts. The technical control requirement — account lockout after max 10 attempts, or MFA — means MFA is the practical standard for internet-facing systems. Password strength alone is not sufficient for cloud and remote access accounts.
Only via a business password manager's shared vault — not email, Slack, spreadsheets, or Post-its. Shared credentials in uncontrolled media do not meet Cyber Essentials access control requirements because access cannot be revoked and there is no audit trail. Password managers provide all three.
No — current NCSC and NIST guidance advises against mandatory rotation schedules. Forced rotation produces predictable patterns (Password1!, Password2!) and results in weaker security. Change credentials immediately on compromise indication, on staff departures, and when a vendor reports a breach — not on a fixed calendar.
Bitwarden Business (~£5/user/month, open source, independently audited) and 1Password Teams (~£7.50/user/month, excellent onboarding) are recommended for most UK SMEs. Both are Cyber Essentials compatible when configured with MFA on the manager itself. See our team password manager guide →
Yes. All generation uses crypto.getRandomValues() — the browser's CSPRNG backed by OS hardware entropy. Nothing is transmitted to any server. Open DevTools → Network → Clear → Generate to verify zero requests. Use the generated password to populate your business password manager.
A ready-to-copy paragraph describing your password policy based on the current generator settings — suitable for inclusion in a staff handbook, IT policy document, or Cyber Essentials evidence pack. It includes the minimum length, character requirements, use of the company password manager, and change requirements.
A free resource from the UK NCSC covering five priority security actions for businesses without a dedicated IT team: software updates, strong separate passwords, two-factor authentication, backups, and malware protection. Available free at ncsc.gov.uk. The starting point for any UK SME's security posture.
Admin accounts need: longer passwords (20+ chars vs 16 for standard), a separate account from the daily-use account, mandatory MFA — FIDO2 hardware key preferred, admin credentials in a separate restricted vault, and activity logging. Use the Admin preset in the generator for correct defaults.
On their last day: revoke password manager access; change all shared credentials they had access to; disable email account and SSO login; revoke MFA tokens; retrieve or wipe company devices. Document this as a written off-boarding checklist — Cyber Essentials requires a defined process. See our HR security checklist →
Business Security Guides

Practical guides for SMEs

All guides →