What does Cyber Essentials require for passwords?

Cyber Essentials requires that all accounts protected by passwords use credentials that are not the default, are not easy to guess, and are changed if there is any indication of compromise. The scheme also requires technical controls: account lockout after a maximum of 10 failed attempts, or MFA. Passwords must be changed when there is any indication of compromise. The current guidance does not mandate specific length or complexity requirements but strongly discourages default credentials and predictable patterns.

Does Cyber Essentials require two-factor authentication?

Cyber Essentials Plus and the updated Cyber Essentials scheme both strongly recommend MFA, particularly for remote access accounts, cloud services, and administrator accounts. The technical control requirement — either account lockout or MFA — effectively means organisations should implement both, as lockout alone is insufficient protection for internet-accessible services. From 2022 onwards, Cyber Essentials assessors increasingly expect MFA on cloud services and remote access.

Can we use the same password for multiple work systems?

No — Cyber Essentials and basic security hygiene both require that credentials are not reused across systems. A compromise of one service (a SaaS vendor breach, for example) should not give an attacker access to other systems. The practical solution for most SMEs is a business password manager where each team member has individual credentials and the organisation maintains access control over shared accounts.

What is the penalty for failing Cyber Essentials?

Cyber Essentials is a voluntary certification, so there is no direct regulatory penalty for failing or not pursuing it. However, Cyber Essentials is required for UK government contracts, and many larger enterprise customers require their SME suppliers to hold the certification. Additionally, Cyber Essentials Plus insurance benefits may be contingent on holding the certification. Failing to meet the password controls would result in certification being denied or suspended.

What tools does Cyber Essentials accept for password management?

Cyber Essentials does not mandate specific tools. Any business password manager that provides individual encrypted vaults, access controls, and audit logging is appropriate — 1Password Teams, Bitwarden Business, Dashlane Business, and Keeper Business are all used by Cyber Essentials-certified organisations. The key requirements are: generated passwords (not user-chosen), unique per system, accessible only to authorised users, and with a defined off-boarding process for departing staff.

Cyber Essentials Password Requirements for SMEs

Cyber Essentials is the UK government's baseline cybersecurity certification, required for government contracts and increasingly expected by enterprise customers. Password controls are one of the five technical control areas assessed. Understanding exactly what is required — and what common approaches fail the assessment — prevents surprises at certification time.

The Five Technical Controls — Password Requirement

Cyber Essentials assesses five control categories: firewalls, secure configuration, access control, malware protection, and patch management. The password requirements fall under Access Control. Specifically, assessors check:

No default credentials: All default passwords on all devices, services, and accounts must have been changed before deployment
No easily guessable passwords: Technical controls must prevent or detect weak password choices — typically via a business password manager that enforces generated passwords
Account lockout or MFA: After a maximum of 10 failed login attempts, either the account must lock out, or MFA must be enabled — or both
Privileged account security: Administrator accounts must use strong, unique credentials — ideally enforced by a PAM (Privileged Access Management) solution or at minimum a password manager
Off-boarding process: Accounts and credentials for departing staff must be disabled or changed promptly — assessors will ask about your process

Common Compliance Failures

Common approach	Compliant?	Issue
Shared team password in a spreadsheet	✗ No	No access control, no audit log, no off-boarding mechanism
Router/firewall with default password	✗ No	Default credentials explicitly prohibited
Individual email accounts, no MFA	⚠ Risk	Account lockout required; cloud email without MFA is high-risk
Business password manager, MFA on email	✓ Yes	Meets access control requirements
Passwords in browser autofill only	⚠ Risk	No access control, no audit trail — borderline

The Minimum Compliant Setup

For most SMEs, the minimum compliant password posture is: a business password manager (Bitwarden Business, 1Password Teams) where all staff have individual vaults; MFA enabled on all cloud services (Microsoft 365, Google Workspace, CRM); all devices have changed default admin passwords; and a written off-boarding checklist for leavers. The Work Password Policy Builder generates a compliant policy paragraph you can add to your staff handbook.

NCSC SME guidance: The NCSC Small Business Guide covers password management as a priority action, alongside MFA and software updates. Both resources are free and written for non-technical business owners.

Cyber Essentials SME password policy NCSC compliance

For informational purposes only. Consult a qualified IT security professional for advice specific to your organisation.

Password Security for Remote Workers →