
Cyber Essentials Password Requirements — NCSC-Compliant 2026 Guide

Everything your SME needs to know about Cyber Essentials password controls: what the scheme requires, how NCSC guidance aligns, and how to meet both without a dedicated IT security team. Includes MFA requirements, password manager setup, and a ready-to-copy policy paragraph.

What Is Cyber Essentials?

Cyber Essentials is a UK government-backed certification scheme administered by the National Cyber Security Centre (NCSC). It defines a baseline set of security controls designed to protect organisations — particularly small and medium enterprises — against the most common internet-based threats.

The scheme covers five technical controls: boundary firewalls, secure configuration, access control (including passwords), malware protection, and patch management. Password controls fall under access control and are one of the most frequently assessed requirements.

There are two certification levels: Cyber Essentials (self-assessment, ~£300) and Cyber Essentials Plus (independently tested, ~£800–1,500). Both require the same password controls on paper, but Plus includes automated testing.

Cyber Essentials Password Requirements

The scheme does not mandate a specific password length or complexity formula. Instead, it requires that (these requirements are restated in the FAQ below):

  1. All accounts use credentials that are not default and not easily guessable.
  2. Credentials are changed on any indication of compromise.
  3. Passwords are unique per system; reuse across services is not compliant.
  4. Technical controls lock the account after a maximum of 10 failed attempts, or MFA is in place.
  5. For cloud services, remote access, and administrator accounts, MFA is the expected standard.

Practical interpretation: for most SMEs, meeting these requirements means using a business password manager to generate and store unique passwords per system, enforcing MFA on all cloud and remote access accounts, configuring account lockout on internal systems, and documenting the policy in your staff handbook.

NCSC Password Guidance

The NCSC Small Business Guide provides practical password recommendations that align with and support Cyber Essentials compliance (detailed in the FAQ below):

  1. Use strong and separate passwords for each important account (email, banking, cloud services).
  2. Generate passwords rather than choosing them, or use three random words as a mnemonic technique.
  3. Do not force periodic rotation, which leads to weaker passwords; change passwords on indication of compromise instead.
  4. Use a password manager for all accounts.

MFA and Cyber Essentials

Multi-factor authentication is effectively required for cloud services, remote access accounts, and administrator accounts under the updated Cyber Essentials scheme (2022 onwards). The technical control requirement — account lockout after a maximum of 10 failed attempts, or MFA — means that for internet-facing systems, MFA is the practical standard.

Password strength alone is not sufficient for cloud and remote access accounts. The combination of a strong generated password and MFA is what Cyber Essentials assessors expect.

For admin accounts, FIDO2 hardware security keys (YubiKey, Google Titan) are the gold standard, but TOTP authenticator apps are acceptable for most SMEs.

How Work Password Helps You Comply

Work Password is a free, client-side password generator and policy builder designed specifically for Cyber Essentials and NCSC compliance. Here is how it maps to the scheme requirements:

| Standard | Min length | MFA | Rotation | Password manager |
|---|---|---|---|---|
| Cyber Essentials | Not specified (8+ recommended) | Required for cloud/remote | On compromise only | Effectively required |
| NCSC Small Business | 8+ standard, 14+ admin | Strongly recommended | On compromise only | Recommended |
| NIST SP 800-63B 2025 | 15 characters | Required at AAL2+ | On compromise only | Not specified |
| Work Password (default) | 16 standard / 20 admin | Implement separately | On compromise only | Integrated workflow |

Preparing for Your Cyber Essentials Assessment

When preparing your password controls for a Cyber Essentials assessment, focus on these five actions:

  1. Deploy a business password manager — Bitwarden Business or 1Password Teams are recommended for UK SMEs. Configure shared vaults with access controls and audit logging.
  2. Enable MFA on all cloud services, remote access, and admin accounts. Use authenticator apps or hardware security keys.
  3. Document your password policy — use the Work Password Policy Builder to generate a compliant policy paragraph. Include it in your staff handbook.
  4. Configure account lockout on all internal systems — 5 failed attempts before temporary lockout is a good threshold below the 10-attempt maximum.
  5. Define an off-boarding process — document how credentials are revoked when staff leave, including password manager deprovisioning and shared credential rotation.

One-hour compliance check: most SMEs can review and update their password controls in under an hour using the Work Password Policy Builder.
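To make steps 2 and 4 concrete, here is an added example (not code from Work Password or the Cyber Essentials scheme) of a per-account temporary lockout set at the recommended 5 failed attempts, plus a checker that tests a hypothetical settings dict against the controls listed on this page: lockout at no more than 10 attempts or MFA, MFA on internet-facing and admin accounts, and the NCSC minimum lengths of 8 (standard) and 14 (admin). The settings keys (`lockout_threshold`, `mfa`, `min_length`, `role`, `internet_facing`) are assumed names for illustration.

```python
import time

# Figures from the page: lockout at no more than 10 failed attempts (or MFA),
# 5 recommended; NCSC minimum lengths 8 (standard) and 14 (admin).
CE_MAX_FAILED_ATTEMPTS = 10
MIN_LENGTH = {"standard": 8, "admin": 14}

class LoginThrottle:
    """Temporary per-account lockout after `threshold` consecutive failures."""
    def __init__(self, threshold=5, lockout_seconds=900, clock=time.time):
        self.threshold, self.lockout_seconds, self.clock = threshold, lockout_seconds, clock
        self._failures = {}      # account -> consecutive failure count
        self._locked_until = {}  # account -> time at which the lock expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:  # lock expired: clear state, allow fresh attempts
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account):
        """Count a failed login; return True if the account is (now) locked."""
        if self.is_locked(account):
            return True
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= self.threshold:
            self._locked_until[account] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, account):
        """A successful login resets the consecutive-failure counter."""
        self._failures.pop(account, None)

def check_access_control(settings):
    """Findings for a hypothetical settings dict (keys: lockout_threshold, mfa,
    min_length, role, internet_facing); an empty list means no gap found."""
    findings, role = [], settings.get("role", "standard")
    threshold = settings.get("lockout_threshold")
    if not settings.get("mfa") and (threshold is None or threshold > CE_MAX_FAILED_ATTEMPTS):
        findings.append("lockout threshold must be 10 attempts or fewer, or MFA enforced")
    if (settings.get("internet_facing") or role == "admin") and not settings.get("mfa"):
        findings.append("MFA expected on cloud, remote access and admin accounts")
    if settings.get("min_length", 0) < MIN_LENGTH[role]:
        findings.append(f"minimum length below NCSC figure for {role} accounts")
    return findings
```

The injectable clock lets the lockout expiry be exercised without waiting 15 minutes; a real deployment would also log each lockout event for the assessor's evidence trail.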

Cyber Essentials in Numbers

Why compliance matters for UK SMEs:

  1. 43% of UK SMEs experienced a cyber breach in 2025 (DCMS Breaches Survey 2025).
  2. Cyber Essentials Plus is required for UK government contracts (Cabinet Office mandate).
  3. ~£300 is the average cost of Cyber Essentials certification (IASME Consortium).
  4. The NCSC Small Business Guide is free and needs no consultant (NCSC.gov.uk).

Cyber Essentials Password Requirements — FAQ

Cyber Essentials requires that all accounts use credentials that are not default, not easily guessable, and changed on any indication of compromise. Technical controls require account lockout after a maximum of 10 failed attempts, or MFA. For cloud services, remote access, and admin accounts, MFA is the expected standard. Passwords should be unique per system — reuse across services is not compliant.

Cyber Essentials does not explicitly mandate a password manager by name, but the requirement for access control, unique passwords per system, and the ability to revoke access on staff departure effectively requires one for any organisation with more than a handful of accounts. A business password manager provides shared vaults with access controls, audit logging, centralised off-boarding, and breach monitoring — all of which support Cyber Essentials compliance.

The NCSC Small Business Guide recommends: using strong and separate passwords for each important account (email, banking, cloud services), generating passwords rather than choosing them, and using three random words as a mnemonic technique. The NCSC also advises against mandatory periodic rotation (which leads to weaker passwords) and recommends a password manager for all accounts. These align with and inform the Cyber Essentials controls.

Document your password policy covering: minimum length (NCSC recommends 8+ standard, 14+ admin), unique passwords per system, use of a business password manager, MFA on all cloud and remote access accounts, off-boarding procedures for credential revocation, and a change-on-compromise rule. The assessor will look for evidence that the policy is enforced, not just written. The Work Password Policy Builder generates a ready-to-copy policy paragraph aligned with these requirements.

Cyber Essentials (self-assessment): you declare that your password controls meet the requirements. Cyber Essentials Plus (independently tested): an assessor performs technical tests including trying default passwords on network devices, testing MFA, and verifying password controls on internet-facing services. For credentials, Plus includes automated password guessing tests. Both require the same password controls on paper, but Plus verifies that they are actually implemented.