🇬🇧 Cyber Essentials Password Requirements: UK Business Compliance Guide for 2026
What Is Cyber Essentials?
Cyber Essentials is a UK government-backed cybersecurity certification scheme, managed by the National Cyber Security Centre (NCSC) and delivered through the IASME Consortium. It sets out five technical controls that organisations must implement to protect themselves against the most common internet-borne cyber threats — with password management being one of the core requirements.
The scheme has two levels: Cyber Essentials (self-assessment) and Cyber Essentials Plus (independently verified). Both levels require the same password controls on paper, but Cyber Essentials Plus includes hands-on technical verification by a certifying body. For UK businesses bidding on government contracts, Cyber Essentials certification is mandatory for most central government procurement.
In 2025, over 200,000 UK organisations held Cyber Essentials certification — and the scheme continues to grow as more supply chains, insurers, and procurement teams require it as a baseline security standard. Certification costs range from £300-500 for a standard self-assessment (depending on certifying body) and £1,200-2,500 for Cyber Essentials Plus with technical audit.
Password Requirements in the Cyber Essentials Framework
Cyber Essentials structures password requirements under its core control — Secure Configuration — which covers how user accounts, administrative access, and authentication are managed across your organisation. The specific password requirements map to the IASME Cyber Essentials Requirements document (version 3.1, effective from March 2025).
1. Unique User Accounts
Every user must have their own individual account. Shared accounts, generic administrator accounts, and group logins are not permitted. This requirement ensures that all access is attributable to a specific individual — making audit trails meaningful and incident response actionable. Service accounts used by applications are exempt but must use strong, managed passwords stored in a secure vault.
2. Strong Password Policy
Your organisation must have a documented password policy that reflects good practice. While Cyber Essentials does not mandate a specific minimum length (unlike PCI-DSS v4.0's 12-character requirement), the NCSC's Password Guidance recommends:
- Minimum 12 characters for user-chosen passwords
- No mandatory complexity rules — length over character variety
- No periodic rotation — only change passwords on evidence of compromise
- Password managers encouraged for generating and storing passwords
For alignment with the 2025 revision of NIST SP 800-63B, 8 characters meets the technical baseline, but 12 characters is the practical recommendation for UK businesses pursuing certification.
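The policy above (length over complexity, a banned-word check instead of rotation) can be expressed as an acceptance test. The following PowerShell function is an added example, not code from the article or from NCSC/IASME; the banned list and the character-substitution table are constructed for illustration, and a production deployment would use a breach-derived list such as the one Azure AD Password Protection maintains.

```powershell
# Added example: a password acceptance check in the NCSC / NIST SP 800-63B style.
# It enforces a minimum length, rejects known-bad passwords after normalising
# common substitutions, and imposes no composition or expiry rules.

# Constructed sample banned list (assumption); replace with a breach-derived list.
$Script:BannedPasswords = @('password', 'welcome', 'letmein', 'qwerty', 'summer2024', 'contoso')

function ConvertTo-NormalisedPassword {
    # Fold common substitutions so "P@ssw0rd2025!" is compared as "password".
    # The substitution table is illustrative, not any vendor's exact table.
    param([Parameter(Mandatory)][string]$Password)
    $normalised = $Password.ToLowerInvariant()
    $map = @{ '@' = 'a'; '4' = 'a'; '$' = 's'; '5' = 's'; '0' = 'o'; '1' = 'i'; '3' = 'e'; '7' = 't' }
    foreach ($key in $map.Keys) { $normalised = $normalised.Replace($key, $map[$key]) }
    # Drop trailing digits/punctuation such as an appended year or "!".
    return ($normalised -replace '[^a-z]+$', '')
}

function Test-PasswordAgainstPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Password,
        [int]$MinimumLength = 12,    # NCSC recommendation for user-chosen passwords
        [int]$MaximumLength = 128,   # allow passphrases; cap only to bound hashing cost
        [string[]]$BannedList = $Script:BannedPasswords
    )
    $failures = @()
    if ($Password.Length -lt $MinimumLength) { $failures += "shorter than $MinimumLength characters" }
    if ($Password.Length -gt $MaximumLength) { $failures += "longer than $MaximumLength characters" }

    $normalised = ConvertTo-NormalisedPassword -Password $Password
    foreach ($banned in $BannedList) {
        if ($normalised.Contains($banned)) {
            $failures += "contains banned term '$banned'"
            break
        }
    }
    # Deliberately absent: no upper/lower/digit/symbol requirement and no expiry date.
    [pscustomobject]@{
        Accepted = ($failures.Count -eq 0)
        Reasons  = $failures
    }
}

# Usage: the first is rejected (banned word despite its length and symbols), the second accepted.
Test-PasswordAgainstPolicy -Password 'P@ssw0rd2025!'
Test-PasswordAgainstPolicy -Password 'correct horse battery staple'
```

The normalisation step is what makes a banned list useful: without it, "P@ssw0rd2025!" satisfies every legacy complexity rule while being one of the first guesses in a credential-stuffing run.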
3. No Default Passwords
All default passwords on networked devices — firewalls, routers, switches, printers, servers — must be changed before deployment. This is the most common finding in failed Cyber Essentials assessments. Many organisations deploy a new firewall that uses a known default password, passing the self-assessment but failing the technical verification in Cyber Essentials Plus.
4. Administrative Access Controls
Administrator accounts must use multi-factor authentication for internet-facing services. For on-premises admin access where MFA is not technically feasible, strong unique passwords and strict access controls must apply. Administrative accounts should not be used for day-to-day activities — the principle of least privilege applies.
5. Password Manager Encouragement
The IASME Cyber Essentials framework explicitly references password managers as good practice. They solve the fundamental tension in password policy: users cannot remember 20+ unique 12-character passwords, but password reuse makes credential stuffing inevitable. A password manager that generates and stores strong passwords is the recommended solution.
Cyber Essentials vs Cyber Essentials Plus Password Differences
The password requirements are identical between the two levels. The difference is verification:
- Cyber Essentials (self-assessment): You complete a questionnaire and provide a signed declaration that your organisation meets the requirements. For password controls, you state that you have a policy in place and that it is enforced. There is no external verification of the policy itself.
- Cyber Essentials Plus (verified): A certifying body visits your premises or connects remotely to perform technical verification. They check that default passwords have been changed, that user accounts are individually assigned, that administrative access is controlled, and that your password policy is actually enforced — not just documented.
Practical difference: Many organisations pass the self-assessment but fail Cyber Essentials Plus because their password policy exists on paper but is not technically enforced — for example, a policy requiring 12-character passwords but Active Directory allowing 8-character passwords. If you plan to pursue Cyber Essentials Plus, enforce your policy technically before the assessment.
How to Implement Cyber Essentials Password Controls in Practice
For Microsoft 365 and Azure AD Organisations
Microsoft 365 includes built-in controls that map directly to Cyber Essentials requirements:
- Azure AD Password Protection: Blocks over 1,000 commonly compromised passwords and can be extended with custom banned password lists matching your industry
- Conditional Access: Enforce MFA for all administrative accounts and require specific MFA methods for different user groups
- Password policy: Set minimum password length through domain policy or Azure AD settings
- Cloud Kerberos trust: Passwordless authentication via Windows Hello for Business or FIDO2 security keys
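The Conditional Access item above is the control that turns "MFA for internet-facing administrative access" into something an assessor can verify. The script below is an added example using the Microsoft Graph PowerShell SDK; it is not code from the article or from Microsoft. The role names, the break-glass UPN and the policy display name are assumptions to adapt to your tenant, and the policy is created in report-only mode so sign-in logs can be reviewed before enforcement.

```powershell
# Added example: require MFA for privileged directory roles via Conditional Access.
# Requires the Microsoft.Graph PowerShell SDK and an account allowed to manage CA policies.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Users

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All',
                        'RoleManagement.Read.Directory', 'User.Read.All'

# Placeholder (assumption): the emergency-access account excluded so a broken MFA
# provider cannot lock every administrator out of the tenant.
$BreakGlassUpn = 'breakglass@example.com'
$breakGlassId  = (Get-MgUser -UserId $BreakGlassUpn).Id

# Resolve role template IDs by display name rather than hard-coding GUIDs.
$adminRoleNames = @(
    'Global Administrator', 'Privileged Role Administrator', 'Security Administrator',
    'Exchange Administrator', 'SharePoint Administrator', 'User Administrator'
)
$roleIds = Get-MgDirectoryRoleTemplate |
    Where-Object { $adminRoleNames -contains $_.DisplayName } |
    Select-Object -ExpandProperty Id

if ($roleIds.Count -ne $adminRoleNames.Count) {
    throw "Resolved $($roleIds.Count) of $($adminRoleNames.Count) role templates; check the role names."
}

$policy = @{
    displayName = 'CE - Require MFA for administrative roles'
    state       = 'enabledForReportingButNotEnforced'   # change to 'enabled' after reviewing report-only results
    conditions  = @{
        users = @{
            includeRoles = $roleIds
            excludeUsers = @($breakGlassId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy '$($created.DisplayName)' ($($created.Id)) in state $($created.State)"
```

Scoping the policy to role template IDs rather than a named group means a newly assigned administrator is covered the moment the role is granted, which is the property an assessor checks when they ask how the policy is enforced rather than documented.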
For Google Workspace Organisations
Google Workspace Admin Console provides:
- Minimum password length enforcement (up to 100 characters)
- Password strength enforcement (can require mixed character types)
- MFA enforcement through Security policies
- Account recovery verification settings
For On-Premises Active Directory
Group Policy remains the primary enforcement mechanism:
- Set minimum password length under Computer Configuration → Windows Settings → Security Settings → Account Policies → Password Policy
- Enable "Password must meet complexity requirements" only as a transitional measure — move toward length-based policies
- Use Fine-Grained Password Policies (FGPP) to apply different policies to privileged vs standard accounts
- Remove mandatory password expiry (set to 0 = never expires) per NIST and NCSC guidance
- Audit with PingCastle or Purple Knight to identify weak passwords and shared accounts before assessment
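The Group Policy steps above can be expressed as Fine-Grained Password Policies so that privileged and standard accounts get different settings without touching the Default Domain Policy. The script below is an added example, not code from the article; it assumes the ActiveDirectory module on a domain-joined admin workstation, and the PSO names, lengths and group names are assumptions for a typical domain.

```powershell
# Added example: create length-based, no-expiry Fine-Grained Password Policies
# for privileged and standard accounts, then verify what was stored.
Import-Module ActiveDirectory

# Assumed values: adjust names, lengths and target groups to your documented policy.
$policies = @(
    @{ Name = 'PSO-Privileged'; Precedence = 10; MinLength = 15; Subjects = @('Domain Admins', 'Tier0-Admins') },
    @{ Name = 'PSO-Standard';   Precedence = 50; MinLength = 12; Subjects = @('Domain Users') }
)

foreach ($p in $policies) {
    $existing = Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($p.Name)'"
    if (-not $existing) {
        $params = @{
            Name                            = $p.Name
            Precedence                      = $p.Precedence        # lower number wins when several PSOs apply
            MinPasswordLength               = $p.MinLength
            MaxPasswordAge                  = [TimeSpan]::Zero     # assumption: zero is stored as "never"; checked below
            MinPasswordAge                  = [TimeSpan]::FromDays(1)
            PasswordHistoryCount            = 24
            ComplexityEnabled               = $false               # length, not character classes (NCSC)
            ReversibleEncryptionEnabled     = $false
            LockoutThreshold                = 10
            LockoutDuration                 = [TimeSpan]::FromMinutes(15)
            LockoutObservationWindow        = [TimeSpan]::FromMinutes(15)
            ProtectedFromAccidentalDeletion = $true
        }
        New-ADFineGrainedPasswordPolicy @params
    }
    foreach ($subject in $p.Subjects) {
        if (Get-ADGroup -Filter "Name -eq '$subject'") {
            Add-ADFineGrainedPasswordPolicySubject -Identity $p.Name -Subjects $subject
        } else {
            Write-Warning "Group '$subject' not found; PSO $($p.Name) was not applied to it."
        }
    }
}

# Verification: this is the output to keep as evidence for the assessment.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, ComplexityEnabled, LockoutThreshold, AppliesTo |
    Format-Table -AutoSize
```

Keep the verification output: a PSO that is created but never linked to a subject group, or that loses to a lower-precedence PSO, is exactly the kind of "documented but not enforced" gap the Plus assessment finds.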
Aligning Cyber Essentials with NIST and ISO 27001
If your organisation holds or pursues multiple certifications, the password requirements across Cyber Essentials, NIST SP 800-63B, and ISO 27001 are largely compatible. The key differences are:
- NIST SP 800-63B: Most prescriptive on password rules (minimum 8 characters, no rotation, breach checking). Cyber Essentials aligns fully with these recommendations.
- ISO 27001 Annex A 5.17: Requires a documented password policy but does not specify exact parameters. Cyber Essentials provides the practical implementation guidance that ISO 27001's controls framework leaves open.
- Cyber Essentials: Adds the specific requirement for no default passwords and unique user IDs — controls that are implicit in ISO 27001 but explicitly verified in the UK certification scheme.
See our detailed guides on NIST SP 800-63B 2025, ISO 27001 password controls, and PCI-DSS v4.0 password requirements for cross-standard alignment.
Common Certification Gaps and How to Avoid Them
Based on IASME assessment data and GRC practitioner experience, these are the most common password-related gaps that cause Cyber Essentials Plus failures:
- Default passwords on network equipment: Printers, switches, and Wi-Fi access points are the most overlooked devices. Conduct a physical inventory of all networked devices and change every default password before assessment.
- Generic admin accounts: Administrator, Admin, or root accounts shared across the IT team. Each administrator must have their own named account with individual credentials.
- Password policy not enforced: A written policy requiring 12-character passwords is meaningless if Active Directory allows 8-character passwords. Verify technical enforcement matches documented policy.
- Service account passwords not rotated: Application service accounts and scheduled task credentials often use weak, unchanging passwords. Implement a managed service account (gMSA) or a secure vault rotation schedule.
- MFA not applied to internet-facing admin portals: Even if MFA is in place for user logins, administrative portals (M365 admin centre, cloud console, domain registrar) must also be protected.
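Most of the gaps in this list can be found in advance with a read-only query of the directory. The script below is an added example, not code from the article or from IASME; it assumes the ActiveDirectory module, and the documented-policy values, the generic-name pattern, the staleness window and the Domain Admins threshold are assumptions to adjust for your organisation.

```powershell
# Added example: read-only pre-assessment audit of an on-premises AD domain for
# policy-enforcement gaps, generic or shared admin accounts, and stale service accounts.
Import-Module ActiveDirectory

# Assumed documented policy and thresholds.
$DocumentedMinLength  = 12
$DocumentedExpiryDays = 0      # 0 = no forced rotation (NCSC / NIST)
$GenericNamePattern   = '^(admin|administrator|root|shared|itadmin|helpdesk|service|test)\d*$'
$StaleServicePwdYears = 2
$MaxDomainAdmins      = 10

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Control, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Control = $Control; Detail = $Detail })
}

# 1. Policy as enforced versus policy as written (the gap that fails CE Plus).
$default = Get-ADDefaultDomainPasswordPolicy
if ($default.MinPasswordLength -lt $DocumentedMinLength) {
    Add-Finding 'Policy enforcement' "Default domain policy allows $($default.MinPasswordLength)-character passwords; documented minimum is $DocumentedMinLength."
}
if ($default.MaxPasswordAge.TotalDays -ne $DocumentedExpiryDays) {
    Add-Finding 'Policy enforcement' "Default domain policy forces expiry every $($default.MaxPasswordAge.TotalDays) days; documented policy is $DocumentedExpiryDays."
}
Get-ADFineGrainedPasswordPolicy -Filter * |
    Where-Object { $_.MinPasswordLength -lt $DocumentedMinLength } |
    ForEach-Object { Add-Finding 'Policy enforcement' "PSO $($_.Name) (precedence $($_.Precedence)) allows $($_.MinPasswordLength)-character passwords." }

# 2. Generic or shared administrative identities.
$enabledUsers = Get-ADUser -Filter 'Enabled -eq $true' -Properties SamAccountName, PasswordNeverExpires, PasswordLastSet, SID
$enabledUsers | Where-Object { $_.SamAccountName -match $GenericNamePattern } | ForEach-Object {
    Add-Finding 'Unique accounts' "Enabled account '$($_.SamAccountName)' has a generic name; each person needs a named account."
}
$builtinAdmin = $enabledUsers | Where-Object { $_.SID.Value -like '*-500' }
if ($builtinAdmin) {
    Add-Finding 'Unique accounts' "Built-in Administrator (RID 500, '$($builtinAdmin.SamAccountName)') is enabled; restrict it to break-glass use."
}
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive | Where-Object objectClass -eq 'user'
if ($domainAdmins.Count -gt $MaxDomainAdmins) {
    Add-Finding 'Least privilege' "Domain Admins has $($domainAdmins.Count) user members; confirm each is a named account used only for admin tasks."
}

# 3. Service-style accounts: non-expiring passwords unchanged for years are gMSA or vault candidates.
$cutoff = (Get-Date).AddYears(-$StaleServicePwdYears)
$enabledUsers |
    Where-Object { $_.PasswordNeverExpires -and $_.PasswordLastSet -and $_.PasswordLastSet -lt $cutoff } |
    ForEach-Object { Add-Finding 'Service accounts' "'$($_.SamAccountName)' password last set $($_.PasswordLastSet.ToString('yyyy-MM-dd')); migrate to a gMSA or vault-managed rotation." }

$findings | Sort-Object Control | Format-Table -AutoSize
```

The script cannot see MFA on cloud admin portals or default passwords on printers and switches; those two items still need the tenant-side policy review and the physical device inventory described above.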
Key Takeaways
Cyber Essentials password requirements are straightforward and align with modern NIST and NCSC guidance. The framework requires unique user accounts, no default passwords, strong password policies aligned with NCSC recommendations, and MFA for internet-facing administrative access. The key is not just documenting the policy — it is technically enforcing it across your organisation.
For UK businesses, Cyber Essentials certification is increasingly mandatory for government contracts, supply chain participation, and cyber insurance. The password controls are the easiest and most cost-effective requirements to implement. Use a password manager with CSPRNG-generated passwords — like the Iron Vault Keys enterprise generator — to create unique, compliance-ready passwords for every account in your scope.
Frequently Asked Questions
What password length does Cyber Essentials require?
Cyber Essentials does not specify a minimum password length, but the NCSC recommends a minimum of 12 characters. For compliance, the NCSC's Password Guidance and the IASME governance framework expect organisations to implement strong password policies aligned with current best practice.
Does Cyber Essentials require multi-factor authentication?
Cyber Essentials does not mandate MFA, but Cyber Essentials Plus assessments may require it depending on scope. The NCSC strongly recommends MFA for internet-facing services. Implementing MFA is recommended even if not explicitly required for certification.
Does Cyber Essentials require regular password changes?
No. The NCSC's Cyber Aware guidance (aligned with Cyber Essentials principles) states that users should not be forced to change passwords on a fixed schedule. Only change passwords when there is evidence of compromise.
Are shared or generic accounts allowed under Cyber Essentials?
No. Cyber Essentials requires unique user IDs and passwords for each individual. Shared accounts, generic admin accounts, and default passwords are not permitted.
Can I get Cyber Essentials if I use cloud services for password management?
Yes. Cyber Essentials is technology-agnostic. Cloud-based password managers, SSO providers, and identity platforms are acceptable as long as they enforce the required controls.