What are the cyber essentials password requirements?
Cyber Essentials password requirements are designed to help organisations reduce one of the most common causes of cyber incidents: weak, reused, guessed, or stolen login details. Passwords are still part of everyday business life for most UK organisations, even as multi-factor authentication and passwordless sign-in methods become more common. That makes password control a key part of achieving Cyber Essentials certification.
Cyber Essentials is a UK Government-backed scheme that helps businesses protect themselves against common online threats. It is built around five core technical control areas: firewalls, secure configuration, user access control, malware protection, and security update management. Passwords sit mainly within user access control, but they also connect with wider areas such as secure configuration, cloud security, administrator access, and staff awareness.
For a business, the practical question is simple: can the right people access the right systems securely, without making it easy for attackers to guess, reuse, or steal login details? Cyber Essentials expects organisations to take this seriously. That does not mean creating an impossible process for staff. It means setting clear rules, using strong authentication, reducing shared accounts, protecting administrator access, and making sure passwords are changed when compromise is known or suspected.
UK Cyber Security Group offers Cyber Essentials certification for businesses that want a clear and affordable route through the process. Its Cyber Essentials service supports organisations that need practical help with the assessment and want expert guidance without unnecessary complexity.
Passwords remain a business risk
Passwords are often treated as a small technical detail, but they are a major business risk. A single compromised account can lead to email takeover, data theft, invoice fraud, ransomware, supplier impersonation, or unauthorised access to cloud systems. This is especially true for businesses that rely heavily on email, Microsoft 365, Google Workspace, customer portals, file sharing systems, remote access tools, and cloud-based business applications.
The UK Government’s Cyber Security Breaches Survey 2025 to 2026 found that 43 percent of UK businesses identified a cyber breach or attack in the previous 12 months. It also found that phishing remained the most common breach or attack category, affecting 38 percent of businesses. Phishing matters here because stolen passwords are often gathered through fake login pages, malicious links, and social engineering.
Cyber Essentials password requirements are therefore not just about choosing a longer password. They are about reducing the chance that an attacker can use stolen or guessed credentials to access business systems.
The plain-English answer to the password requirement
Cyber Essentials expects organisations to use strong authentication for accounts in scope. At a basic level, this means using passwords that meet the required length rules, avoiding common or weak passwords, and applying multi-factor authentication where required or available.
Where an account is protected by a password alone, the scheme accepts either a minimum length of 12 characters with no maximum length restriction, or a minimum of 8 characters with no maximum provided common passwords are automatically blocked by a deny list. Where the account is also protected by multi-factor authentication, the password must be at least 8 characters long, again with no maximum length restriction. A configured maximum (for example a 16-character cap left over from a legacy application) conflicts with the requirement under every route.
A deny list stops users choosing the passwords attackers try first: dictionary words, the company or product name, predictable patterns such as a season followed by a year, and passwords already exposed in earlier breaches. The check should be made against a normalised form of the password (lower-cased, with trailing digits and punctuation stripped and common substitutions such as "@" for "a" undone), because "P@ssw0rd1!" is no better than "password" to a cracking tool. The scheme does not ask for forced periodic password changes; passwords are changed when compromise is known or suspected.
Multi-factor authentication has become increasingly important. From April 2026 scheme updates, multi-factor authentication is mandatory for cloud services where it is available. That means organisations preparing for Cyber Essentials should not treat MFA as optional for services such as cloud email, file storage, customer relationship management systems, accounts platforms, and other internet-accessible services where MFA can be used.
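The rules above can be checked mechanically. The following is an added example written for this page, not code from the original article or from the Cyber Essentials scheme. It encodes the three acceptance routes (12+ characters; 8+ characters with a deny list; 8+ characters with MFA), rejects any configured maximum length, and matches candidate passwords against a deny list after normalising case, trailing digits and punctuation, and common letter substitutions. The deny list, keyboard-walk list and sample passwords are constructed for illustration; a real deployment would use a breach-derived list with millions of entries.

```python
"""Password checks matching the Cyber Essentials acceptance routes.

Added example, not code from the original page or from the scheme. The three
routes it encodes are: 12+ characters; or 8+ characters with automatic blocking
of common passwords via a deny list; or 8+ characters where MFA is enforced.
No route permits a maximum length. The deny list and sample passwords are
constructed for illustration only.
"""
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass

# Constructed, deliberately tiny deny list. A real one is breach-derived
# and has millions of entries; add your own company and product names.
DENY_LIST = {
    "password", "password1", "qwerty", "letmein", "welcome", "admin",
    "123456", "12345678", "summer2024", "acmeltd", "acme2024",
}
# Keyboard walks that sit near the top of every cracking wordlist.
KEYBOARD_WALKS = ("qwerty", "asdfgh", "zxcvbn", "1234567890", "0987654321")
# Undo the substitutions people use to sneak a banned word past a naive check.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t"})


def candidate_forms(password: str) -> set[str]:
    """Return normalised variants so 'P@ssw0rd1!' is compared against 'password'."""
    base = unicodedata.normalize("NFKC", password).casefold()
    no_punct = re.sub(r"[^a-z0-9]+$", "", base)   # "summer2024!" -> "summer2024"
    no_tail = re.sub(r"[^a-z]+$", "", base)        # "p@ssw0rd1!"  -> "p@ssw0rd"
    forms = {base, no_punct, no_tail, base.translate(LEET),
             no_punct.translate(LEET), no_tail.translate(LEET)}
    return {f for f in forms if f}


def is_common(password: str, deny_list: set[str] = DENY_LIST) -> bool:
    """True if the password, or any normalised form of it, is one attackers try first."""
    base = password.casefold()
    if any(walk in base for walk in KEYBOARD_WALKS):
        return True
    if re.fullmatch(r"(.)\1+", base):               # "aaaaaaaa"
        return True
    return not candidate_forms(password).isdisjoint(deny_list)


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reasons: tuple[str, ...]


def check_password(password: str, mfa_enforced: bool,
                   deny_list_enforced: bool = True) -> Verdict:
    """Apply the length rule for the route in use, plus the deny list if enforced."""
    minimum = 8 if (mfa_enforced or deny_list_enforced) else 12
    reasons = []
    if len(password) < minimum:
        reasons.append(f"shorter than {minimum} characters")
    if deny_list_enforced and is_common(password):
        reasons.append("on the deny list or a keyboard pattern")
    return Verdict(accepted=not reasons, reasons=tuple(reasons))


@dataclass(frozen=True)
class PasswordPolicy:
    """The settings an identity platform typically exposes (hypothetical shape)."""
    min_length: int
    max_length: int | None       # None is what the scheme expects
    mfa_enforced: bool
    deny_list_enforced: bool


def policy_findings(policy: PasswordPolicy) -> list[str]:
    """Findings against the configured policy itself, independent of any password."""
    required = 8 if (policy.mfa_enforced or policy.deny_list_enforced) else 12
    findings = []
    if policy.min_length < required:
        findings.append(f"minimum length {policy.min_length} is below the "
                        f"{required} required for this configuration")
    if policy.max_length is not None:
        findings.append(f"maximum length of {policy.max_length} is set; "
                        "the scheme expects no maximum")
    return findings


if __name__ == "__main__":
    for pw, mfa in [("P@ssw0rd1!", True), ("Summer2024!", False),
                    ("correct horse battery staple", False)]:
        print(pw, check_password(pw, mfa_enforced=mfa))
    print(policy_findings(PasswordPolicy(8, 16, mfa_enforced=False,
                                         deny_list_enforced=False)))
```

The point of `candidate_forms` is that a deny list compared only against the literal string is easy to defeat; "P@ssw0rd1!" passes a naive check and is rejected here because its stripped, de-substituted form is "password". The `policy_findings` check is the one to run against the settings page of each cloud service in scope, since a maximum length or an 8-character minimum without a deny list or MFA is a finding before any user has chosen a password.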
Why password length matters
Longer passwords are harder to guess through brute-force attacks, especially when they are not based on obvious words, names, dates, football teams, company names, or keyboard patterns. Length on its own is not the whole defence: the scheme also expects accounts to be protected against guessing, for example by throttling sign-in attempts or locking the account after a small number of failures. Cyber Essentials does not encourage users to create passwords that are so complex they become impossible to remember. The aim is stronger authentication that people can use sensibly.
A good approach is to use longer passwords or passphrases. The NCSC's "three random words" advice is a sensible default: a memorable combination of unrelated words is easier to recall than a string of symbols and still far harder to guess. Staff should still avoid phrases that are personal, obvious, reused, or based on public information.
Password managers can also help. They allow staff to use strong, unique passwords without needing to remember every login. For businesses with many cloud applications, this can be far safer than staff reusing the same password across multiple services.
What are the key requirements for achieving Cyber Essentials certification?
The key requirements for achieving Cyber Essentials certification are based on the five technical control areas: firewalls, secure configuration, user access control, malware protection, and security update management.
From a password point of view, user access control is the main area to understand. Your business needs to make sure user accounts are properly managed, administrator access is restricted, passwords meet the required standard, and multi-factor authentication is used where required.
Secure configuration also matters because weak default passwords must not remain in place. If a device, application, router, firewall, cloud platform, or management portal still uses a default password, that is a serious weakness. Default credentials are widely known and often included in attacker toolkits.
A business preparing for Cyber Essentials should be able to show that:
User accounts are only given to people who need them.
Administrator privileges are limited to those with a genuine business need.
Passwords meet the relevant length and security expectations.
Common passwords are blocked where possible.
Multi-factor authentication is used for cloud services where it is available.
Accounts are removed or disabled when no longer needed.
Passwords are changed promptly if compromise is known or suspected.
Shared accounts are avoided wherever possible.
These controls help stop attackers from walking through the front door with stolen or guessed login details.
Multi-factor authentication and why it now matters even more
Multi-factor authentication adds an extra check beyond the password. This might involve an authentication app, security key, biometric check, one-time code, or another approved method. The aim is to make stolen passwords less useful to attackers.
For many UK businesses, MFA is one of the most valuable security improvements they can make. If a staff member is tricked into entering their password on a fake login page, MFA can stop the attacker using it straight away. It is not a complete defence: a fake page that relays the one-time code in real time, or a stream of push notifications until someone approves one, can still get through. That is why staff are told not to approve prompts they did not trigger, and why phishing-resistant methods such as security keys and passkeys are preferred for the most sensitive accounts.
Cyber Essentials now places greater emphasis on MFA, especially for cloud services. This reflects how businesses actually work today. Many organisations no longer keep everything inside an office network. Email, files, accounts, customer records, HR systems, and project tools are often cloud-based. That makes cloud account protection essential.
MFA should be applied to administrator accounts, cloud services, remote access, and other important systems. Even where Cyber Essentials sets a minimum requirement, businesses often benefit from using MFA more widely.
Passwordless sign-in and passkeys
The Cyber Essentials scheme has also moved towards recognising more secure authentication methods, including passwordless sign-in and passkeys. These approaches can reduce reliance on traditional passwords and make phishing more difficult.
Passwordless sign-in does not mean there is no security. It means the user is authenticated through stronger methods such as device-based credentials, biometrics, security keys, or cryptographic login methods. Passkeys are increasingly being promoted because they are harder for attackers to steal through normal phishing methods.
For many small businesses, passwordless access may not be the first step. The practical starting point is usually to improve passwords, turn on MFA, remove old accounts, and protect cloud services. Over time, passwordless options may become a sensible next move as platforms make them easier to manage.
How can I prepare my small business for Cyber Essentials assessment?
A small business can prepare by reviewing every account that gives access to business systems. Start with email accounts, cloud storage, finance systems, customer records, administrator accounts, remote access systems, website admin accounts, security tools, and any shared business applications.
The first step is to identify who has access. Check whether all accounts are still needed and remove accounts for former staff, old contractors, unused test users, or duplicated profiles. Dormant accounts can create unnecessary risk because they may be forgotten, poorly monitored, or still linked to weak passwords.
Next, check password rules. Make sure password length settings meet Cyber Essentials expectations. Where password-only access remains, use at least 12 characters, or at least 8 characters if common passwords are automatically blocked by a deny list. Where MFA is used, the password should be at least 8 characters. Remove any maximum length limit that stops people using longer, stronger passwords.
Then review MFA. Confirm which cloud services support it and make sure it is enabled. This is especially important for email because compromised email accounts can be used for fraud, supplier impersonation, password resets, and data theft.
Finally, review administrator access. Administrator accounts should be separate, protected, and limited. Day-to-day work should not normally be carried out from administrator accounts unless there is a clear need.
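The four preparation steps above (identify accounts, remove the ones no longer needed, check MFA, review administrator access) amount to a review that can be run over an export from an identity platform or cloud admin dashboard. The following is an added example written for this page, not code from the original article. It works on a constructed account inventory with made-up names, services and dates, and reports leavers and test users still enabled, dormant accounts, missing MFA where the service supports it, shared or generic logins, and administrators who have no separate day-to-day account. The `Account` fields are this example's own; map them to whatever your platform exports.

```python
"""Account review for the Cyber Essentials user access control checks.

Added example, not code from the original page. It walks a constructed
account inventory and reports the gaps the preparation steps look for.
Names, services and dates are made up; the Account fields are this
example's own and not any platform's export format.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Account:
    name: str
    owner: str | None        # None for shared or generic logins
    service: str
    enabled: bool
    admin: bool
    mfa_available: bool      # does the service offer MFA at all?
    mfa_enabled: bool
    last_sign_in: date | None


# Constructed HR list of people currently employed or contracted.
CURRENT_STAFF = {"a.khan", "j.smith", "l.owusu"}
TODAY = date(2025, 9, 1)          # pinned so the output is reproducible
DORMANT_AFTER = timedelta(days=90)

# Constructed inventory: one current user without MFA, one leaver, one shared
# mailbox login, one admin with no standard account, a router with default
# credentials, and a forgotten test account.
ACCOUNTS = [
    Account("a.khan@example.co.uk", "a.khan", "Microsoft 365", True, False, True, True, date(2025, 8, 29)),
    Account("j.smith@example.co.uk", "j.smith", "Microsoft 365", True, False, True, False, date(2025, 8, 30)),
    Account("p.green@example.co.uk", "p.green", "Microsoft 365", True, False, True, True, date(2025, 3, 2)),
    Account("accounts@example.co.uk", None, "Microsoft 365", True, False, True, True, date(2025, 8, 31)),
    Account("l.owusu@example.co.uk", "l.owusu", "Microsoft 365", True, True, True, True, date(2025, 8, 31)),
    Account("admin", None, "Office router", True, True, False, False, None),
    Account("test.user@example.co.uk", "test.user", "Microsoft 365", True, False, True, False, date(2024, 11, 4)),
]


def review(accounts: list[Account], current_staff: set[str], today: date,
           dormant_after: timedelta = DORMANT_AFTER) -> dict[str, list[str]]:
    """Return {account name: [findings]} for every enabled account with a problem."""
    # Owners who hold a normal (non-admin) account somewhere; used to spot admins
    # who do everything from the privileged account.
    standard_owners = {a.owner for a in accounts if a.owner and not a.admin}
    report: dict[str, list[str]] = {}
    for acct in accounts:
        if not acct.enabled:
            continue
        issues = []
        if acct.owner is None:
            issues.append("shared or generic login: move to named accounts or record the justification")
        elif acct.owner not in current_staff:
            issues.append("owner is not on the current staff list: disable, then remove")
        if acct.last_sign_in is None:
            issues.append("no sign-in recorded: confirm the account is still needed")
        elif today - acct.last_sign_in > dormant_after:
            issues.append(f"dormant: last sign-in {acct.last_sign_in.isoformat()}")
        if acct.mfa_available and not acct.mfa_enabled:
            issues.append(f"MFA is available on {acct.service} but not enabled")
        if not acct.mfa_available:
            issues.append("password-only access: 12+ character minimum (or 8+ with a deny list) applies")
        if acct.admin and acct.owner and acct.owner not in standard_owners:
            issues.append("administrator with no separate day-to-day account")
        if issues:
            report[acct.name] = issues
    return report


if __name__ == "__main__":
    for name, issues in review(ACCOUNTS, CURRENT_STAFF, TODAY).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Run against the constructed data, `a.khan` is the only account with nothing to report. The leaver check depends on the HR list being accurate, so the review is only as good as the joiners-and-leavers process feeding it; the dormancy threshold of 90 days is a common choice rather than a scheme requirement and can be tightened.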
UK Cyber Security Group can help businesses prepare by guiding them through the Cyber Essentials process, identifying weak areas, and supporting remediation before submission.
Common password mistakes that lead to problems
Many businesses fail to realise how easily password weaknesses build up over time. A company may start with good intentions, but staff changes, new systems, and rushed setup decisions can create gaps.
Common mistakes include using shared passwords for business accounts, allowing weak passwords, failing to enable MFA, leaving old staff accounts active, using administrator accounts for daily work, keeping default credentials, and storing passwords in spreadsheets or browser notes without proper controls.
Another frequent issue is password reuse. If an employee uses the same password for a personal account and a work account, a breach on another service could put the business at risk. This is one reason password managers and MFA are useful. They make it easier to use unique passwords without creating an unrealistic burden for staff.
What software solutions support compliance with Cyber Essentials standards?
Several software solutions can support compliance with Cyber Essentials standards. Useful options include password managers, identity and access management platforms, MFA tools, endpoint management systems, cloud security dashboards, mobile device management tools, and compliance management platforms.
For password control, a password manager can help staff create and store unique passwords securely. An identity platform can help enforce password length rules, MFA, and account access policies. Cloud admin dashboards can help show whether MFA is enabled and whether old accounts still exist.
Compliance software can also help by keeping evidence, tasks, and responsibilities in one place. This is useful because Cyber Essentials is not only about having controls. It is also about knowing what is in place and being able to answer the assessment accurately.
The best solution for a small business is one that is simple enough to use properly. A tool that nobody checks will not help. A practical setup should help the business answer key questions: who has access, is MFA enabled, are passwords strong enough, are admin accounts limited, and are old accounts removed?
Access control is more than passwords
Cyber Essentials password requirements sit within the broader idea of access control. Passwords matter, but they are only one part of the picture.
Good access control means giving people the minimum access they need to do their jobs. This reduces the damage that can happen if an account is compromised. For example, a general user account should not have administrator rights unless there is a valid business reason.
Access should also be reviewed when people change roles. Someone who moves from finance to sales may no longer need access to finance systems. A contractor who finishes work should have access removed promptly. An old mailbox should not remain active indefinitely without a reason.
These basic controls make password security more effective. Even if one account is compromised, restricted access can help limit the impact.
Why administrator passwords need extra care
Administrator accounts are especially sensitive because they can change settings, create users, access wider data, and control business systems. Attackers often look for administrator access because it gives them more power once inside.
Cyber Essentials expects administrator accounts to be properly controlled. This means limiting who has admin rights, using strong authentication, avoiding shared admin accounts where possible, and separating administrator activity from normal daily work.
For example, a user may have one account for day-to-day email and documents, and a separate administrator account only used when admin tasks are required. This reduces risk because the more powerful account is not used constantly for normal browsing and email.
Administrator access should also be reviewed regularly. If someone no longer needs admin rights, those rights should be removed.
Can I renew my Cyber Essentials certification through an online service?
Yes, Cyber Essentials can be renewed through an online assessment route. Renewal is a good time to check password controls because account settings often change during the year.
Before renewing, review whether MFA is enabled on cloud services, whether password length rules remain correct, whether old accounts have been removed, and whether administrator access is still appropriate. Also check whether any new systems were added during the year. A new cloud service with weak authentication can create a gap even if everything else is well managed.
Renewal should not simply repeat last year’s answers. Cyber Essentials requirements are updated over time, and your business environment may also change. Treat renewal as a practical health check.
UK Cyber Security Group provides Cyber Essentials certification support and can help organisations work through the online process clearly. For businesses that want guidance rather than guesswork, that support can make renewal easier and reduce the chance of avoidable delays.
Staff awareness and password behaviour
Password security is not only about settings. People need to understand what good password behaviour looks like. Staff should know not to reuse passwords, not to share login details, not to approve unexpected MFA prompts, and not to enter passwords into suspicious websites.
They should also know how to report concerns. If someone thinks they entered a password into a fake page, they should feel able to report it quickly. Fast reporting helps the business reset credentials, revoke sessions, check account activity, and reduce damage.
A blame culture is unhelpful. People make mistakes, especially when phishing messages are realistic and time pressure is high. The business response should focus on early reporting, quick containment, and better controls.
Which companies provide Cyber Essentials certification services in the UK?
Cyber Essentials certification services in the UK are provided by approved certification bodies and specialist cyber security providers. Businesses should choose a provider that explains the process clearly, understands the current requirements, and can support practical remediation.
UK Cyber Security Group offers Cyber Essentials certification and positions the service around helping organisations gain certification with expert guidance. This can be particularly useful for smaller businesses that do not have dedicated cyber security staff and want a straightforward route through the assessment.
When comparing providers, look beyond the certificate itself. Consider whether the provider can help you understand password requirements, MFA, cloud services, administrator access, secure configuration, and renewal planning. A good provider should make the process easier to understand, not more confusing.
For password questions, the provider should be able to explain what applies to your business systems, how MFA affects password length, and what to do about old accounts, shared access, or unsupported authentication methods.
Which UK-based firms offer Cyber Essentials consultancy services?
UK-based firms offering Cyber Essentials consultancy services include cyber security consultancies, certification bodies, managed IT providers, compliance specialists, and businesses that provide wider information security support.
UK Cyber Security Group is a strong option for organisations that want Cyber Essentials certification and practical consultancy support. The company can support businesses that need help understanding the requirements, preparing for assessment, and addressing weaknesses before submission.
The right consultancy support should be clear, practical, and proportionate. A small business does not need unnecessary complexity. It needs someone who can explain the requirements in plain English, help identify gaps, and guide the business towards a successful assessment.
For password requirements, consultancy support can help confirm whether your settings meet the scheme expectations, whether MFA is properly enabled, whether administrator access is controlled, and whether account management is good enough for certification.
Passwords, cloud services, and remote work
Cloud services and remote work have made password control more important than ever. In the past, many systems were only accessible from inside the office. Today, staff may access email, files, customer systems, and business applications from home, while travelling, or from mobile devices.
That flexibility is useful, but it means attackers can also target online login pages from anywhere. If cloud accounts are protected only by weak passwords, the business is exposed.
MFA reduces this risk. Strong password rules reduce it further. Account monitoring, removal of old accounts, and administrator control also help.
For Cyber Essentials, cloud services are a major area to review. Businesses should check every cloud service in scope and confirm whether MFA is available. Where it is available, it should be enabled in line with current scheme expectations.
Shared accounts and why they create risk
Shared accounts are common in small businesses, but they can cause problems. If several people use one login, it becomes harder to know who did what. It is also harder to remove access when one person leaves. Shared passwords are more likely to be written down, sent in messages, or reused.
Cyber Essentials encourages proper account control. Individual user accounts are usually better because access can be managed, monitored, and removed when needed.
There may be limited cases where shared access exists for a business reason, but it should not be the default approach. Where shared accounts cannot be avoided, the business should understand the risk and apply stronger controls.
What to do if a password is compromised
If a password is known or suspected to be compromised, it should be changed promptly. The business should also check whether the account has been accessed, whether MFA settings were changed, whether email forwarding rules were created, whether files were accessed, and whether other systems use the same password.
Changing the password alone may not always be enough. Attackers commonly set up persistence that survives a reset: active sessions and refresh tokens, mailbox rules that hide or forward mail, an extra MFA method or app password registered to the account, or a third-party application granted access to the mailbox. Each of these has to be found and removed, so businesses should have a simple response plan for compromised accounts.
At a basic level, staff should know who to contact, and the person responsible should know how to reset passwords, revoke sessions, review account activity, and check for suspicious changes.
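The checks described above (unfamiliar sign-ins, new inbox rules, forwarding, added MFA methods, linked applications) are a short walk through the account's audit trail. The following is an added example written for this page, not code from the original article. The events are constructed and their field and operation names are this example's own; they only loosely resemble what cloud email platforms record, so they would need mapping to the real audit log before use. The office egress address and the report time are also assumptions.

```python
"""Triage of a reported account compromise from audit events.

Added example, not code from the original page. Events, field names and
operation names are constructed for illustration and are not a real
platform's schema. Given one user and the time the compromise was reported,
it finds sign-ins from unfamiliar addresses, lists the persistence the
attacker set up, and turns that into an ordered containment list.
"""
from __future__ import annotations

from datetime import datetime, timedelta

# Constructed: the office egress address staff normally sign in from.
KNOWN_IPS = {"203.0.113.10"}

# Operations that keep an attacker in after a password reset, and the fix for each.
PERSISTENCE_OPS = {
    "InboxRuleCreated": "delete the attacker's inbox rules, including hidden ones",
    "ForwardingSet": "remove mailbox forwarding to the external address",
    "MfaMethodAdded": "remove the added MFA method and re-register the user's own",
    "AppConsentGranted": "revoke the application consent and its tokens",
    "AppPasswordCreated": "delete the app password",
}

# Constructed audit trail: a normal morning sign-in, then an attacker from a new
# address setting up rules, forwarding, an MFA method and an app consent.
EVENTS = [
    {"time": "2025-09-01T08:02:00Z", "user": "j.smith@example.co.uk", "op": "SignIn",
     "ip": "203.0.113.10", "detail": ""},
    {"time": "2025-09-01T11:47:00Z", "user": "j.smith@example.co.uk", "op": "SignIn",
     "ip": "198.51.100.77", "detail": ""},
    {"time": "2025-09-01T11:49:00Z", "user": "j.smith@example.co.uk", "op": "InboxRuleCreated",
     "ip": "198.51.100.77", "detail": "name='.'; subject contains 'invoice' -> move to RSS Feeds, mark read"},
    {"time": "2025-09-01T11:50:00Z", "user": "j.smith@example.co.uk", "op": "ForwardingSet",
     "ip": "198.51.100.77", "detail": "to=finance.team@example-mail.net"},
    {"time": "2025-09-01T11:52:00Z", "user": "j.smith@example.co.uk", "op": "MfaMethodAdded",
     "ip": "198.51.100.77", "detail": "phone=+44 7700 900123"},
    {"time": "2025-09-01T11:55:00Z", "user": "j.smith@example.co.uk", "op": "AppConsentGranted",
     "ip": "198.51.100.77", "detail": "app='Mail Sync Helper'; scope=Mail.ReadWrite offline_access"},
    {"time": "2025-09-01T12:10:00Z", "user": "a.khan@example.co.uk", "op": "SignIn",
     "ip": "203.0.113.10", "detail": ""},
]


def parse_time(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def triage(events: list[dict], user: str, reported_at: str,
           known_ips: set[str] = KNOWN_IPS, lookback: timedelta = timedelta(hours=24)) -> dict:
    """Summarise one user's events in the window before the report was made."""
    report_time = parse_time(reported_at)
    window_start = report_time - lookback
    unknown_ips: set[str] = set()
    first_suspicious: str | None = None
    persistence: list[tuple[str, str, str]] = []
    for e in sorted(events, key=lambda e: e["time"]):
        if e["user"] != user:
            continue
        when = parse_time(e["time"])
        if when < window_start or when > report_time:
            continue
        if e["ip"] not in known_ips:
            unknown_ips.add(e["ip"])
            if first_suspicious is None:
                first_suspicious = when.isoformat()
        if e["op"] in PERSISTENCE_OPS:
            persistence.append((when.isoformat(), e["op"], e["detail"]))
    return {"unknown_ips": unknown_ips, "first_suspicious": first_suspicious,
            "persistence": persistence}


def containment_plan(summary: dict) -> list[str]:
    """Ordered actions: cut access first, then undo each persistence mechanism found."""
    steps = ["reset the password",
             "revoke all sessions and refresh tokens so existing sign-ins stop working"]
    seen: list[str] = []
    for _, op, _ in summary["persistence"]:
        if op not in seen:
            seen.append(op)
            steps.append(PERSISTENCE_OPS[op])
    if summary["first_suspicious"]:
        steps.append(f"review mail read or sent since {summary['first_suspicious']} "
                     "and reset any other system that shared the password")
    return steps


if __name__ == "__main__":
    summary = triage(EVENTS, "j.smith@example.co.uk", "2025-09-01T13:00:00Z")
    print(summary)
    for step in containment_plan(summary):
        print("-", step)
```

The order in `containment_plan` matters: revoking sessions before removing the forwarding rule means the attacker cannot simply recreate it while you work, and the first unfamiliar sign-in time scopes the review of what was read or sent. The rule named "." in the constructed events is deliberate; attackers often give inbox rules a single-character name so they are easy to overlook in a mail client.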
Building a simple password policy that staff will follow
A useful password policy should be short, clear, and realistic. It should explain the minimum password length rules, when MFA is required, whether password managers are approved, how administrator accounts are handled, and what staff should do if they suspect compromise.
It should also make clear that passwords must not be shared, reused across work and personal accounts, or stored in unsafe places. Staff should understand that MFA prompts should only be approved when they are actively signing in.
The policy should be reviewed regularly, especially when Cyber Essentials requirements change or new systems are added.
Why UK Cyber Security Group is a practical place to start
UK Cyber Security Group offers Cyber Essentials certification for organisations that want a low-cost route with expert support. For many businesses, that combination matters because password and MFA requirements can seem simple until the business starts checking every account, cloud service, and administrator role.
A provider can help clarify what is in scope, what settings need to be reviewed, and what needs fixing before submission. This can save time and reduce frustration.
UK Cyber Security Group can also support businesses that want more than a one-off certificate. Password control, MFA, access review, and secure configuration all need to be maintained after certification. Good guidance helps the business build stronger habits, not just complete the assessment.
A practical password readiness checklist
Before starting Cyber Essentials, ask these questions:
Are all business accounts linked to named users where possible?
Are old staff and contractor accounts removed or disabled?
Are passwords at least 12 characters where there is no MFA, or at least 8 where a deny list blocks common passwords?
Are passwords at least 8 characters where MFA is active?
Is MFA enabled for cloud services where available?
Are administrator accounts limited and protected?
Are default passwords removed from devices and systems?
Are common passwords blocked where possible?
Are staff told not to reuse work passwords elsewhere?
Is there a process for suspected password compromise?
Are password managers approved and managed sensibly?
Can the business explain how access is reviewed?
If any answer is unclear, it is worth resolving before assessment. These checks make the Cyber Essentials process smoother and strengthen the business at the same time.
Final guidance for business owners
Cyber Essentials password requirements are not about making staff memorise impossible strings of characters. They are about protecting business systems from common attacks that rely on weak, reused, guessed, or stolen credentials.
The core message is straightforward. Use strong passwords. Apply MFA where required and wherever sensible. Remove old accounts. Limit administrator access. Avoid shared credentials. Change passwords promptly when compromise is suspected. Keep the process clear enough that staff can follow it.
For UK businesses that want support, UK Cyber Security Group offers Cyber Essentials certification and practical guidance. Their service can help organisations understand the password and MFA requirements, prepare for assessment, and gain certification through a more manageable route.
Cyber Essentials is not only a badge. It is a useful way to improve day-to-day cyber hygiene. Strong password control is one of the clearest and most achievable steps any business can take.