Cyber Essentials Password Policy

Passwords play an important role in the Cyber Essentials scheme as they are a common means of authenticating true users, while preventing unauthorized access. Two of the five controls in the UK Government’s Cyber Essentials scheme address password security requirements directly. The controls are designed to defend against common cyber attacks, such as phishing, and manual/automated password guessing.

5 key controls of Cyber Essentials

The Cyber Essentials security controls can prevent around 80% of cyber attacks, according to the UK government. There are five technical control topics included in the scheme:

• Firewalls
• Secure Configuration
• User Access Control
• Malware Protection
• Patch Management

The Cyber Essentials password policy guidance can be found in Secure Configuration and User Access Control.

What is Secure Configuration?

The objective of Secure Configuration is to ensure that computers and network devices are configured to reduce the level of inherent vulnerabilities. Devices should only provide the service required to fulfil their role. In addition to computers and network device requirements, the Secure Configuration control details password-based authentication. In a shift away from password complexity, the requirements place the technical password burden on systems, as opposed to relying on users following good practices. To achieve the certificate an applicant must fulfil the following (from the Cyber Essentials website):

• protect against brute-force password guessing, by using at least one of the following methods:
  • lock accounts after no more than 10 unsuccessful attempts
  • limit the number of guesses allowed in a specified time period to no more than 10 guesses within 5 minutes
• set a minimum password length of at least 8 characters
• not set a maximum password length
• change passwords promptly when the Applicant knows or suspects they have been compromised
• have a password policy that tells users:
  • how to avoid choosing obvious passwords (such as those based on easily-discoverable information like the name of a favorite pet)
  • not to choose common passwords — this could be implemented by technical means, using a password deny list
  • not to use the same password anywhere else, at work or at home
  • where and how they may record passwords to store and retrieve them securely — for example, in a sealed envelope in a secure cupboard
  • if they may use password management software — if so, which software and how
  • which passwords they really must memorize and not record anywhere

The Applicant is not required to:

• enforce regular password expiry for any account (we actually advise against this — for more information see The problems with forcing regular password expiry)
• enforce password complexity requirements

What is User Access Control?

User Access Control ensures user accounts are assigned to authorized individuals only. Access should only be granted to those applications, computers, and networks that are actually required for the user to perform their role. You can reduce the risk of information being stolen or damaged by granting only as much access as needed. This technical control defines requirements of privileged accounts and processes for limiting access. The requirements include the following (from the Cyber Essentials website):

• have a user account creation and approval process
• authenticate users before granting access to applications or devices, using unique credentials (see Password-based authentication)
• remove or disable user accounts when no longer required (when a user leaves the organisation or after a defined period of account inactivity, for example)
• implement two-factor authentication, where available
• use administrative accounts to perform administrative activities only (no emailing, web browsing or other standard user activities that may expose administrative privileges to avoidable risks)
• remove or disable special access privileges when no longer required (when a member of staff changes role, for example)

Cyber Essentials certification and accreditation bodies

The overall goal of the Cyber Essentials scheme is to help organisations guard against common cyber threats and show their commitment to cyber security. There are five accreditation bodies that can help with assessment and certification. The following accreditation bodies are listed on the NCSC’s website: APMG, CREST, IASME, IRM and QG Management Standards. The Cyber Essential certification is a stamp of approval that an organisation has put the most critical cyber security measures in place.

For more information about Cyber Essentials certification, check out the FAQ on the NCSC’s website. Remember, Cyber Essentials certification should be renewed annually to remain on the official register of certified businesses.

Cyber Essentials password policy requirements

If you are planning for Cyber Essentials accreditation you will need to make sure your password policy is up to the challenge. Shift the password burden away from your users, and place it instead on the technical systems. For example, you could use a password deny list to stop leaked passwords, lock accounts after repeated login attempts, and stop periodic password expirations. You should also limit the number of users who have privileged access, and use those accounts for only the task that is required of them.

Free password auditor tool to detect breached passwords

Specops Password Auditor is a free tool that can address password-related threats in Active Directory. IT departments use the software to identify accounts using compromised passwords in their organization. The auditor also reports how the password settings in your organization compare with industry standards. 

Specops Password Auditor is a read-only program. Download: https://specopssoft.com/product/specops-password-auditor/