
Cyber Essentials Self Assessment: Password-Based Authentication

(Updated 2025)

This security wiki provides guidelines for implementing password-based authentication practices within your organisation. Follow these recommendations to enhance the security of user accounts and protect against unauthorised access.


A7.10. Protection Against Brute-Force Password Guessing

Your organisation must take steps to protect accounts from brute-force password guessing attacks. Measures should include:

  • Implementing account lockouts or throttling after a defined number of unsuccessful login attempts.

  • Applying rate-limiting on login requests.

  • Using additional controls such as CAPTCHA or automated bot-detection systems where appropriate.

  • Monitoring authentication logs for abnormal login attempts.


A7.11. Technical Controls for Password Quality Management

Your organisation should enforce minimum password quality controls in line with Cyber Essentials 2025 requirements:

  • Passwords must be at least 12 characters long. If Multi-Factor Authentication (MFA) is enabled, a minimum of 8 characters is acceptable.

  • Complexity rules (mix of characters) are no longer required by default — instead, encourage the use of passphrases (e.g., three random words).

  • Password expiration policies should only be applied if there is evidence of compromise; routine forced resets are discouraged.

  • Provide password strength indicators to guide users towards creating strong passphrases.
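As an added example that is not part of the Cyber Essentials guidance or this page, the following Python module encodes the A7.11 length rule (12 characters, or 8 when MFA is enabled, with no complexity requirement) and an A7.10 lockout counter. The failure threshold and lockout window are assumed values; the standard itself fixes neither.

```python
import time

MIN_LEN_NO_MFA = 12        # A7.11: 12 characters without MFA
MIN_LEN_WITH_MFA = 8       # A7.11: 8 characters acceptable when MFA is enabled
MAX_FAILURES = 5           # assumed A7.10 lockout threshold (not set by the page)
LOCKOUT_SECONDS = 15 * 60  # assumed lockout window (not set by the page)

def check_password_policy(password: str, mfa_enabled: bool) -> list:
    """Return a list of A7.11 violations; an empty list means acceptable."""
    minimum = MIN_LEN_WITH_MFA if mfa_enabled else MIN_LEN_NO_MFA
    problems = []
    if len(password) < minimum:
        problems.append(f"shorter than {minimum} characters")
    # No complexity rule: a three-random-word passphrase passes on length alone.
    return problems

class LoginThrottle:
    """A7.10 control: lock an account after max_failures consecutive bad attempts."""
    def __init__(self, max_failures=MAX_FAILURES,
                 lockout_seconds=LOCKOUT_SECONDS, clock=time.monotonic):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock          # injectable so tests can supply a fake clock
        self._failures = {}         # account -> consecutive failure count
        self._locked_until = {}     # account -> monotonic timestamp of unlock

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() < until:
            return True
        # Lockout expired: clear state so the account gets a fresh allowance.
        del self._locked_until[account]
        self._failures.pop(account, None)
        return False

    def record_failure(self, account: str) -> bool:
        """Record a failed login; return True if the account is now locked."""
        if self.is_locked(account):
            return True
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)  # a successful login resets the count
```

Every `record_failure` result is also a natural point to emit an authentication log entry, which is what A7.10's monitoring bullet relies on.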


A7.12. Encouraging Unique and Strong Passwords

Your organisation should adopt the following practices to promote stronger user behaviour:

  • Provide clear guidance encouraging users to use unique, non-reused passphrases for every system.

  • Promote the use of password managers for generating and securely storing strong credentials.

  • Incorporate password hygiene into staff awareness training, covering phishing risks and credential reuse.


A7.13. Process for Compromised Passwords or Accounts

If a password or account is suspected or confirmed to be compromised:

  1. Immediately force a password reset for the affected account(s).

  2. Require users to set a new password in line with current standards (minimum 12 characters or 8 with MFA).

  3. Review authentication logs for signs of further unauthorised access.

  4. Investigate the incident and apply additional protective controls where needed (e.g., temporary account suspension, additional monitoring).


A7.14. Availability of Multi-Factor Authentication (MFA) in Cloud Services

All cloud services used by the organisation must provide MFA as a built-in feature. MFA should be enabled by default for all user and administrator accounts. Refer to the NCSC guidance on MFA implementation for best practice.


A7.15. Cloud Services without MFA Option

If any cloud service does not currently offer MFA, document those services and:

  • Explore whether alternative authentication methods are available (e.g., Single Sign-On with enforced MFA).

  • Apply compensating controls such as IP allow-listing or device restrictions until MFA is available.

  • Where possible, consider replacing the service with one that supports MFA.


A7.16. MFA Applied to Cloud Service Administrators

MFA must be enabled for all administrators of cloud services. Administrators should authenticate with MFA in addition to a password (minimum 12 characters, or 8 if MFA is in place). Hardware tokens or mobile authenticator apps are strongly recommended over SMS codes.


A7.17. MFA Applied to Cloud Service Users

MFA should also be applied to all standard cloud service user accounts, not just administrators. This adds a critical extra layer of protection, especially against phishing and credential reuse attacks.


Summary

Implementing robust password-based authentication practices — including passphrase-based passwords, monitoring for brute-force attempts, and enforcing MFA across all accounts — significantly reduces the risk of unauthorised access and strengthens organisational security.

Note: Organisations should adapt these guidelines to their environment and consult with cybersecurity professionals for tailored advice on password security and MFA deployment.