Lesson 6.5 — Password-based authentication: password quality, technical controls and user guidance
This lesson helps the learner understand the Cyber Essentials password-based authentication requirements.
What You'll Be Able to Do
By the end of this lesson, you will be able to:
- identify where password-based authentication is used
- apply the required brute-force protections
- choose appropriate password quality controls
- support users with unique and usable passwords
- avoid outdated password practices
- collect password control evidence without recording actual passwords or secrets.
Why This Matters
This lesson explains how passwords should be protected against brute-force guessing, how technical controls should manage password quality, how MFA changes password length expectations, how users should be supported to choose unique passwords, and how organisations should respond when a password or account is suspected to be compromised.
The most common problems are:
- assuming MFA means passwords no longer matter;
- relying only on user behaviour;
- enforcing complexity but allowing common passwords;
- forcing regular password expiry.
The Core Rule
Where passwords are used, Cyber Essentials expects them to be protected by technical controls.
Passwords must be protected against brute-force guessing by using MFA, throttling, or lockout after failed attempts.
What the CE Assessor Looks For
A strong position shows:
- password-based systems are identified;
- passwords are protected against brute-force guessing;
- MFA is used where available;
- throttling or lockout protects systems without MFA;
- technical controls manage password quality;
- minimum length rules are enforced correctly.
Common Mistakes
- assuming MFA means passwords no longer matter;
- relying only on user behaviour;
- enforcing complexity but allowing common passwords;
- forcing regular password expiry;
- setting a maximum password length;
- allowing unlimited login attempts.
Copy This
Keep this rule visible:
Use technical controls and secure storage so password security does not depend only on users remembering complex rules.
Quick Checklist
Before moving on, make sure you can answer these:
- [ ] What is the main purpose of password-based authentication controls?
- [ ] What are the three accepted brute-force protections?
- [ ] What are the accepted password quality approaches?
- [ ] Why should there be no maximum password length restriction?
- [ ] Why should regular password expiry not be enforced?
Your Action
Do this now — it takes 10–20 minutes.
Review your password policy against CE requirements: at least 8 characters where MFA is used, or at least 12 characters without. Record your current position in Section UAC.
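As an added example (not part of this lesson or of any Cyber Essentials tooling), the Python below codifies the rules in this lesson as a policy-review function, so an exported password policy can be checked for the common mistakes listed above; the policy keys, the two sample policies and the short deny list are constructed for illustration.

```python
# Added example: codifies this lesson's password rules for an automated policy review.
# Policy keys, both sample policies and the deny list are constructed; map the keys to
# whatever your directory or identity provider exports. Deny list is a short sample.

COMMON_PASSWORDS = {"password", "password1", "qwerty123", "letmein", "welcome1"}

# Constructed sample: a policy showing the mistakes this lesson lists.
WEAK_POLICY = {"mfa_enforced": False, "throttling": False, "lockout": False,
               "min_length": 8, "max_length": 16, "expiry_days": 90,
               "deny_list_enforced": False}

# Constructed sample: the same policy corrected to the lesson's rules.
FIXED_POLICY = {"mfa_enforced": False, "throttling": True, "lockout": False,
                "min_length": 12, "max_length": None, "expiry_days": None,
                "deny_list_enforced": True}


def required_length(policy: dict) -> int:
    """Minimum length: 8 characters where MFA is used, 12 where it is not."""
    return 8 if policy.get("mfa_enforced") else 12


def review_password_policy(policy: dict) -> list[str]:
    """Return the gaps between a policy and the lesson's rules (empty list = none)."""
    findings = []
    # Brute-force guessing must be blocked by MFA, throttling or lockout.
    if not (policy.get("mfa_enforced") or policy.get("throttling") or policy.get("lockout")):
        findings.append("no brute-force protection (MFA, throttling or lockout)")
    if policy.get("min_length", 0) < required_length(policy):
        findings.append(f"minimum length below {required_length(policy)}")
    # A maximum length blocks long passphrases and is not allowed.
    if policy.get("max_length") is not None:
        findings.append("maximum password length is set")
    # Regular expiry should not be forced; change on suspected compromise instead.
    if policy.get("expiry_days") is not None:
        findings.append("regular password expiry is enforced")
    # Complexity rules alone are not enough; common passwords must be rejected.
    if not policy.get("deny_list_enforced"):
        findings.append("common passwords are not blocked")
    return findings


def check_password(candidate: str, policy: dict) -> list[str]:
    """Apply the length and deny-list rules to one candidate password."""
    problems = []
    if len(candidate) < required_length(policy):
        problems.append(f"shorter than {required_length(policy)} characters")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password deny list")
    return problems
```

Running `review_password_policy(WEAK_POLICY)` lists all five gaps, while the corrected policy and an MFA-backed policy with an 8-character minimum return no findings.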
Key Takeaway
Use technical controls and secure storage so password security does not depend only on users remembering complex rules.
Your Workbook Activity
Complete: Password-based authentication control review record
Next Lesson
In the next lesson: Administrator accounts: separate admin accounts, privileged access and special access removal