Creating A Cyber Essentials Password Policy
The Cyber Essentials assessment has several different requirements to establish a Cyber Essentials password policy and apply it to authentication systems in use for your organisation.
The documentation available from IASME and the National Cyber Security Centre (NCSC) that references the specific password requirements includes the following:
- The Cyber Essentials Self-Assessment Questionnaire
- The Cyber Essentials Requirements for IT Infrastructure
The Cyber Essentials password requirements are spread across these documents, which set out requirements for passwords, user accounts, and the device types in scope, such as firewalls, computers, network devices, and cloud services.
The following password security requirements can be implemented within your organisation to meet the Cyber Essentials controls for password complexity and account management.
Cyber Essentials Password Policy
Account Management
- Disable or remove default accounts, such as Guest and built-in Administrator accounts, where possible.
- Change any default account passwords in line with the password complexity rules defined below.
- Create a unique account and unique password for all individuals who require access.
- Define an account creation process and ensure new accounts are only created upon approval from a suitably authorised individual within the company.
- Where the account creation involves administrator accounts, ensure a formal documented process is followed and the accounts are approved in writing before creation by a suitably authorised individual, such as the business Owner, Director, Trustee, or Partner.
- Maintain a documented list of the accounts that have been created within the organisation and to whom they have been issued, so that accounts can be tracked, monitored, or disabled where necessary.
- Define an account removal process and ensure that each account associated with an individual is removed or disabled as they leave the company.
- Define user roles, their permissions, and the access each role requires. Where accounts are created or changed, ensure that only the permissions necessary for that role are assigned to each account.
Administrator Account Management
Ensure that each allocated administrator account is tracked and documented within the company, and review this list of accounts regularly to ensure only necessary admin accounts are in use.
Where necessary to issue an administrator account to a user, ensure this is not used for typical daily use, and where applicable issue a secondary standard/low-permission account to the same user for daily usage.
Daily tasks and activities such as checking emails, using the internet, and opening documents should be conducted with the standard account, and the administrator account should be reserved for specific administrative actions that are necessary and approved.
Password Complexity
For each authentication system, protect account logins with one of the following password complexity rules:
- Enable multi-factor authentication (MFA) and require a password of at least 8 characters, with no maximum length restriction.
- Require a minimum password length of 12 characters, with no maximum length restriction.
- Require a minimum password length of 8 characters, with no maximum length restriction, and automatically block common passwords using a deny list.
Account Lockout
For each authentication system, account login protection should also be enabled through one of the following account lockout methods, to minimise the potential for brute-force password attacks:
- Enable multi-factor authentication (MFA) and require a password of at least 8 characters, with no maximum length restriction.
- Limit or throttle the number of login attempts that can be made. This method increases the amount of time a user must wait before attempting another login after unsuccessful attempts. Allow no more than 10 attempts within 5 minutes.
- Lock the account and/or device after no more than 10 unsuccessful login attempts.
Internet Facing Login Services
For cloud services, multi-factor authentication should always be used.
For managed, internet-facing administration interfaces, authentication should be protected by either:
- Enabling multi-factor authentication, with a password of at least 8 characters and no maximum length restriction
- Restricting access to an allow list of IP addresses, so that only those addresses can reach the interface
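The complexity, lockout, and administration-interface rules above can be expressed as code so that the option an organisation has chosen is explicit and testable. The following is an added example written for this article, not tooling from IASME or the NCSC: the deny list is a constructed stand-in for a published common-password list, the function and class names are this example's own, and timestamps are passed as plain seconds so the throttling window can be exercised offline. By default the checker applies the deny list under every option, which is stricter than the minimum the policy requires; pass `reject_common_always=False` to check the three options exactly as written.

```python
"""Checks for the Cyber Essentials password complexity, account lockout and
internet-facing administration interface rules. Added example for this
article; not code from IASME or the NCSC."""
import ipaddress
from collections import defaultdict, deque

# Constructed deny list for this example (stored lower-case). A real
# deployment would load a published common-password list instead.
COMMON_PASSWORDS = {
    "password", "password1", "password1!", "password2!", "qwerty123",
    "letmein1", "welcome1", "january2024!", "12345678",
}


def password_rule_satisfied(password, mfa_enabled=False,
                            deny_list=COMMON_PASSWORDS, reject_common_always=True):
    """Return the name of the complexity option the password satisfies, or None.

    Options, in the order the policy lists them:
      "mfa+8"           MFA enabled and at least 8 characters
      "12-char"         at least 12 characters
      "8-char+denylist" at least 8 characters and not on the deny list
    No option imposes a maximum length, so none is applied here. With
    reject_common_always=True (stricter than the minimum) a deny-listed
    password is refused under every option.
    """
    on_deny_list = password.lower() in deny_list
    if reject_common_always and on_deny_list:
        return None
    length = len(password)
    if mfa_enabled and length >= 8:
        return "mfa+8"
    if length >= 12:
        return "12-char"
    if length >= 8 and not on_deny_list:
        return "8-char+denylist"
    return None


class LoginGuard:
    """Per-account failed-login tracking for the two lockout options.

    mode="throttle": refuse further attempts once max_attempts failures have
        occurred within the sliding window (10 in 5 minutes by default);
        attempts are accepted again as old failures age out of the window.
    mode="lockout":  lock the account after max_attempts consecutive failures
        until an administrator calls reset().
    'now' is a timestamp in seconds (e.g. time.time()), passed explicitly.
    """

    def __init__(self, mode="throttle", max_attempts=10, window_seconds=300):
        if mode not in ("throttle", "lockout"):
            raise ValueError("mode must be 'throttle' or 'lockout'")
        self.mode = mode
        self.max_attempts = max_attempts
        self.window = window_seconds
        self._failures = defaultdict(deque)  # account -> failure timestamps
        self._locked = set()

    def _prune(self, account, now):
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()

    def attempt_allowed(self, account, now):
        if account in self._locked:
            return False
        if self.mode == "throttle":
            self._prune(account, now)
            return len(self._failures[account]) < self.max_attempts
        return True

    def try_login(self, account, credentials_valid, now):
        """Simulate one login attempt: returns 'blocked', 'ok' or 'failed'."""
        if not self.attempt_allowed(account, now):
            return "blocked"
        if credentials_valid:
            self._failures[account].clear()  # a success resets the counter
            return "ok"
        failures = self._failures[account]
        failures.append(now)
        if self.mode == "lockout" and len(failures) >= self.max_attempts:
            self._locked.add(account)
        return "failed"

    def reset(self, account):
        """Administrator unlock, e.g. after a verified password reset."""
        self._failures[account].clear()
        self._locked.discard(account)


def admin_interface_access_allowed(source_ip, mfa_verified, allowed_networks):
    """Internet-facing administration interface: permit the session only if
    MFA was completed or the source address is on the IP allow list."""
    src = ipaddress.ip_address(source_ip)
    on_allow_list = any(src in ipaddress.ip_network(net) for net in allowed_networks)
    return mfa_verified or on_allow_list


if __name__ == "__main__":
    for pw, mfa in [("correct horse battery", False), ("Tr0ub4dor&3", False),
                    ("Password1!", True), ("Short1!", True)]:
        print(f"{pw!r:25} mfa={mfa!s:5} -> {password_rule_satisfied(pw, mfa)}")
    guard = LoginGuard("throttle")
    print([guard.try_login("alice", False, i) for i in range(12)])  # 10 failed, then blocked
    print(guard.try_login("alice", True, 301))  # oldest failures have aged out -> ok
    print(admin_interface_access_allowed("198.51.100.9", False, ["203.0.113.0/24"]))
```

In throttle mode a refused attempt is not counted as a failure, so an attacker cannot keep an account permanently throttled by hammering it; in lockout mode the account stays locked until `reset()` is called, which is where the password reset process described later in this article comes in.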
Device Unlocking
For devices where an account is required solely for unlocking the device and requires physical interaction, such as a laptop or mobile phone:
- Biometrics, such as Face ID, and Fingerprint, can be used solely for unlocking the device.
- Biometrics should be backed up with a PIN or password of at least 6 characters where the account is used solely for unlocking the device. If the same account is also used to access other services, the password complexity requirements above apply.
- Where available, one of the previously defined account lockout systems should also be applied to device unlocking systems.
User Education and Training
For user education, advice, and guidance on choosing and maintaining secure passwords, the following information can be provided:
- User education and training can be provided through Security Awareness training as provided in the following article.
- Users should be aware of the common words and patterns that are often incorporated into passwords and give an attacker an easy route to compromising accounts, such as those detailed in the following lists. These types of common passwords should always be avoided.
- Users should be encouraged to choose longer, more complex passwords by considering a ‘passphrase’ rather than a ‘password’. A passphrase is a longer password made up of a phrase that is memorable to the individual but far harder for an attacker to guess.
- Users can be helped with password management by utilising password management software within the organisation. A password manager can generate random passwords of a predefined length, which removes the dependence on users choosing a secure password themselves.
- Users can also be helped by the organisation not enforcing regular password expiry or password complexity rules, although this can seem insecure and counter-intuitive. When users need to remember multiple passwords that must continually be reset, it encourages bad password habits. This is often seen in iterative and predictable patterns that meet the minimum complexity requirements, such as Password1!, Password2!, Password3!, or January2024!, February2024!, March2024!. Moving away from regular password resets and instead encouraging secure password practices, account lockout methods, and multi-factor authentication (MFA) creates a more secure configuration for your authentication systems.
- Users issued with administrator accounts should receive additional training to understand the risks and dangers that can arise from the compromise of such accounts. Day-to-day activity should never be conducted using administrator accounts but should use separate standard/low-permission accounts, with only specific and necessary actions carried out with an administrator account where necessary and approved.
Password Reset
For instances where a password reset is required, such as a user locking out their own account, set up the following:
- A documented list of each of the authentication systems in use within the organisation
- Locations or instructions a user can follow for resetting their password, or the relevant contact information for requesting a password reset
- Contact information for reporting any unusual behaviour that is encountered or potential signs of an account compromise.
Account Compromise
For instances of account compromise, it is important to take proactive steps to reduce the likelihood of compromise and react quickly when it does occur:
- Maintain a documented process for each authentication system, with instructions for administrators to change passwords or disable accounts promptly where an account compromise is suspected.
- Maintain a maximum timeframe for responding to suspicious account activity, to ensure a potential account compromise is quickly addressed and resolved.
- Conduct a regular review of your account login activity to identify any suspicious or unusual login activity.
- Enable alert features where available, to automatically raise a notification if unusual or suspicious account activity is identified.
Conclusion
Cyber Essentials requires multiple policies and processes, in addition to technical controls, to be maintained in order to achieve certification.
While initially working through the assessment standard, a business may find a number of new requirements that it needs to implement by creating compliance documents or setting up an established process, in order to protect itself from current cyber threats.
Where your organisation is working through the Cyber Essentials standard or aiming to achieve Cyber Essentials Plus, the following articles may be useful in taking a positive step toward certification.
Where you have any further questions regarding different cybersecurity solutions or the Cyber Essentials certification program, our consultants are available to address any concerns you may have.