What is a good password and how should we advise users
So, what do you think is good practice with passwords?
- Please don't share them with anyone (at all, for whatever reason, never)
- Use a different password for every system/service/website you access (thus, you need a password manager, really).
- Make passwords as long as possible, complex and difficult to guess (thus, you need a password manager, really).
- Set a minimum length of at least 12 characters (aligning with Cyber Essentials) if you don't have MFA/2FA enforced or automated common-password blocking (with either of those in place, we are looking at 8 characters plus MFA, or 8 characters plus automated common-password blocking).
- Please don't set a maximum length.
- Don't ask users to change passwords too often; they will write them down or weaken them by incrementing a digit on the end or similar. (Note: It has been proven that frequent changing of passwords leads to weaker passwords overall)
- Do change them periodically for anything critical, to cover a password that has been compromised without your knowledge (for example, one lost in a breach of another site that you haven't noticed or been alerted to).
- Enable Multi-Factor (MFA) / Two-Factor (2FA) authentication on every single account where it is available (100% enabled and enforced on all cloud-based accounts), and if MFA/2FA isn't available, WHY ARE YOU USING IT?
How is all of the above possible when it is so difficult to manage?
- Use a password manager to hold your passwords. You then only need one complex password to access the "Vault", and with Multi-Factor Authentication (of course) ensuring that only you can access the Vault, you are sorted.
What password manager should I use?
To be honest, there are absolutely loads available on the market, and it's impossible for us to check and confirm which one is the best one to use. You need to determine what is best for your organisation and what services you need. Things to consider:
- Password sharing (where the system can have only one password) that is never exposed to the user utilising it. They log in, and the actual password is provided to the device/site/service without their knowledge of it.
- Whilst not acceptable for Cyber Essentials Administrative controls, this is a solution for services with only a single password option that is shared with a limited number of admins, for example, a unique local admin per device.
- Admin Account Separation / Cloud Services / Multi-Factor Authentication on Cloud - this solution is ideal for users who cannot see their password and cannot be asked to type it in anywhere it's not already linked, as they never know what it is.
- Single Sign-On, using your Active Directory or another global authentication directory, so users access the password vault with the same identity they use to access everything else.
- Local Network Only or Cloud-Based: Do you want it only for your team internally or securely available anywhere? Is it just for you, your family, or a wider support team?
- Device support—what devices will you use the software on and what operating systems will it run on? It's no good if the solution doesn't work on all your devices.
- Browser Support - does it integrate into the browsers you use to log securely into websites for you?
- Desktop application/support for Applications (non-web-based) - do you have applications that need signing into that are not perhaps web-based and require the support of a password vault?
- User count and price: Will it support all the users you want to add to the product and at a suitable price point for your organisation?
- Reputation - what are other people saying about the solution?
The Password - What is a Good Choice?
There are many schools of thought on password choice: those who like words (which can easily be cracked with rainbow tables), those who like alpha-numeric with complex characters (our preference) and those with other ideas.
The key things are (we believe):
- The longer, the better; no maximum set, min 12 characters
- Some complexity (defeating rainbow tables, and, given the compute capacity available now, also preventing basic password cracking)
- Not changed too often (eliminating writing it down or reducing safety with rotating numbers, such as P@55w0rd01, P@55w0rd02 etc)
- Do not reuse it anywhere! - one per system/service/device
- String words together and add some special characters, e.g. ThisHouseIsLovelyInTheSummer!!!
- We like complex random strings such as 8hxZvi5XxJrqrAX3KEFAQKsVq, which are great in a password vault; if you don't have one, use a string of words that mean something to you, like the example above.
- DO NOT WRITE THEM DOWN
- Use Multi-Factor Authentication on everything that supports it—no excuses. If it is available, MFA it. Just as importantly, why are you even using it if it doesn't support MFA?
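As an added example (not the article's own code), the rules above expressed as a small policy check: the minimum length drops from 12 to 8 only when MFA or automated common-password blocking is in place, there is deliberately no maximum, a constructed common-password blocklist is consulted, and the P@55w0rd01 -> P@55w0rd02 rotation pattern is detected against the previous password. The function names, `COMMON_PASSWORDS` and its sample entries are assumptions made for this example.

```python
import re
from typing import List, Optional

# Constructed sample blocklist for this example; a real deployment would load
# a full breached/common-password list with millions of entries.
COMMON_PASSWORDS = {"password", "p@55w0rd", "qwerty", "letmein", "welcome"}


def required_min_length(mfa_enforced: bool, common_password_blocking: bool) -> int:
    """Minimum length from the advice above: 12 characters, or 8 when MFA or
    automated common-password blocking is in place. No maximum is ever set."""
    return 8 if (mfa_enforced or common_password_blocking) else 12


def _strip_trailing_digits(pw: str) -> str:
    return re.sub(r"\d+$", "", pw)


def is_increment_of(new_pw: str, old_pw: str) -> bool:
    """True when new_pw differs from old_pw only in a trailing run of digits,
    e.g. P@55w0rd01 -> P@55w0rd02 (the rotation habit the advice warns about)."""
    old_stem = _strip_trailing_digits(old_pw)
    new_stem = _strip_trailing_digits(new_pw)
    return bool(old_stem) and old_stem == new_stem and new_pw != old_pw


def check_password(pw: str, *, mfa_enforced: bool = False,
                   common_password_blocking: bool = False,
                   previous: Optional[str] = None) -> List[str]:
    """Return the policy violations for pw; an empty list means it passes."""
    problems: List[str] = []
    min_len = required_min_length(mfa_enforced, common_password_blocking)
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # Deliberately no maximum-length check: long passphrases are encouraged.
    if common_password_blocking:
        # Compare the stem so P@55w0rd01 is caught by the 'p@55w0rd' entry.
        if _strip_trailing_digits(pw).lower() in COMMON_PASSWORDS:
            problems.append("matches a common password (ignoring trailing digits)")
    if previous is not None and is_increment_of(pw, previous):
        problems.append("only the trailing digits changed from the previous password")
    return problems
```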
Think About
What happens if you are run over by a bus or hospitalised with something (e.g., COVID-19)? How would people manage to access your systems if you were the only holder of all the passwords?
- A password vault with automated emergency access, where nominated people can access your account if you don't decline their request within a set period, for example, 48 hours.