Cyber Essentials Password Requirements Under Danzell

Danzell changed the password game for CE completely. Previously you set a minimum password length, bolted on some complexity rules, and moved on, but that approach is finished. There are now three authentication options, and MFA requirements got stricter. So what do you actually need to get right?
The three authentication options
CE gives you three ways to satisfy the access control requirement. You don't have to pick the same option for every system. But you do need to know which option covers which system, because I will ask.
Option 1: MFA + minimum 8 characters
Multi-factor authentication turned on, plus a password of at least 8 characters. No complexity requirements and no throttling requirement beyond what MFA already provides.
This is what the NCSC wants you to use, and I agree with them. MFA means a stolen password on its own gets an attacker nowhere. They've still got the second factor to deal with. The 8-character minimum is a floor, not a target.
Option 2: 12 characters + throttling
At least 12 characters, plus automatic throttling that locks the account after no more than 10 failed attempts within a defined period.
This one's for systems where MFA genuinely isn't available. The longer password compensates for the missing second factor, and throttling stops brute-force attacks. I see this most on legacy line-of-business apps that just won't support MFA.
Option 3: 8 characters + throttling
At least 8 characters, plus automatic throttling (same 10-attempt limit).
This is the minimum bar for the scheme. It'll pass, but it's the weakest option by a long way. An 8-character password without MFA relies entirely on throttling. Would I be comfortable with it for anything sensitive? Not at all, not for one second. But for a shared printer login or something genuinely low-risk, it scrapes through.
Where MFA is mandatory (regardless of option)
Even if you've gone with Option 2 or 3 for general accounts, MFA is still required in two places:
All cloud services accessible over the internet - Microsoft 365, Google Workspace, Xero, Slack, your CRM, your backup platform. If it's cloud-based and accessed over the internet, MFA is required without exception.
All internet-facing administrative portals - firewall admin panels, router management interfaces, hosting control panels, DNS management. If it is reachable from the internet, MFA is required regardless of which password option you chose.
These two trip up more businesses than the password options. I regularly see MFA sorted on Microsoft 365 but completely missing from accounting software, HR platforms, or the backup portal nobody remembered existed. How many cloud services does your business actually use that you haven't thought about?
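The three options and the internet-facing MFA override combine into a single rule that can be run over an inventory of in-scope systems before the assessment. The Python below is an added example, not part of this article or of the CE question set; the `SystemRecord` fields and the inventory rows are constructed assumptions for illustration. It counts MFA only when it is enforced at login (merely offered does not count), works out the best option a system's enforced password settings would earn, and then applies the cloud-service and admin-portal override on top.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Hypothetical inventory row: what each system actually ENFORCES, not what
# the policy document says. Field names are this example's own.
@dataclass
class SystemRecord:
    name: str
    min_length: int                  # enforced minimum password length
    mfa_enforced: bool               # MFA required at login, not merely offered
    lockout_threshold: Optional[int] # failed attempts before lockout; None = none
    internet_cloud_service: bool = False
    internet_admin_portal: bool = False


def throttled(rec: SystemRecord) -> bool:
    """CE throttling: account locks after no more than 10 failed attempts."""
    return rec.lockout_threshold is not None and 0 < rec.lockout_threshold <= 10


def evaluate(rec: SystemRecord) -> Tuple[Optional[int], List[str]]:
    """Return (option satisfied, findings). option is 1, 2, 3 or None (fail)."""
    findings: List[str] = []
    if rec.mfa_enforced and rec.min_length >= 8:
        option: Optional[int] = 1          # Option 1: MFA + 8 characters
    elif rec.min_length >= 12 and throttled(rec):
        option = 2                         # Option 2: 12 characters + throttling
    elif rec.min_length >= 8 and throttled(rec):
        option = 3                         # Option 3: 8 characters + throttling
    else:
        option = None
        if rec.min_length < 8:
            findings.append(f"minimum length {rec.min_length} is below the 8-character floor")
        if not rec.mfa_enforced and not throttled(rec):
            findings.append("no MFA and no lockout after at most 10 failed attempts")
    # The override: internet-facing cloud services and admin portals need MFA
    # whichever password option the rest of the estate uses.
    if (rec.internet_cloud_service or rec.internet_admin_portal) and not rec.mfa_enforced:
        findings.append("internet-facing cloud service or admin portal: MFA is mandatory regardless of option")
        option = None
    return option, findings


# Constructed sample inventory (example data only).
INVENTORY = [
    SystemRecord("Microsoft 365", 8, True, None, internet_cloud_service=True),
    SystemRecord("Legacy LOB app (no MFA support)", 12, False, 10),
    SystemRecord("Shared print server login", 8, False, 10),
    SystemRecord("Firewall admin portal (WAN reachable)", 14, False, 5, internet_admin_portal=True),
    SystemRecord("Accounting SaaS (MFA optional, users skip it)", 12, False, 10, internet_cloud_service=True),
    SystemRecord("Workstation local accounts (defaults)", 7, False, None),
]


def report(inventory=INVENTORY):
    """Map each system name to its (option, findings) result."""
    return {rec.name: evaluate(rec) for rec in inventory}


if __name__ == "__main__":
    for name, (option, findings) in report().items():
        status = f"Option {option}" if option else "FAIL"
        print(f"{status:9} {name}")
        for f in findings:
            print("          -", f)
```

Two rows show the override at work: the firewall portal and the accounting SaaS both meet Option 2 on password length and lockout alone, and both still fail because they are reachable from the internet without enforced MFA.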
What CE doesn't require
Complexity rules: CE doesn't require uppercase, numbers, or special characters. The NCSC dropped complexity because it produces predictable patterns. "P@ssw0rd!" satisfies every complexity rule ever written. And it's in every breach database going, so what's the point?
Regular password changes: CE doesn't require forced rotation. The NCSC position is pretty clear: forced changes lead to weaker passwords. People just increment a number or swap one character. Change passwords when you've got reason to think they're compromised, not on a schedule.
Password managers: CE doesn't require them. But honestly, using one makes the whole thing easier. A password manager generates and stores unique passwords for each service, so the 12-character minimum becomes trivial.
How the assessment checks passwords
During CE Plus testing, I verify password requirements through a combination of:
- Policy review: checking Active Directory, Azure AD, or Google Workspace policies to confirm minimum length and throttling settings match the declared option
- MFA verification: attempting to log in to cloud services and confirming MFA is prompted. If a service doesn't prompt for a second factor, it fails
- Throttling testing: verifying accounts lock after the specified number of failed attempts
- Admin account checks: confirming admin accounts use MFA regardless of which option is chosen for standard users
What I'm testing is what's actually enforced, not what's written down. I've lost count of how many times someone's shown me a policy document that says "12 characters minimum" while Active Directory happily accepts 6. That gap between paper and reality catches people out more than anything.
Common failures I see
MFA configured but not enforced: MFA is switched on as an option but users can skip it. So anyone who hasn't bothered setting it up just logs in with a password. The policy needs to enforce MFA, not suggest it. I see this almost weekly.
Throttling not configured on local accounts: Windows local accounts don't have throttling by default. If you're using Option 2 or 3, you need account lockout policies through Group Policy or equivalent. People forget this constantly, and I get it, it's not obvious.
Service accounts with no MFA: Shared accounts for integrations, automated processes, legacy apps. Often no MFA at all. If they can access cloud services, they need MFA, or you need to descope them with proper justification. Have you checked yours recently?
Admin portals without MFA: The firewall management interface, the hosting panel and the domain registrar are high-value targets, every one of them. But how many admin portals does your organisation actually have? Most businesses I assess can't answer that straight away.
Practical recommendations
Use Option 1 wherever possible: MFA is your strongest defence against credential attacks. Most cloud services support it natively. So unless you've got a genuine technical blocker, just use it.
Default to 12 characters for Option 2: When MFA genuinely isn't available, go with 12 characters and throttling. Three random words work better than a short password stuffed with symbols (as referenced in the operational perimeter benchmarking report).
Audit MFA coverage quarterly: New cloud services get added throughout the year. Every one needs MFA before your next assessment. It's the kind of thing that drifts if nobody's watching.
Test throttling: Actually try locking an account after 10 failed attempts. Don't assume the policy does what you think. Verify it.
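The paper-versus-reality gap, the missing lockout policy on local accounts and the "verify it" point above all come down to reading back what a machine actually enforces. The Python below is an added example, not tooling from this article: it parses text in the shape of `net accounts` output (both samples here are constructed, not captured from a real host) and compares the enforced minimum password length and lockout threshold with the option declared on the self-assessment. It covers Options 2 and 3 only, because whether MFA is enforced cannot be read from a local password policy.

```python
# Constructed sample in the shape of `net accounts` output from a Windows
# workstation that has never had a lockout policy applied (example data).
DEFAULT_WORKSTATION = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        WORKSTATION
"""

# Constructed sample after a Group Policy lockout policy has been applied.
HARDENED = """\
Minimum password length:                              12
Lockout threshold:                                    10
Lockout duration (minutes):                           15
Lockout observation window (minutes):                 15
Computer role:                                        WORKSTATION
"""

# Declared CE option -> minimum length that must actually be enforced.
REQUIRED_LENGTH = {2: 12, 3: 8}


def parse_net_accounts(text: str) -> dict:
    """Turn 'Label:   value' lines into a dict; numeric values become int."""
    settings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, _, value = line.partition(":")
        value = value.strip()
        settings[label.strip().lower()] = int(value) if value.isdigit() else value
    return settings


def check_local_policy(text: str, declared_option: int) -> list:
    """Compare enforced settings with the declared option.

    Returns a list of findings; an empty list means the machine enforces at
    least what the self-assessment claims for that option.
    """
    if declared_option not in REQUIRED_LENGTH:
        raise ValueError("only Options 2 and 3 can be checked from a local password policy")
    s = parse_net_accounts(text)
    findings = []
    need = REQUIRED_LENGTH[declared_option]
    length = s.get("minimum password length")
    if not isinstance(length, int) or length < need:
        findings.append(f"minimum password length is {length!r}; Option {declared_option} needs {need}")
    threshold = s.get("lockout threshold")   # 'Never' means no throttling at all
    if not isinstance(threshold, int) or not 0 < threshold <= 10:
        findings.append(f"lockout threshold is {threshold!r}; must lock after at most 10 failed attempts")
    return findings


if __name__ == "__main__":
    for name, sample in (("default workstation", DEFAULT_WORKSTATION), ("hardened", HARDENED)):
        findings = check_local_policy(sample, declared_option=2)
        print(f"{name}: {'consistent with Option 2' if not findings else 'MISMATCH'}")
        for f in findings:
            print("  -", f)
```

Run `net accounts` on a sample of in-scope Windows machines and feed the output in; any finding means the declared option is not what the machine enforces, which is exactly the gap the assessment looks for.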
For a full walkthrough of all five CE controls under Danzell, read the Danzell changes guide. To check where your controls stand now, the readiness quiz takes five minutes.