Most businesses still follow outdated advice that the NCSC says makes passwords weaker, not stronger. Find out where your policy stands โ and what to fix.
81%
of breaches involve weak or stolen passwords
โ3x
more likely to be reused when complexity is forced
Answer based on what you actually enforce โ not what's in a policy document no one reads.
๐ฌ๐งScored against NCSC guidance. Some answers that seem "strict" actually score lower โ the NCSC has updated its advice significantly since 2018.
What is your minimum password length?
The NCSC recommends at least 10 characters. Longer is better โ but complexity requirements on short passwords are counterproductive.
Do you require complexity rules?
Mandatory uppercase + numbers + symbols sounds secure but the NCSC says it encourages predictable patterns (Password1!) and discourages use of password managers. They no longer recommend mandatory complexity.
How often do you force password changes?
The NCSC explicitly recommends NOT forcing regular expiry. It leads to weak incremental changes (Password1 โ Password2) and fatigue. Change passwords only when a breach is suspected.
Do you block common or previously breached passwords?
Checking against known breached password lists (like Have I Been Pwned) is one of the most effective controls. "Password123" meets most complexity rules but is in every attacker's dictionary.
Controls & culture
Technical controls and user behaviour are just as important as the rules themselves.
Do you use Multi-Factor Authentication (MFA)?
MFA is the single most effective control against credential-based attacks. Even a stolen password becomes useless with MFA in place. The NCSC rates this as a top priority.
Do you allow or encourage password managers?
Password managers are how people actually achieve long, unique passwords per account. The NCSC explicitly encourages their use. Blocking them forces password reuse.
Do you have account lockout after failed login attempts?
Lockout after repeated failures prevents brute-force and credential-stuffing attacks. Without it, attackers can try millions of password combinations automatically.
Do staff receive password security guidance or training?
Even the best technical policy fails if staff don't understand why it exists. Phishing and social engineering bypass technical controls entirely โ human awareness is a key layer.