๐Ÿ” Free Tool ยท No Login Required

Is your password policy
working against you?

Most businesses still follow outdated advice that the NCSC says makes passwords weaker, not stronger. Find out where your policy stands โ€” and what to fix.

81%
of breaches involve weak or stolen passwords
โ†‘3x
more likely to be reused when complexity is forced
NCSC
says mandatory expiry makes policies LESS secure
1
Your Policy
2
Controls & Culture
Your password rules
Answer based on what you actually enforce โ€” not what's in a policy document no one reads.
๐Ÿ‡ฌ๐Ÿ‡ง Scored against NCSC guidance. Some answers that seem "strict" actually score lower โ€” the NCSC has updated its advice significantly since 2018.
What is your minimum password length?
The NCSC recommends at least 10 characters. Longer is better โ€” but complexity requirements on short passwords are counterproductive.
Do you require complexity rules?
Mandatory uppercase + numbers + symbols sounds secure but the NCSC says it encourages predictable patterns (Password1!) and discourages use of password managers. They no longer recommend mandatory complexity.
How often do you force password changes?
The NCSC explicitly recommends NOT forcing regular expiry. It leads to weak incremental changes (Password1 โ†’ Password2) and fatigue. Change passwords only when a breach is suspected.
Do you block common or previously breached passwords?
Checking against known breached password lists (like Have I Been Pwned) is one of the most effective controls. "Password123" meets most complexity rules but is in every attacker's dictionary.