Staff Password Policy (Cyber Essentials Aligned)

Last Reviewed: April 2026 | Owner: SIRO Dr Serena Haywood Cyber Essentials Compliance: Control 4.1 - Password-based Authentication

1. Password Requirements (Technical Controls)

CheckTick enforces password quality through the following technical controls, meeting Cyber Essentials standards:

1.1 Desktop/Laptop Devices (macOS/Windows/Linux)

All Default Passwords Changed: Upon initial device setup, all vendor-supplied default passwords are immediately replaced with unique passwords meeting the requirements below.

  • Standard User Accounts:
  • Minimum length: 12 characters (no maximum length restriction)
  • Must be unique (not used on any other system)
  • Protected by biometric authentication (Touch ID/Face ID/ Windows Hello) where available

  • Password required immediately after sleep/screen saver

  • Administrator Accounts:

  • Minimum length: 12 characters (no maximum length restriction)
  • Must be stored in approved password manager (Bitwarden)
  • Authentication via PAM module (pam_tid.so on macOS) using Touch ID/biometrics for sudo operations

  • Never used for day-to-day work activities

  • No Default or Guessable Passwords: Prohibited patterns include "password", "admin", "12345", organisation name, or predictable sequences

1.2 Mobile Devices (iOS/Android)

  • Screen Lock: Minimum 6-digit PIN or biometric authentication (Touch ID/Face ID/Fingerprint) required
  • All Default Passwords Changed: Factory default settings disabled on first boot
  • Remote Wipe Capability: Enabled via Apple/Google native management
  • App Passwords: All business apps (GitHub, email) protected by device biometric authentication

1.3 Cloud Services (GitHub, Northflank, Microsoft 365)

All cloud service accounts meet one of these Cyber Essentials- compliant configurations:

Administrative Accounts (Organisation Owners, Infrastructure Admin, Microsoft 365 Global Admin):

  • Minimum password length: 12 characters (exceeds CE requirement)
  • MFA mandatory (TOTP, Passkeys, or Biometric)
  • No maximum length restriction
  • Stored in Bitwarden password manager

Standard User Accounts:

  • Minimum password length: 8 characters with MFA, OR
  • Minimum password length: 12 characters with automatic common password blocking (100,000+ NCSC deny list)
  • No maximum length restriction

1.4 Technical Controls Summary (CE Requirement)

We implement all three Cyber Essentials technical control options:

  1. Multi-factor authentication โ€” Mandatory on all cloud administrative accounts (12+ char minimum, exceeds CE requirement)
  2. 12+ character minimum, no maximum โ€” Enforced on all devices and standard cloud accounts
  3. 8+ character minimum with deny list โ€” Enforced on standard user accounts with MFA and NCSC blocklist

2. Password Quality & Construction

  • Recommended Method: Use 'Three Random Words' method (e.g., Correct-Horse-Battery-Staple)
  • Non-Obvious: Do not use easily discoverable info (birthdays, pet names, 'CheckTick123')
  • Blocklists: Application layer blocks the most common 100,000 passwords using NCSC-recommended deny lists
  • No Maximum Length: Systems do not impose arbitrary maximum password lengths

3. Password Management & Storage

  • No Reuse: You must never reuse a password between systems. Your CheckTick infrastructure password must be unique.
  • Storage: Staff must use an approved Password Manager (Bitwarden). Writing passwords on paper or in unencrypted digital files is strictly prohibited.
  • Memorization: Staff must memorize their 'Master Password' for Bitwarden and their primary device login. These must never be recorded.

4. Authentication Methods & SSO

  • SSO Preference: Wherever possible, utilize OIDC/SSO (Microsoft 365 / Entra ID, GitHub) to reduce the number of managed passwords.
  • Multi-Factor Authentication (MFA): MFA is mandatory for all cloud services (GitHub, Northflank, Microsoft 365). Passkeys and Biometric (Touch ID) authentication are the preferred methods.
  • Microsoft 365 / Entra ID: Staff email and compliance mailboxes (checktick.uk) are authenticated via Microsoft 365 with MFA enforced at the tenant level. Entra ID serves as the organisational identity provider and is the same identity infrastructure underpinning NHSmail, enabling future OIDC integration with NHS Trust users.
  • Biometric Authentication (macOS): Touch ID configured via PAM module (pam_tid.so) to authorize administrative tasks (sudo operations), providing high-strength authentication without compromising efficiency.

5. Application-Level Password Controls

Our internet-facing services utilize Django-axes to prevent brute-force attacks by locking accounts after 5 failed attempts.

5.1 Common Password Deny List

Django's CommonPasswordValidator is configured with the NCSC 100,000 most-used passwords list (checktick_app/core/ncsc-passwords.txt), sourced from the SecLists NCSC collection. This replaces Django's built-in ~20,000-entry list and blocks all passwords appearing in the NCSC recommended deny list at the application layer.

6. Prohibition of Default Passwords (Cyber Essentials

Requirement)

  • Immediate Change: All default or vendor-supplied passwords must be changed immediately upon account creation.
  • Infrastructure: Passwords for infrastructure (Databases, API Keys) must be at least 20 characters and stored only in Bitwarden.

Policy Statement: All default or vendor-supplied passwords must be changed immediately upon device setup, account creation, or service provisioning.

Scope:

  • Network Equipment: Router admin passwords changed to 12+ character unique passwords (documented in Infrastructure Technical Change Log)
  • Desktop/Laptop Devices: macOS/Windows default passwords replaced on first boot
  • Mobile Devices: Factory default PINs/passwords changed during initial setup
  • Cloud Services: Default passwords on new accounts changed immediately (GitHub, Northflank, Microsoft 365, Namecheap)
  • Infrastructure: Database admin passwords (20+ characters minimum), API keys, all stored in Bitwarden
  • Microsoft Graph API: Application client secret stored as an encrypted Northflank environment variable, not in source code or version control. Rotated annually.
  • Social Media/Third-party Services: All accounts used for business protected by unique passwords + MFA

Verification:

  • Initial setup documented in Hardware Assets register
  • Regular review during bi-annual Infrastructure & Firewall audits (February & June)
  • Network device passwords verified during annual Cyber Essentials review

7. Regular Password Review & Maintenance

Cyber Essentials Requirement: Regular review to ensure no default or guessable passwords remain in use.

Review Schedule:

  • Monthly: Cloud service accounts reviewed for MFA compliance (Access Control Policy section 6.4)
  • Bi-annual: Device password compliance verified during infrastructure audits (February & June)
  • Annual: Full password policy compliance review during Cyber Essentials assessment; Microsoft Graph API client secret rotation
  • Ad-hoc: Immediate review following any security incident or staff departure

8. Response to Compromise (Rotation Process)

If a password is known or suspected to be compromised (e.g., through a phishing attempt, device loss, or service breach notification), the following "Prompt Rotation" process must be followed:

  1. Immediate Reset: The user must immediately change the password for the affected service using the Password Manager to generate a new, unique, 12+ character credential.
  2. Session Invalidation: After the reset, the user must use the service's "Sign out of all sessions" feature to force-evict any unauthorized active sessions.
  3. MFA Review: The user must verify that MFA settings (recovery codes, phone numbers, or authenticator devices) have not been altered.
  4. Device Scan: Any device used to access the compromised account must be checked for malware using native macOS security tools (XProtect/XProtect Remediator).
  5. Reporting: All suspected compromises must be reported to the CTO to be logged in the Technical Change Log for audit purposes.

8.1 Microsoft Graph API Secret Compromise

If the Microsoft Graph API client secret is known or suspected to be compromised:

  1. Immediate Rotation: Generate a new client secret in the Microsoft Entra app registration immediately.
  2. Update Northflank: Update the encrypted environment variable in Northflank with the new secret.
  3. Revoke Old Secret: Delete the compromised secret from the Entra app registration.
  4. Audit Send Logs: Review Microsoft 365 mail send audit logs for any unauthorised sending activity.
  5. Report: Log the incident in the Incident and Near-Miss Log and notify the SIRO.