Have you changed the default password for all user and administrator accounts on all your desktop computers, laptops, thin clients, servers, tablets and mobile phones?
What this question is really asking
Confirm that default passwords have been changed for all user and administrator accounts across all in-scope devices and services. This includes routers, printers, NAS devices, webcams, and any other networked equipment — default credentials are the first thing an attacker will try. Create a list of all devices where defaults could exist and verify each one.
What satisfies this requirement
Yes or No
Unique passwords not made up of common or predictable words.
What to prepare before your assessor visit
This question regularly trips up organisations that overlooked network-attached storage, printers, webcams, and other peripheral devices that were set up quickly and whose default credentials were never changed. Do a thorough walkthrough of your network — every device with a web interface or a login prompt needs its defaults changed. Printers and NAS units are the most commonly forgotten categories.
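One way to turn the walkthrough into a checkable list is sketched below. This is an added example, not part of the original guidance or of any Cyber Essentials tooling. The inventory columns (`has_login`, `default_changed`, `verified_on`) and the device names are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample inventory; column names are assumptions for this example.
INVENTORY_CSV = """name,category,has_login,default_changed,verified_on
office-router,router,yes,yes,2024-05-02
front-desk-printer,printer,yes,no,
backup-nas,nas,yes,yes,
lobby-webcam,webcam,yes,,
finance-laptop-01,laptop,yes,yes,2024-05-03
label-maker,peripheral,no,,
"""

# Categories the guidance calls out as most commonly forgotten.
MOST_FORGOTTEN = {"printer", "nas"}


def audit(csv_text):
    """Return (name, category, reason) for each device still needing action."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["has_login"].strip().lower() != "yes":
            continue  # no web interface or login prompt, so no default to change
        changed = row["default_changed"].strip().lower()
        verified = row["verified_on"].strip()
        if changed == "no":
            reason = "default credentials still in place"
        elif changed != "yes":
            reason = "status never recorded"
        elif not verified:
            reason = "change recorded but not verified"
        else:
            date.fromisoformat(verified)  # raises ValueError on a malformed date
            continue
        findings.append((row["name"], row["category"], reason))
    # Most commonly forgotten categories first, then alphabetical by name.
    findings.sort(key=lambda f: (f[1] not in MOST_FORGOTTEN, f[0]))
    return findings


if __name__ == "__main__":
    for name, category, reason in audit(INVENTORY_CSV):
        print(f"{name:20} {category:10} {reason}")
```

A device only drops off the list once the change has been both recorded and verified with a date, which mirrors the "verify each one" step above.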