Is your new firewall password configured to meet the 'Password-based authentication' requirements?
What this question is really asking
Describe how your firewall passwords are configured — specifically that they meet the standard's password requirements: not a default, not a common password, and of sufficient length. Options include a long random password stored in a password manager, or a passphrase. This replaced the narrower Montpellier question about new device password setup.
What satisfies this requirement
Select the option in use:
A. MFA + min 8 chars
B. Automatic blocking of common passwords + min 8 chars
C. Min 12 chars
D. None of the above
What to prepare before your assessor visit
A common pitfall: firewall management interfaces that were set up with a password that met the old standard's length requirement but no longer meets the current one. Audit all your firewall admin credentials against the current password requirements — not just the devices you recently configured, but every one in your inventory.
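One way to run the inventory-wide audit described above, as an added example that is not part of the original page. The CSV column names, the device names and the rule that an unchanged default password always maps to option D are assumptions made for illustration, and the sample inventory is constructed.

```python
import csv
import io

# Constructed sample inventory (not real devices). Column names are assumptions:
# min_length = minimum password length enforced for the admin account.
SAMPLE_INVENTORY = """device,account,min_length,mfa,blocks_common,default_changed
fw-edge-01,admin,8,yes,no,yes
fw-edge-02,admin,8,no,yes,yes
fw-branch-01,admin,14,no,no,yes
fw-branch-02,admin,10,no,no,yes
fw-lab-01,admin,16,no,no,no
"""

def _flag(value):
    """Interpret a yes/no style CSV cell as a boolean."""
    return value.strip().lower() in {"yes", "true", "1"}

def classify(row):
    """Return the option letter (A, B, C or D) that one inventory record supports."""
    length = int(row["min_length"])
    # Assumption: a default password fails regardless of length or MFA.
    if not _flag(row["default_changed"]):
        return "D"
    if _flag(row["mfa"]) and length >= 8:
        return "A"  # MFA + min 8 chars
    if _flag(row["blocks_common"]) and length >= 8:
        return "B"  # common-password blocking + min 8 chars
    if length >= 12:
        return "C"  # min 12 chars
    return "D"      # none of the above

def audit(inventory_csv):
    """Map each (device, account) pair to its option letter."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {(r["device"], r["account"]): classify(r) for r in reader}

def failures(results):
    """Devices whose admin credentials land on option D and need remediation."""
    return sorted(dev for (dev, _acct), opt in results.items() if opt == "D")

if __name__ == "__main__":
    results = audit(SAMPLE_INVENTORY)
    for (device, account), option in sorted(results.items()):
        print(f"{device:14} {account:8} option {option}")
    print("Needs remediation:", ", ".join(failures(results)))
```

A 10-character password with neither MFA nor common-password blocking falls into D here, which is the case the pitfall above describes.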