Willow A7.10

Where you have systems that require passwords (or where passwords are a backup for a passwordless system), how are they protected from brute-force attacks?

Section A7: User Access Control  ·  Cyber Essentials Willow

Danzell raised the minimum password length for technically-enforced systems to 12 characters, up from 8 in Montpellier and Willow.

What this question is really asking

Describe your password policy — minimum length, complexity requirements, and how the policy is technically enforced. Assessors will ask how the policy is implemented in systems such as Active Directory password policy, Azure AD, or MDM profiles — a written policy document alone is not sufficient evidence.

What satisfies this requirement

A written response is required

Brute-force protection must be in place by at least one of: MFA; throttling (no more than 10 guesses in 5 minutes); or account lockout after 10 failed attempts.


What to prepare before your assessor visit

The minimum password length increased in Danzell — if you set your Active Directory password policy to the Willow minimum and haven't reviewed it since, check it now. More importantly, be prepared to show the actual configured policy in your directory, not just describe it. Screenshots of your AD or Azure AD password policy settings are the expected form of evidence.
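One way to gather that evidence, as an added example that is not code from this page or from NCSC/IASME, is to read the effective default domain password policy and compare it with the thresholds quoted above (lockout after at most 10 failed attempts, or throttling to 10 guesses in 5 minutes, and the 8-character Willow or 12-character Danzell minimum). It assumes the RSAT ActiveDirectory module is installed and the session is domain-joined with read access to the domain; the function name and its parameters are this example's own.

```powershell
# Added example: compares the configured AD password/lockout policy with the
# Cyber Essentials A7.10 expectations. Assumes the ActiveDirectory RSAT module
# and a domain-joined session. Test-CePasswordPolicy and its parameters are
# names chosen for this example, not part of any vendor tooling.
Import-Module ActiveDirectory

function Test-CePasswordPolicy {
    param(
        [int]$MinLength = 8,            # Willow minimum; pass 12 to check against Danzell
        [int]$MaxLockoutThreshold = 10  # CE: lockout after at most 10 failed attempts
    )

    $policy   = Get-ADDefaultDomainPasswordPolicy
    $findings = @()

    if ($policy.MinPasswordLength -lt $MinLength) {
        $findings += "MinPasswordLength is $($policy.MinPasswordLength); CE expects at least $MinLength"
    }

    # LockoutThreshold 0 means accounts never lock out, so brute-force protection
    # has to come from MFA or throttling elsewhere and must be evidenced there.
    if ($policy.LockoutThreshold -eq 0) {
        $findings += "LockoutThreshold is 0 (no lockout); protection must come from MFA or throttling"
    }
    elseif ($policy.LockoutThreshold -gt $MaxLockoutThreshold) {
        $findings += "LockoutThreshold is $($policy.LockoutThreshold); CE expects lockout after at most $MaxLockoutThreshold attempts"
    }

    # Fine-grained password policies override the default for the groups they
    # apply to, so list them: an assessor will ask about any that are weaker.
    $fgpp = Get-ADFineGrainedPasswordPolicy -Filter * |
        Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo

    # One object that can sit alongside the GPO screenshot as evidence.
    [pscustomobject]@{
        MinPasswordLength        = $policy.MinPasswordLength
        ComplexityEnabled        = $policy.ComplexityEnabled
        LockoutThreshold         = $policy.LockoutThreshold
        LockoutObservationWindow = $policy.LockoutObservationWindow
        LockoutDuration          = $policy.LockoutDuration
        PasswordHistoryCount     = $policy.PasswordHistoryCount
        FineGrainedPolicies      = $fgpp
        Compliant                = ($findings.Count -eq 0)
        Findings                 = $findings
    }
}

# Example run: check against the Danzell 12-character minimum.
Test-CePasswordPolicy -MinLength 12 | Format-List
```

The `LockoutObservationWindow` value is what an assessor will read as the throttling window: a threshold of 10 with a 5-minute window corresponds to the "10 guesses in 5 minutes" figure. The output is a supplement to, not a replacement for, the screenshot of the configured policy that the question expects.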

How this question sits across CE versions

- Willow (this version): Where you have systems that require passwords (or where passwords are a backup for a passwordless system), how are they protected from brute-force attacks?
- Montpellier (earlier wording, since revised): Describe how you protect accounts from brute-force password guessing in your organisation.
- Danzell: Where you have systems that require passwords (or where passwords are a backup for a passwordless system), how are they protected from brute-force attacks?

Related policy templates

Getting certified means having documentation to back it up. These policy templates cover the controls this question tests.
