Cyber Security

World Password Day 2026: What Your Business Actually Needs to Do

Published 7 May 2026  •  Excel Communications IT & Cyber Security Team

Today is World Password Day, and if your reaction is “yes, I really should change that one”, you are not alone. But in 2026, that is no longer the whole conversation.

The threat landscape has shifted significantly. AI has industrialised credential attacks: phishing that defeats standard user training, voice cloning that passes help-desk identity checks, and automated credential stuffing at scale.[1]

The entry point for most breaches is not a sophisticated hack.

84% of UK cyber incidents affecting small and medium businesses involved missing MFA, weak passwords, or misconfigured cloud services.

NCSC Annual Review 2025 [2]

All three are fixable. As a business, the question is not whether you have a password policy. It is whether it actually holds up.

What the latest guidance tells us

The NCSC updated Cyber Essentials to v3.3 at the start of this year, and the changes reflect exactly where attackers are pushing hardest. The minimum password length has increased from 8 to 12 characters for all user accounts. Where MFA genuinely is not possible, that rises to 14. Password policies must now also actively block commonly breached passwords.[2]

Passwords such as “Password1!” and “CompanyName2025!” need to be on that blocklist. If your system currently accepts them, that is a fail under the new standard.

More significantly, MFA is now mandatory on every cloud service that stores, processes, or transmits organisational data, with no exceptions.[2]

That means Microsoft 365, your CRM, your cloud phone system, your billing platform. Every door that opens onto your data needs a second lock.

Home working infrastructure is now fully in scope too. Home routers must meet minimum security requirements, including changed default passwords and current firmware.[2] If your team works remotely and you have not yet considered this, today is a good day to start.

And if your staff use personal devices to access work email or Microsoft 365, those devices are now in scope under the updated BYOD rules, unless you can technically demonstrate they cannot hold organisational data.[3]

For most businesses, that means Mobile Device Management is no longer optional.

What to do about it

The practical steps are straightforward, even if implementing them properly takes some work. Enforce a 12-character minimum password policy across all accounts.[4]

Deploy MFA everywhere, not just on the obvious systems. Review your cloud service configurations, as the default settings on a new tenant rarely meet the standard out of the box. If your staff are working from home, have a conversation about the router and network sitting between their laptop and your data.
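An added example of the kind of check behind "deploy MFA everywhere" and "review your cloud configurations", for the Microsoft 365 case: a Python audit of an exported set of Entra ID Conditional Access policies. This is not code from this page, from Excel Communications or from Microsoft. It assumes the Microsoft Graph conditionalAccessPolicy JSON shape, a constructed export with invented names and GUIDs, and that MFA is enforced through Conditional Access rather than Security Defaults (a tenant on Security Defaults needs a different check). It shows three ways a tenant can look protected without being so: a policy scoped to admins only, a tenant-wide policy left in report-only mode, and an "MFA or compliant device" grant with operator OR.

```python
"""Audit an export of Entra ID Conditional Access policies for an enforced,
tenant-wide MFA requirement.

Added example: not code from the page, from Excel Communications or from
Microsoft. The dictionaries follow the Microsoft Graph conditionalAccessPolicy
JSON shape (GET /identity/conditionalAccess/policies); the export below is
constructed, with invented names and GUIDs.
"""


def requires_mfa(policy: dict) -> bool:
    """True only if every way of satisfying the grant involves MFA."""
    grant = policy.get("grantControls") or {}
    if grant.get("authenticationStrength"):
        return True  # every built-in authentication strength is an MFA level
    controls = grant.get("builtInControls") or []
    if "mfa" not in controls:
        return False
    # With operator OR, any other listed control (e.g. compliantDevice) can be
    # satisfied instead of MFA, so only a lone "mfa" or an AND counts.
    return grant.get("operator") == "AND" or controls == ["mfa"]


def covers_everyone(policy: dict) -> bool:
    """Policy targets all users and all cloud apps (exclusions checked later)."""
    cond = policy.get("conditions") or {}
    users = cond.get("users") or {}
    apps = cond.get("applications") or {}
    return ("All" in (users.get("includeUsers") or [])
            and "All" in (apps.get("includeApplications") or []))


def audit_mfa(policies: list) -> dict:
    """Return {'compliant', 'enforced_policies', 'findings'} for an export."""
    findings, enforced = [], []
    for p in policies:
        name = p.get("displayName", "<unnamed>")
        if not covers_everyone(p):
            continue  # admin-only or single-app policies do not satisfy "MFA everywhere"
        if not requires_mfa(p):
            if "mfa" in ((p.get("grantControls") or {}).get("builtInControls") or []):
                findings.append(f"'{name}' lists mfa with operator OR alongside other "
                                "controls, so a user can satisfy it without MFA")
            continue
        state = p.get("state")
        if state == "enabledForReportingButNotEnforced":
            findings.append(f"'{name}' would require MFA for everyone but is report-only")
        elif state == "enabled":
            enforced.append(p)
    if not enforced:
        findings.insert(0, "no enabled policy requires MFA for all users on all cloud apps")
    for p in enforced:  # exclusions on the enforced policy are the remaining gaps
        name = p["displayName"]
        users = p["conditions"]["users"]
        for key, label in (("excludeUsers", "user"), ("excludeGroups", "group"),
                           ("excludeRoles", "role")):
            for ident in users.get(key) or []:
                findings.append(f"'{name}' excludes {label} {ident}: confirm it is a "
                                "documented break-glass exception")
        for app in p["conditions"]["applications"].get("excludeApplications") or []:
            findings.append(f"'{name}' excludes application {app}: that service gets "
                            "no MFA from this policy")
    return {"compliant": bool(enforced),
            "enforced_policies": [p["displayName"] for p in enforced],
            "findings": findings}


def _policy(name, state, include_users, controls, operator="OR",
            include_roles=(), exclude_users=()):
    """Helper that builds a constructed policy in the Graph JSON shape."""
    return {
        "displayName": name,
        "state": state,
        "conditions": {
            "users": {"includeUsers": list(include_users), "includeRoles": list(include_roles),
                      "excludeUsers": list(exclude_users), "excludeGroups": [], "excludeRoles": []},
            "applications": {"includeApplications": ["All"], "excludeApplications": []},
        },
        "grantControls": {"operator": operator, "builtInControls": list(controls),
                          "authenticationStrength": None},
    }


# Constructed export: what a new tenant often looks like after a few
# well-meaning clicks. GUIDs are invented placeholders.
SAMPLE_EXPORT = [
    _policy("Require MFA for admins", "enabled", [], ["mfa"],
            include_roles=["00000000-0000-0000-0000-000000000001"]),
    _policy("Require MFA for all users", "enabledForReportingButNotEnforced", ["All"], ["mfa"]),
    _policy("MFA or compliant device", "enabled", ["All"], ["mfa", "compliantDevice"]),
]

# The corrected policy: enabled, everyone, every app, MFA only, one documented exclusion.
FIXED_POLICY = _policy("Require MFA for all users", "enabled", ["All"], ["mfa"],
                       exclude_users=["00000000-0000-0000-0000-00000000beef"])  # break-glass account

if __name__ == "__main__":
    for label, export in (("current tenant", SAMPLE_EXPORT), ("after fix", [FIXED_POLICY])):
        result = audit_mfa(export)
        print(f"{label}: compliant={result['compliant']} enforced={result['enforced_policies']}")
        for finding in result["findings"]:
            print("  -", finding)
```

Run against the constructed export it reports no enforced tenant-wide MFA, the report-only policy and the OR grant; against the corrected policy it reports compliant with one exclusion to document. A real export comes from the Graph endpoint above (for example via the Microsoft Graph PowerShell SDK's Get-MgIdentityConditionalAccessPolicy), and the same loop applies to any other cloud service whose policy export you can read as JSON.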

The NCSC’s own recommendation for passwords that do not have MFA behind them is worth repeating: use three random words, something like coffee-trampoline-window. At 24 characters it clears the 14-character bar that applies without MFA, it is memorable for users, and it is genuinely resistant to brute-force and dictionary guessing, provided the words are picked at random by a generator rather than chosen by the user.[4]
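An added example, not code from this page, from Excel Communications or from the NCSC, covering the password rules described above (12 characters with MFA, 14 without, commonly breached passwords blocked) and the three-random-words recommendation. The length rules and the blocklist requirement are as the article states them; the normalisation step, the tiny blocklist, the organisation names and the short wordlist are assumptions made for illustration. It shows why a blocklist has to normalise before matching (“Password1!” and “P@ssw0rd2024” both reduce to “password”), why “CompanyName2025!” fails even though it is long, and what actually sets the strength of a three-word passphrase.

```python
"""Password policy check in the shape the article describes for Cyber
Essentials v3.3, plus an NCSC-style three-random-words generator.

Added example: not code from the page, from Excel Communications or from
the NCSC. The length rules (12 characters with MFA, 14 without) and the
requirement to block commonly breached passwords come from the article; the
normalisation, the tiny blocklist, the organisation names and the wordlist
are assumptions made for illustration.
"""
import math
import re
import secrets

# Constructed stand-in for a managed breached-password blocklist. A real
# deployment loads a maintained feed of many thousands of entries.
BREACHED = {"password", "qwerty", "letmein", "welcome", "iloveyou", "admin"}

# Assumed organisation names: anything built on these is rejected as well.
ORG_NAMES = {"companyname", "excelcomms"}

# Common letter-for-symbol substitutions that attackers' rule sets undo first.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})


def normalise(password: str) -> str:
    """Reduce a password to the base word an attacker's rule set would try:
    lower-case it, drop a trailing run of digits/punctuation ("2025!"), then
    undo leet substitutions ("P@ssw0rd" -> "password")."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET)


def check_password(password: str, mfa_enabled: bool) -> list[str]:
    """Return the policy failures for `password`; an empty list means accepted."""
    failures = []
    minimum = 12 if mfa_enabled else 14
    if len(password) < minimum:
        failures.append(f"shorter than {minimum} characters")
    base = normalise(password)
    if base in BREACHED:
        failures.append("matches a commonly breached password")
    if any(name in base for name in ORG_NAMES):
        failures.append("contains the organisation's name")
    return failures


# Constructed short wordlist for the demo. In practice use a large published
# list (thousands of words); the size of the list is what sets the strength.
WORDS = ("coffee", "trampoline", "window", "harbour", "pencil", "glacier",
         "lantern", "meadow", "circuit", "saddle", "violet", "thunder",
         "basket", "comet", "pillow", "walrus")


def three_random_words(words=WORDS, separator: str = "-") -> str:
    """Three words drawn with the CSPRNG in `secrets`, not by the user,
    which is what makes the NCSC scheme resist guessing."""
    return separator.join(secrets.choice(words) for _ in range(3))


def passphrase_bits(wordlist_size: int, words: int = 3) -> float:
    """Guess-space of a randomly drawn passphrase, in bits: log2(N ** words)."""
    return words * math.log2(wordlist_size)


if __name__ == "__main__":
    for candidate, mfa in (("Password1!", True), ("CompanyName2025!", True),
                           ("P@ssw0rd2024", True), ("coffee-trampoline-window", False)):
        verdict = check_password(candidate, mfa)
        print(f"{candidate!r:28} mfa={mfa!s:5} -> {'OK' if not verdict else '; '.join(verdict)}")
    print("suggested:", three_random_words())
    print(f"demo list of {len(WORDS)} words: {passphrase_bits(len(WORDS)):.1f} bits; "
          f"7776-word list: {passphrase_bits(7776):.1f} bits")
```

Two points the numbers make: the blocklist only works if it is applied to the normalised form, otherwise every “Password1!” variant slips past a list that contains “password”; and a three-word passphrase from the 16-word demo list is only about 12 bits, whereas the same scheme over a 7776-word list is close to 39 bits, which is why the wordlist, not the separator or capitalisation, is what to get right.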

Cyber Essentials v3.3 Checklist

  • Minimum 12-character passwords for all accounts (14 where MFA is not available)
  • Block commonly breached passwords via a managed blocklist
  • MFA mandatory on every cloud service handling organisational data
  • Home routers in scope: default passwords changed, firmware current
  • BYOD devices in scope if they can access work email or Microsoft 365
  • Cloud service configurations reviewed and hardened beyond defaults

If you are working towards Cyber Essentials certification, whether for a contract requirement, a client expectation, or simply to understand where you stand, one further benefit is worth knowing. UK organisations with a turnover under £20m that certify their whole organisation receive 12 months of cyber insurance at no additional cost, covering incident response, data breach costs, and business interruption.[5]

How we can help

At Excel Communications, our Cyber Essentials service and EnCare IT support packages are built around exactly this kind of practical, ongoing protection rather than a one-off box-tick. We work with businesses across a range of sectors to understand their current setup, identify gaps against the current standard, and put the right controls in place.

If you are unsure whether your business meets the v3.3 requirements, or you would simply like a straightforward conversation about where the risks are, we are here.

Ready to get your business certified?

Speak to our Cyber Essentials team today and we will walk you through the process from start to finish.

References

  1. Hollingworth, D. (2026). The industry speaks: World Password Day 2026. Cyber Daily.
    cyberdaily.au
  2. Nerdster. (2026). Cyber Essentials 2026: v3.3 Changes You Need to Know.
    nerdster.co.uk
  3. Connection Technologies. (2026). Cyber Essentials Requirements UK 2026: IASME v3.2 Guide.
    connection-technologies.co.uk
  4. CloudSwitched. (2026). Cyber Essentials Requirements Checklist for 2026.
    cloudswitched.com
  5. Shonsys. (2026). Cyber Essentials Certification: A Complete 2026 Guide.
    shonsys.com
