
Cyber Essentials and password managers (1Password, Bitwarden, Dashlane)

How password managers satisfy Cyber Essentials v3.3 - minimum length, MFA, breach checking, shared vaults, and the specific settings you need in 1Password / Bitwarden / Dashlane for compliance.

Author: Jay Hopkins

Editor: Jack Wickham

Read time: 6 min read



A password manager is effectively required by Cyber Essentials v3.3 - humans cannot remember unique 12-character passwords for dozens of services. 1Password, Bitwarden, Dashlane, and Keeper all satisfy the scheme's technical requirements if configured correctly. The configuration work is consistent across tools: enforce minimum length, require MFA to unlock the vault, turn on breached-password detection, separate personal and shared vaults, and integrate with your IdP for access control. Assessors will ask how staff store the 12-character passwords the scheme requires - "memorised" is not a credible answer.

1. Why a password manager matters for Cyber Essentials v3.3

The scheme requires:

  1. Minimum 12-character passwords on corporate accounts (or 8 with MFA, or 8 with throttling/lockout)
  2. Protection against common password lists - one of three options to meet password-based authentication security
  3. User access control - unique, named passwords per account, no sharing

Meeting (1) and (3) at scale without a password manager is not realistic. A password manager also gives you evidence - admin reports showing password strength, breach exposure, and 2FA adoption per user.

2. 1Password Business / Teams configuration

Security Policies (Admin Console):

  • Master Password / Account Passphrase: require 12 characters minimum (1Password defaults to a secret-key + passphrase model, which is stronger than a password alone)
  • 2FA required on every user account - enforce via a security policy
  • Watchtower enabled on the admin dashboard - surfaces breached, weak, and reused passwords per user
  • Travel Mode available for users crossing borders
  • Recovery: Account recovery group composed of 2+ authorised admins

User management:

  • SCIM provisioning from Okta, Entra ID, Google Workspace, or similar
  • Users land in the right groups automatically; leavers lose access automatically
  • Private vault per user for their business credentials
  • Shared vaults scoped by team for passwords that legitimately need to be shared (there should be very few)

Evidence: Watchtower report, 2FA enrolment report, SCIM provisioning evidence.

3. Bitwarden (cloud or self-hosted)

Enterprise policies:

  • Master password: minimum length 12, complexity on, required character types (alphanumeric plus special)
  • Two-step login: required for all users; allow WebAuthn (FIDO2 keys), Authenticator apps, and Duo as factors; disable SMS/email if possible
  • Password Health Reports - run weekly, track weak/reused/exposed passwords
  • Single Sign-On (SSO) via SAML/OIDC - ties vault access to IdP MFA and leaver workflows
  • Encrypted exports disabled for regular users; limit to admins
  • Self-hosted deployments should run the official Bitwarden container set behind HTTPS, with backups and host patching within the 14-day window

Organisations: use collections for shared credentials; avoid one giant "Everyone" collection.

4. Dashlane Business

  • Minimum master password length 12
  • 2FA required for every account, TOTP or U2F
  • Dashlane Password Health score ≥ 80 per user before assessment
  • Admin Console SCIM / SSO integration with Okta / Entra ID / Google
  • Dark Web Monitoring on - surfaces breached personal emails associated with the account
  • Secure Notes and Shared Collections for the small set of genuinely shared credentials

5. Shared credentials - use sparingly

Cyber Essentials emphasises user access control, which is at odds with shared logins. Most shared credentials can be eliminated:

  • SaaS tools with per-seat licences - provision individual accounts
  • Service accounts - move to SSO + API keys tied to named users
  • Legacy systems without per-user login - document business need, rotate when staff leave, confine to a small shared vault with restricted group membership

If you find 50+ shared credentials, that's an access-control finding even if everything else passes.

6. Breach monitoring

All four tools (1Password, Bitwarden, Dashlane, Keeper) integrate with Have I Been Pwned or equivalents to detect credentials in known breaches. For Cyber Essentials this is one of three acceptable ways to "defend against common password lists" under v3.3.
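The lookup these integrations perform is a k-anonymity range query: only the first five hex characters of the password's SHA-1 hash are sent, and the client compares the remaining 35 characters against the returned suffix list. The script below is an added illustration of that mechanism (it is not 1Password, Bitwarden, Dashlane or Keeper code). The range endpoint and Add-Padding header are HIBP's documented API; the range response is a constructed sample, with an illustrative count rather than live data, so the matching logic runs offline.

```python
"""Breached-password check against Have I Been Pwned's Pwned Passwords range API.

Added example for this guide; not vendor code.  Only the first five hex characters
of the SHA-1 hash leave the client (k-anonymity); matching is done locally against
the returned suffix list.  fetch_range() is the only function that touches the
network, so the logic can be exercised offline against a constructed response.
"""
import hashlib
import urllib.request
from typing import Dict, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed range body in the API's "SUFFIX:COUNT" format.  The first line is the
# real SHA-1 suffix of the string "password"; the count is illustrative, not live data.
SAMPLE_RANGE_BODY = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
    "0018A45C4D1DEF81644B54AB7F969B88D65:1\n"
)


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """SHA-1 the password (upper-case hex) and split it into the 5-char prefix
    that is sent to the API and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict.  Padding entries (count 0) are
    kept; they simply never report a breach."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in the breach corpus represented by
    range_body; 0 means not seen."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup.  Add-Padding asks HIBP to pad the response so its size does
    not reveal which prefix was queried."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def is_breached_live(password: str) -> bool:
    """Network version: send the prefix, match the suffix locally."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix)) > 0


if __name__ == "__main__":
    print(breach_count("password", SAMPLE_RANGE_BODY))  # 3861493 against the constructed body
```

The point for an assessor conversation is the data flow: the vault contents never leave the client, and the five-character prefix matches hundreds of hashes, which is why this satisfies the "common password lists" option without exposing credentials to a third party.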

7. Recovery and backup

  • 1Password: secret key is essential; user cannot recover without it. Recovery is via the admin recovery group.
  • Bitwarden: the admin password reset policy lets admins recover user vaults (public-key cryptography is used to re-encrypt the user's vault key under a new master password)
  • Dashlane: account recovery key generated at setup

Document your recovery path. Assessors occasionally ask what happens if a user forgets their master password.

8. Evidence assessors expect

  • Tenant admin console URL and admin list
  • 2FA enrolment report showing ≥95% coverage
  • Breach / weak-password report showing remediation cadence
  • SCIM / SSO integration screenshot
  • List of shared vaults and their membership
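The evidence above, the "50+ shared credentials" threshold from section 5 and the "Everyone" collection warning from section 3 can all be checked from one admin export. The script below is an added example, not any vendor's tooling or the Fig readiness scan; the CSV columns are an assumed, simplified schema (real Watchtower, Password Health and Bitwarden organisation exports differ), and the rows are constructed sample data.

```python
"""Audit a password-manager admin export against the thresholds in this guide:
2FA coverage >= 95%, shared credentials well under 50, no 'Everyone'-style
collection, and no weak / reused / exposed items per user.

Added example; the column names are an assumption, not a vendor export format.
"""
import csv
import io
from collections import Counter, defaultdict
from typing import Dict, List

# Constructed sample export: one row per vault item, with the owning user's 2FA state.
SAMPLE_EXPORT = """\
user,two_factor,vault,item,strength,reused,exposed
alice@example.com,yes,Private,HR portal,strong,no,no
alice@example.com,yes,Shared-Finance,Bank sandbox,strong,no,no
bob@example.com,no,Private,CRM,weak,yes,no
bob@example.com,no,Private,Wiki,fair,yes,yes
carol@example.com,yes,Shared-Finance,Payroll,strong,no,no
dave@example.com,yes,Shared-Everyone,Legacy ERP,weak,no,yes
"""

TWO_FACTOR_TARGET = 0.95      # section 8: >=95% enrolment
SHARED_CREDENTIAL_LIMIT = 50  # section 5: 50+ shared credentials is a finding


def load_export(text: str) -> List[dict]:
    return list(csv.DictReader(io.StringIO(text)))


def two_factor_coverage(rows: List[dict]) -> float:
    """Fraction of distinct users with 2FA on (counted per user, not per item)."""
    by_user = {r["user"]: r["two_factor"].strip().lower() == "yes" for r in rows}
    return sum(by_user.values()) / len(by_user)


def problem_items_per_user(rows: List[dict]) -> Dict[str, Counter]:
    """Count weak / reused / exposed items for each user."""
    out: Dict[str, Counter] = defaultdict(Counter)
    for r in rows:
        c = out[r["user"]]
        if r["strength"] == "weak":
            c["weak"] += 1
        if r["reused"] == "yes":
            c["reused"] += 1
        if r["exposed"] == "yes":
            c["exposed"] += 1
    return dict(out)


def shared_credentials(rows: List[dict]) -> List[dict]:
    """Anything not in a user's private vault counts as a shared credential."""
    return [r for r in rows if r["vault"] != "Private"]


def findings(rows: List[dict]) -> List[str]:
    """Human-readable list of gaps against the guide's thresholds."""
    out: List[str] = []
    cov = two_factor_coverage(rows)
    if cov < TWO_FACTOR_TARGET:
        out.append(f"2FA coverage {cov:.0%} below {TWO_FACTOR_TARGET:.0%} target")
    shared = shared_credentials(rows)
    if len(shared) >= SHARED_CREDENTIAL_LIMIT:
        out.append(f"{len(shared)} shared credentials (access-control finding)")
    if any(r["vault"] == "Shared-Everyone" for r in shared):
        out.append("credentials held in an 'Everyone'-style shared collection")
    for user, c in problem_items_per_user(rows).items():
        if c:
            out.append(f"{user}: " + ", ".join(f"{n} {k}" for k, n in sorted(c.items())))
    return out


if __name__ == "__main__":
    for line in findings(load_export(SAMPLE_EXPORT)):
        print(line)
```

Coverage is computed per user rather than per row so a user with many vault items does not skew the percentage; the shared-credential check deliberately treats every non-private vault as shared, which is the conservative reading an assessor will take.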

9. Common failure points

1. Personal 1Password / Bitwarden accounts used for work credentials instead of a Business/Enterprise account. Migrate to a managed tenant.

2. 2FA not enforced - usually a small tail of holdout users. Enforce at policy level with a cutover date.

3. Old shared vault from 2019 containing every credential ever used. Audit and reduce.

4. Weak master passwords surfaced by Watchtower / Password Health. Cycle the affected users.

What Fig checks

Our CE readiness scan asks for a sample export from your password manager admin console (Watchtower, Password Health, or Bitwarden Organisation report) and flags coverage and 2FA gaps against v3.3. Organisations with a rolled-out business password manager pass first-time at >97%.


About the author

Jay Hopkins, Managing Director, Fig Group. IASME-licensed Cyber Essentials Assessor and IASME Cyber Assurance Assessor.

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
