Long, unique, and managed credentials for admin accounts
Ensure admin account credentials are strong, unique, and well-managed.
Plain language
This control is all about making sure that the passwords or keys admin accounts use are really hard to guess or crack. If these passwords are weak or reused across systems, someone trying to break in could take over your entire network. Think of it like having a super strong lock on the most important door to your house.
Framework
ASD Essential Eight
Control effect
Proactive
E8 mitigation strategy
Restrict administrative privileges
Classifications
N/A
Official last update
N/A
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2
Official control statement
Credentials for break glass accounts, local administrator accounts and service accounts are long, unique, unpredictable and managed.
Why it matters
Weak or shared admin credentials let attackers brute-force or reuse passwords to gain privileged access, move laterally, and rapidly compromise critical systems.
Operational notes
Audit break glass, local admin and service account credentials for length, uniqueness and rotation; store in an approved password vault and disable shared/reused passwords.
Implementation tips
- The IT team should generate strong passwords for admin accounts. Use a password manager to create and store passwords that are at least 15 characters long and include a mix of letters, numbers, and symbols.
- The system administrator should regularly update admin account credentials. Set a schedule to change passwords every six months to ensure they stay secure and up-to-date.
- The security officer should ensure credentials are unique and not reused across multiple accounts. Use a unique password for each admin account to reduce the risk of a breach affecting multiple areas.
- The IT team should manage service account credentials through automated tools. Implement tools like a password vault to securely manage and rotate service account passwords automatically.
- The IT department should monitor 'break glass' account access. Set up alerts and logging to track the use of these emergency accounts to ensure they are used appropriately.
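A constructed audit of a credential inventory, added here as an example and not part of Control Stack or the ASD material, that checks the three properties the operational notes and tips call for: a minimum length of 15 characters, no secret shared between accounts, and rotation within six months (180 days). The account names, secrets and dates are made up; a real audit would read length and last-rotated metadata from the vault's export rather than handle plaintext secrets.

```python
import hashlib
from datetime import date

MIN_LENGTH = 15     # minimum length from the implementation tips
MAX_AGE_DAYS = 180  # six-month rotation schedule from the tips

# Constructed sample inventory. A real audit should read length and
# last-rotated metadata from the vault's export, not plaintext secrets.
SAMPLE_ACCOUNTS = [
    {"name": "breakglass-01", "secret": "Tq9!vLr2#zWp8mQe", "rotated": date(2026, 1, 10)},
    {"name": "host-a\\Administrator", "secret": "Summer2025!", "rotated": date(2025, 3, 1)},
    {"name": "host-b\\Administrator", "secret": "Summer2025!", "rotated": date(2026, 2, 1)},
    {"name": "svc-backup", "secret": "Kp3@xN7$bR1!uY4mLc0", "rotated": date(2025, 6, 15)},
]


def fingerprint(secret: str) -> str:
    """Hash the secret so reuse is detectable without plaintext in the findings."""
    return hashlib.sha256(secret.encode()).hexdigest()[:16]


def audit(accounts, today: date) -> dict[str, list[str]]:
    """Return findings per account name; accounts with no findings are omitted."""
    findings = {a["name"]: [] for a in accounts}
    seen = {}  # fingerprint -> first account found using that secret
    for a in accounts:
        name, secret = a["name"], a["secret"]
        if len(secret) < MIN_LENGTH:
            findings[name].append(f"length {len(secret)} < {MIN_LENGTH}")
        age = (today - a["rotated"]).days
        if age > MAX_AGE_DAYS:
            findings[name].append(f"last rotated {age} days ago > {MAX_AGE_DAYS}")
        fp = fingerprint(secret)
        if fp in seen:  # same secret on two accounts: flag both sides
            findings[name].append(f"reused with {seen[fp]}")
            findings[seen[fp]].append(f"reused with {name}")
        else:
            seen[fp] = name
    return {n: f for n, f in findings.items() if f}


def run_sample() -> dict[str, list[str]]:
    """Audit the constructed inventory as of the page's last-updated date."""
    return audit(SAMPLE_ACCOUNTS, date(2026, 3, 19))


if __name__ == "__main__":
    for account, issues in run_sample().items():
        print(account, "->", "; ".join(issues))
```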
Audit / evidence tips
- Ask: How does the organisation ensure that admin passwords are long and unique?
- Good: Password policy documents establish minimum length and complexity for admin passwords, and a password manager is used to ensure uniqueness.
- Ask: How often are admin passwords updated?
- Good: Password change records show updates every six months as required by policy.
Cross-framework mappings
How E8-RA-ML2.5 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 5.17 | Partially overlaps | Annex A 5.17 requires a controlled process for allocating and managing authentication information, including how credentials are handled ... |
ASD ISM
| Control | Relationship | Notes |
|---|---|---|
| ISM-1590 | Partially overlaps | ISM-1590 requires organisations to change user account credentials when compromise is confirmed or suspected, when credentials are expose... |
| ISM-1612 | Partially overlaps | ISM-1612 requires that break glass accounts are only used for specific authorised activities (i.e., emergency-only use with explicit auth... |
| ISM-1614 | Partially overlaps | ISM-1614 requires break glass account credentials to be changed by the account custodian after emergency access by any other party |
| ISM-1795 | Partially overlaps | E8-RA-ML2.5 requires credentials for break glass, local administrator, and service accounts to be long, unique, unpredictable, and managed |
| ISM-1842 | Partially overlaps | ISM-1842 requires dedicated privileged service accounts to add machines to the domain, reducing exposure from using standard or personal ... |
| ISM-1847 | Partially overlaps | ISM-1847 requires organisations to change the KRBTGT service account credentials twice (with replication between changes) when compromise... |
| ISM-1949 | Partially overlaps | ISM-1949 requires AD FS administration to occur via a dedicated account that is not used to administer other systems |
| ISM-1227 | Supports | ISM-1227 requires credentials set for user accounts to be randomly generated to improve password unpredictability |
| ISM-1615 | Supports | E8-RA-ML2.5 requires break glass, local administrator and service account credentials to be long, unique, unpredictable and managed |
| ISM-1619 | Supports | ISM-1619 requires service accounts to be created as gMSAs so their credentials are system-managed rather than manually set and reused |
| ISM-2081 | Supports | ISM-2081 requires that all ASCII printable characters are supported for passwords, enabling stronger and more flexible password construction |
| ISM-1685 | Related | E8-RA-ML2.5 requires credentials for break glass accounts, local administrator accounts and service accounts to be long, unique, unpredic... |
| ISM-1953 | Related | E8-RA-ML2.5 requires credentials for break glass accounts, local administrator accounts and service accounts to be long, unique, unpredic... |
| ISM-1954 | Related | ISM-1954 requires credentials for built-in Administrator, break glass, local administrator and service accounts to be randomly generated |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.