Require Minimum 15-Character Passwords for Security
Passwords for sensitive systems must have at least 15 characters to enhance security.
Plain language
This control requires that every password used as the only authentication factor on a sensitive system is at least 15 characters long. Length matters because each extra character multiplies the number of guesses an attacker must make, whether they are guessing online against the logon prompt or cracking a stolen password hash offline, so a long passphrase makes unauthorised access to your important systems far harder to obtain.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Passwords used for single-factor authentication on non-classified, OFFICIAL: Sensitive and PROTECTED systems are a minimum of 15 characters.
Why it matters
Passwords under 15 characters are within reach of brute-force, dictionary and password-spraying attacks, and of offline cracking when a password hash is captured. That raises the likelihood of unauthorised access and compromise of OFFICIAL: Sensitive or PROTECTED data. The control applies where a password is the sole factor; where multi-factor authentication is in place, the password is not the only barrier.
Operational notes
Set systems to enforce a minimum 15-character password for single-factor logons, brief staff on creating long memorable passphrases, and promote password managers to reduce reuse and weak choices.
Implementation tips
- System owners should review and update password policies to enforce a minimum length of 15 characters, adjusting the settings in their directory, operating system or application authentication configuration. Check every place a password is set, not only the central directory policy: local operating system accounts, application-level password rules and any password-quality rules that allow character-class credits to substitute for length can all leave an effective minimum below 15.
- IT teams should educate staff about the importance of strong passwords. They can conduct short workshops or send out instructional emails explaining how to create a memorable yet secure 15-character password using phrases or a combination of unrelated words.
- Managers should ensure that any software or applications used by the organisation are configured to support and enforce 15-character passwords. This involves checking application settings and making necessary adjustments or coordinating with software vendors for support.
- HR and administrative staff should include password length policies in onboarding materials for new hires. This can be done by adding these guidelines to employee handbooks and ensuring new employees receive a briefing during their initial training.
- Procurement teams should liaise with IT when purchasing new systems to ensure they are capable of enforcing the 15-character password policy. This means verifying that vendors can meet this requirement before finalising any purchase agreements.
Audit / evidence tips
- Ask for the organisation's password policy document and check whether it specifies a minimum password length of 15 characters for sensitive systems. A good outcome shows a clear statement of this requirement and the systems it applies to.
- Inspect the authentication system's configuration. A good outcome shows the system settings clearly enforcing the rule, with examples of recent changes.
- Interview staff. A good outcome is staff consistently stating awareness of the rule and following it using secure practices.
- Review training materials. A good sign is training materials directly addressing this requirement with practical examples.
- Review authentication and password-change logs. A good log will show enforcement actions preventing short passwords.
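The implementation tips above say to configure the authentication system to enforce the minimum, and the audit tips say to inspect the resulting settings. The following is an added example, not code from the Control Stack page or the ASD ISM, showing how an auditor might check one common enforcement point, a Linux pam_pwquality configuration, rather than trusting the number next to `minlen`. It assumes the `/etc/security/pwquality.conf` format (`key = value` lines, `#` comments), libpwquality's documented default of `minlen = 8` when the key is absent, and the pam_cracklib/libpwquality credit scheme in which a positive `dcredit`, `ucredit`, `lcredit` or `ocredit` lets characters of that class count extra towards `minlen`, so the real minimum length can be below the configured value. It also shows the length check itself counting characters rather than bytes. The sample configurations and passwords are constructed.

```python
"""
Added example (not from the Control Stack page or the ASD ISM): audit a
pam_pwquality configuration for the ISM-0421 15-character minimum and count
candidate password length the way an auditor should.

Assumptions: /etc/security/pwquality.conf format; libpwquality default of
minlen = 8 when unset; positive credits count toward minlen and so can
stand in for real characters. Sample configurations below are constructed.
"""
import unicodedata

ISM_0421_MIN_LENGTH = 15
PWQUALITY_DEFAULT_MINLEN = 8   # libpwquality default when minlen is absent
CREDIT_KEYS = ("dcredit", "ucredit", "lcredit", "ocredit")


def parse_pwquality_conf(text: str) -> dict:
    """Parse 'key = value' lines. Comments and blank lines are skipped and a
    repeated key keeps its last value, matching libpwquality behaviour."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def effective_min_length(settings: dict) -> int:
    """Smallest password length that could satisfy this configuration.
    A positive credit lets one character of that class count twice toward
    minlen; a negative credit is a minimum-count requirement and does not
    shorten the password."""
    minlen = int(settings.get("minlen", PWQUALITY_DEFAULT_MINLEN))
    credits = sum(max(int(settings.get(k, 0)), 0) for k in CREDIT_KEYS)
    return minlen - credits


def audit_pwquality(text: str) -> dict:
    """Return a finding suitable for the evidence notes: the configured
    minlen, the effective minimum once credits are accounted for, and
    whether that meets ISM-0421."""
    settings = parse_pwquality_conf(text)
    effective = effective_min_length(settings)
    return {
        "minlen": int(settings.get("minlen", PWQUALITY_DEFAULT_MINLEN)),
        "effective_min_length": effective,
        "compliant": effective >= ISM_0421_MIN_LENGTH,
    }


def password_meets_length(password: str) -> bool:
    """Count characters, not bytes. Normalise to NFC first so a base letter
    plus a combining accent is one character; counting UTF-8 bytes or raw
    code points would overstate the length of a short non-ASCII password."""
    return len(unicodedata.normalize("NFC", password)) >= ISM_0421_MIN_LENGTH


# Constructed samples: a weak policy and its corrected form.
WEAK_CONF = """
# minlen is below ISM-0421, and the credits weaken it further
minlen = 12
dcredit = 1
ucredit = 1
"""

HARDENED_CONF = """
minlen = 15
dcredit = 0
ucredit = 0
lcredit = 0
ocredit = 0
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_pwquality(conf))
    for pw in ("correct horse battery staple", "Tr0ub4dor&3"):
        print(repr(pw), password_meets_length(pw))
```

The weak configuration reports an effective minimum of 10 even though `minlen` reads 12, which is the kind of gap that a policy document alone will not reveal; the hardened form disables credits so the configured 15 is the real floor. The same two checks, configured value versus effective value and characters versus bytes, apply to directory and application password policies on other platforms.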
Cross-framework mappings
How ISM-0421 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001 (partially meets, 2 controls)

| Control | Notes |
|---|---|
| Annex A 5.17 | ISM-0421 requires that passwords used for single-factor authentication on specified Australian Government system classifications are at l... |
| Annex A 8.5 | ISM-0421 mandates a minimum 15-character password length for single-factor authentication on non-classified, OFFICIAL: Sensitive and PROT... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.