Ensuring Strong Passwords for TOP SECRET Systems
Passwords on TOP SECRET systems should be at least 20 characters to ensure strong security.
Plain language
This control means that passwords for systems holding highly sensitive information need to be at least 20 characters long. It is important because a weak password could let an unauthorised person into your system, potentially leading to stolen information, financial losses, or harm to your reputation if sensitive data leaks.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Passwords used for single-factor authentication on TOP SECRET systems are a minimum of 20 characters.
Why it matters
Weak single-factor passwords on TOP SECRET systems increase the likelihood of credential guessing and unauthorised access, risking compromise of highly classified information and national security.
Operational notes
Enforce a minimum 20-character password policy for TOP SECRET single-factor accounts; regularly audit compliance, prevent reuse, and alert on repeated failed logons indicating password guessing.
Implementation tips
- IT team should create a password policy: Draft a company-wide policy that mandates all passwords on top-secret systems are at least 20 characters. Include guidance on creating these passwords, such as using a mix of letters, numbers, and symbols.
- System owner should implement password checks: Ensure the systems require passwords to be a minimum of 20 characters by adjusting settings in your system's configuration. This could involve working with IT to enable this security measure.
- Managers should train employees: Organise training sessions to teach staff how to create strong, memorable passwords. This training should include examples and tools, like password managers, to help employees comply with the policy.
- Board or executive team should ensure oversight: Regularly review password policies and conduct risk assessments to ensure compliance. This involves checking if systems and staff adhere to the prescribed 20-character rule.
- HR or compliance officer should monitor adherence: Implement a procedure to check password compliance regularly. This might include random audits or automated monitoring to ensure all parts of the organisation abide by the 20-character requirement.
Audit / evidence tips
- Ask for the password policy document: Request the official document that outlines the password requirements for top-secret systems.
- Ask for a demonstration of how systems enforce the 20-character password minimum. Check the settings against the policy requirements. Good evidence should show a configuration that cannot accept passwords shorter than 20 characters.
- Good evidence is a description of monitoring tools or checks in place to enforce the policy.
- Ask for monitoring and audit logs: Request evidence of ongoing compliance checks.
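As an added example (not part of the Control Stack page or the ISM itself), two small audit helpers in Python that cover the operational notes and the audit tips above: one verifies that a pwquality.conf-style configuration sets `minlen` to at least 20, the other flags user/source pairs with repeated failed logons in a syslog-style OpenSSH log. The config fragment and log lines are constructed, and the "5 failures in 10 minutes" threshold is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
MIN_LENGTH = 20  # ISM-0422: single-factor passwords on TOP SECRET systems

def configured_minimum(config_text, key="minlen"):
    """Effective 'key = value' from a pwquality.conf-style file (later line overrides); None if unset."""
    value = None
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments
        m = re.fullmatch(rf"{re.escape(key)}\s*=\s*(\d+)", line)
        if m:
            value = int(m.group(1))
    return value

def enforces_ism_0422(config_text):
    """True only when the configuration rejects passwords shorter than 20 characters."""
    value = configured_minimum(config_text)
    return value is not None and value >= MIN_LENGTH

# OpenSSH/syslog-style failure line: timestamp, host, pid, user, source address
FAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
                     r"Failed password for (?:invalid user )?(\S+) from (\S+)")

def repeated_failures(log_lines, threshold=5, window=timedelta(minutes=10)):
    """{(user, source): peak failures within one window} for pairs at/above threshold."""
    events = defaultdict(list)
    for line in log_lines:
        m = FAIL_RE.match(line)
        if m:  # syslog timestamps carry no year; fine for relative windows
            events[(m.group(2), m.group(3))].append(datetime.strptime(m.group(1), "%b %d %H:%M:%S"))
    alerts = {}
    for key, times in events.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted times
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts

# Constructed sample inputs (not taken from any real system)
SAMPLE_CONFIG = "# pwquality.conf fragment\nminlen = 8\nminlen = 24  # later line wins\n"
SAMPLE_LOG = [f"Mar 19 10:00:{s:02d} tshost sshd[410{i}]: Failed password for analyst from 10.0.0.5 port 5102{i} ssh2"
              for i, s in enumerate((1, 9, 17, 25, 33))] + [
    "Mar 19 10:04:00 tshost sshd[4190]: Failed password for invalid user admin from 10.0.0.9 port 51030 ssh2",
    "Mar 19 10:04:30 tshost sshd[4191]: Accepted password for analyst from 10.0.0.5 port 51040 ssh2"]
```

A configuration with no `minlen` at all is reported as non-compliant, since an unset value falls back to a library default rather than the 20-character rule.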
Cross-framework mappings
How ISM-0422 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 5.17 | Partially meets | ISM-0422 requires passwords used for single-factor authentication on TOP SECRET systems to be at least 20 characters. |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.