Randomly Generate User Account Credentials
User account passwords must be created randomly to enhance security.
Plain language
Randomly generating passwords for user accounts makes it much harder for attackers to guess or crack them. If your passwords are predictable, cybercriminals can easily access your systems, potentially leading to data theft, financial loss, and damage to your reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Authentication hardening
Official control statement
Credentials set for user accounts are randomly generated.
Why it matters
Without randomly generated user credentials, attackers can guess or crack predictable patterns, enabling account compromise and unauthorised access to sensitive data.
Operational notes
Use an approved credential generator to create high-entropy initial passwords for all new accounts, block manual setting, and log/alert on any non-random credentials.
Implementation tips
- System administrator should use a password manager tool to generate passwords: Choose a reliable password manager that can create passwords using different characters and lengths. Ensure it is configured to use at least 12 characters, including letters, numbers, and symbols.
- IT team should implement a policy for password generation: Develop a clear policy for how passwords are to be created and maintained. Communicate this policy to all staff and make sure it is easily accessible.
- Office manager should ensure employees use the password manager: Brief staff on the importance of secure passwords and how to use the password manager. Provide a short training session and written instructions on accessing and using the tool.
- IT security officer should regularly audit password creation: Set up a schedule to review how passwords are being generated and stored. Check that all processes align with organisational policies and provide feedback if deviations are identified.
- Executive management should support strong password practices: Encourage a culture of security by reinforcing the importance of password policies in meetings and communications. Share success stories and challenges to keep security front-of-mind.
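The operational notes and the first implementation tip describe what an approved credential generator has to do: draw initial passwords from a cryptographically secure random source, meet the length and character-class requirements (at least 12 characters, with letters, numbers and symbols), and give the log/alert step a way to recognise a credential that was set by hand rather than generated. The following Python script is an added example, not code from Control Stack or the ASD ISM. The 12-character and character-class rules come from the page; the 60-bit entropy threshold, the small list of common base words and the distinct-character ratio are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Policy parameters taken from the implementation tips on this page.
MIN_LENGTH = 12
LETTERS = string.ascii_letters
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"
ALPHABET = LETTERS + DIGITS + SYMBOLS

# Assumed alert thresholds (not from the page): estimated entropy below this
# many bits, or a credential built around one of these common base words,
# is treated as "non-random" and worth logging/alerting on.
MIN_ENTROPY_BITS = 60.0
COMMON_WORDS = {"password", "welcome", "admin", "qwerty", "summer", "company", "letmein"}


def generate_password(length: int = MIN_LENGTH) -> str:
    """Generate an initial password from the OS CSPRNG via the secrets module.

    One character from each required class is guaranteed, the remaining
    positions are drawn uniformly from the full alphabet, and the result is
    shuffled with a CSPRNG-backed shuffle so class positions are not fixed.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    chars = [
        secrets.choice(LETTERS),
        secrets.choice(DIGITS),
        secrets.choice(SYMBOLS),
    ]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def entropy_bits(password: str) -> float:
    """Upper-bound entropy estimate: length * log2(size of the character
    classes actually present). This is the usual charset estimate; it says
    nothing about dictionary words, which is why check_credential also
    looks for common base words."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in DIGITS for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += len(SYMBOLS)
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def check_credential(password: str) -> list:
    """Return a list of policy findings for a credential; an empty list means
    it passes. Intended as the input to the log/alert step: any finding on a
    newly set credential indicates it did not come from the generator."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in password):
        findings.append("no letters")
    if not any(c.isdigit() for c in password):
        findings.append("no digits")
    if not any(not c.isalnum() for c in password):
        findings.append("no symbols")
    # Repeated patterns such as "Aa1!Aa1!Aa1!" pass the class checks but
    # use very few distinct characters; a generated credential does not.
    if len(set(password)) < len(password) // 2:
        findings.append("too few distinct characters")
    bits = entropy_bits(password)
    if bits < MIN_ENTROPY_BITS:
        findings.append(f"estimated entropy {bits:.1f} bits below {MIN_ENTROPY_BITS:.0f}")
    # Human-chosen passwords typically wrap a common word in digits and a symbol.
    letters_only = "".join(c for c in password.lower() if c.isalpha())
    for word in sorted(COMMON_WORDS):
        if word in letters_only:
            findings.append(f"contains common word '{word}'")
            break
    return findings


if __name__ == "__main__":
    generated = generate_password()
    print("generated:", generated, "->", check_credential(generated) or "ok")
    # Constructed sample of a manually chosen credential that meets the
    # length and class rules but is still predictable.
    print("manual: Welcome2024! ->", check_credential("Welcome2024!"))
```

The charset entropy estimate alone would accept "Welcome2024!", which is the point of the second check: a credential that satisfies length and complexity can still be predictable, so the audit step needs a source-of-truth that the generator was used (the generator's own log, or a block on manual setting) rather than a complexity test on the resulting value.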
Audit / evidence tips
- Ask: the password policy documentation. Request a copy of the current policy on password generation and management.
  Good: a clear, detailed policy outlining the use of random generation tools and complexity requirements.
- Ask: to see a demonstration of the password manager tool. Request IT to show how new passwords are created using the tool.
  Good: witnessing a tool that consistently creates strong, unpredictable passwords.
- Ask: evidence of user training sessions related to password tools. Review records of any sessions conducted to train employees on password security.
  Good: documented proof of regular, comprehensive training sessions.
- Ask: to review the schedule for password audits. Request the timeline showing regular audits of the password practices.
  Good: consistent audits that report adherence or issues with resolution steps.
- Ask: feedback or survey results from staff about password practices. Review feedback to understand how the use of the new password manager is perceived by staff.
Cross-framework mappings
How ISM-1227 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
Supports (1)
| Control | Notes | Details |
|---|---|---|
| E8-RA-ML2.5 | ISM-1227 requires credentials set for user accounts to be randomly generated to improve password unpredictability | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.