ISM-1227 ASD Information Security Manual (ISM)

Randomly Generate User Account Credentials

User account passwords must be created randomly to enhance security.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

Feb 2022

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Credentials set for user accounts are randomly generated.

Source: ASD Information Security Manual (ISM)

Plain language

Randomly generating passwords for user accounts makes it much harder for attackers to guess or crack them. If your passwords are predictable, cybercriminals can easily access your systems, potentially leading to data theft, financial loss, and damage to your reputation.

Why it matters

Without randomly generated user credentials, attackers can guess or crack predictable patterns, enabling account compromise and unauthorised access to sensitive data.

Operational notes

Use an approved credential generator to create high-entropy initial passwords for all new accounts, block manual setting, and log/alert on any non-random credentials.

Implementation tips

  • System administrator should use a password manager tool to generate passwords: Choose a reliable password manager that can create passwords using different characters and lengths. Ensure it is configured to use at least 12 characters, including letters, numbers, and symbols.
  • IT team should implement a policy for password generation: Develop a clear policy for how passwords are to be created and maintained. Communicate this policy to all staff and make sure it is easily accessible.
  • Office manager should ensure employees use the password manager: Brief staff on the importance of secure passwords and how to use the password manager. Provide a short training session and written instructions on accessing and using the tool.
  • IT security officer should regularly audit password creation: Set up a schedule to review how passwords are being generated and stored. Check that all processes align with organisational policies and provide feedback if deviations are identified.
  • Executive management should support strong password practices: Encourage a culture of security by reinforcing the importance of password policies in meetings and communications. Share success stories and challenges to keep security front-of-mind.
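As an added example (not Control Stack's or ASD's own tooling), the generation and audit steps above in Python: a CSPRNG-backed generator that meets the 12-character, mixed-class tip, an entropy figure for the audit record, and a provenance check that flags credentials set outside the approved generator. Account names and provisioning records are constructed for the example.

```python
import math
import secrets
import string

# Character classes the implementation tips call for: letters, digits and symbols.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
ALPHABET = "".join(CLASSES)
MIN_LENGTH = 12  # minimum length from the implementation tips


def meets_policy(password: str) -> bool:
    """Minimum length and at least one character from every class."""
    return len(password) >= MIN_LENGTH and all(
        any(c in cls for c in password) for cls in CLASSES
    )


def generate_credential(length: int = 16) -> str:
    """Initial password drawn from the OS CSPRNG (the secrets module).

    Rejection sampling keeps the output uniform over all policy-compliant
    strings; forcing one character per class into fixed positions would not."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string of this length, length * log2(alphabet size).
    Rejection sampling discards a negligible fraction, so this is a tight upper bound."""
    return length * math.log2(alphabet_size)


# Constructed provisioning records (account, how the credential was set, credential).
# Sample values for this example only, not real accounts.
SAMPLE_RECORDS = [
    ("alice.w", "generator", generate_credential()),
    ("svc-backup", "manual", "Welcome2024!"),   # human-chosen, yet passes the class check
    ("jsmith", "generator", "changeme"),        # fails both length and class check
]


def audit_initial_credentials(records):
    """Return accounts to alert on: credential set outside the approved generator,
    or not meeting the policy. The class check alone cannot tell a human-chosen
    'Welcome2024!' from a random string, which is why provenance is checked too."""
    return [
        account for account, source, credential in records
        if source != "generator" or not meets_policy(credential)
    ]
```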

Audit / evidence tips

  • Ask for the password policy documentation: request a copy of the current policy on password generation and management.

    Good: a clear, detailed policy that mandates the use of random generation tools and states complexity requirements.

  • Ask for a demonstration of the password manager tool: request that IT show how new passwords are created with the tool.

    Good: witnessing a tool that consistently creates strong, unpredictable passwords.

  • Ask for evidence of user training sessions on the password tools: review records of sessions held to train employees on password security.

    Good: documented proof of regular, comprehensive training sessions.

  • Ask to review the schedule for password audits: request the timeline showing regular audits of password practices.

    Good: consistent audits that report adherence, or issues together with their resolution steps.

  • Ask for staff feedback or survey results on password practices: review the feedback to understand how staff perceive the new password manager.

Cross-framework mappings

How ISM-1227 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

E8 (1 mapping)

Control: E8-RA-ML2.5
Relationship: Supports
Notes: ISM-1227 requires credentials set for user accounts to be randomly generated to improve password unpredictability.