ISM-1402 (policy), ASD Information Security Manual (ISM)

Protecting Stored Credentials with Security Measures

Store credentials securely using a password manager, hardware module, or by enhancing them with techniques before saving.


Plain language

Storing credentials safely is like locking away your most important keys and passwords so only you can access them. If this isn't done, your sensitive information like bank details or personal data could be at risk of being stolen, leading to potential financial loss or identity theft.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2022

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Credentials stored on systems are protected by a password manager; a hardware security module; or by salting, hashing and stretching them before storage within a database.

Why it matters

If credentials are stored in clear text, or hashed without a per-credential salt and a slow stretching function, an attacker who obtains the credential store (for example through a database breach or a stolen backup) can read them directly or crack them offline with precomputed tables and GPU hardware, then use them to gain unauthorised access, including on other systems where the same passwords are reused. A password manager or HSM keeps the secret out of reach of that attacker; salting, hashing and stretching make a stolen database expensive to turn back into passwords.


Operational notes

Keep stored credentials only in an approved password manager or HSM. Where credentials must be stored in a database, verify that each one is hashed with its own random salt using a deliberately slow (stretched) password hashing function such as Argon2id, scrypt, bcrypt or PBKDF2, that the work factor meets current guidance, and that these parameters are reviewed periodically and raised as hardware gets faster, rehashing credentials on their next successful use.


Implementation tips

  • The IT team should select a reputable password manager for credentials that must be held in usable form (service accounts, break-glass accounts, API keys and shared administrative passwords), enforce its use for all staff, and train staff on it.
  • System administrators should use a hardware security module so that the keys protecting stored credentials, and credentials that are themselves keys, are generated and used inside the HSM and never leave it in plaintext. This involves integrating the HSM with existing systems and restricting which systems and roles may invoke its operations.
  • Managers should ensure that passwords are never written to a database in their original form. Before storage each password is combined with a unique random salt and hashed with an approved algorithm, so that a stolen table does not reveal the passwords and identical passwords do not produce identical records.
  • The IT department should stretch password hashes in databases to make them resistant to offline cracking. This means using a deliberately slow or memory-hard password hashing function (such as Argon2id, scrypt, bcrypt or PBKDF2) with a work factor tuned so that every guess costs an attacker measurable time, and raising that work factor as hardware improves.
  • HR and IT should collaborate to periodically review and update the way credentials are stored as threats and cracking hardware evolve. They should schedule regular check-ins to audit credential storage practices, including the hashing parameters in use, and make improvements as needed.
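The salting, hashing, stretching and periodic parameter review described in the operational notes and implementation tips above, as an added Python example; it is not code from the ISM or from this page. It uses PBKDF2-HMAC-SHA256 from the standard library because that is always available; Argon2id or scrypt are better choices where a library providing them is available. The policy floor of 600,000 iterations, the self-describing record format and the sample credential store are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import os

# Policy floor for stretching. Assumed for this example: tune it to current
# guidance and your hardware, and raise it over time (records stored below the
# floor are flagged for rehashing by the audit below).
MIN_PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16      # per-credential random salt
DIGEST_BYTES = 32    # length of the stored hash


def _b64e(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def _make_record(password: str, salt: bytes, iterations: int) -> str:
    """Salt + hash + stretch, stored as a self-describing record
    'pbkdf2_sha256$<iterations>$<salt b64>$<digest b64>' so the parameters
    used for each credential can be audited later. Applies no policy check;
    the demo uses it directly to construct a weak legacy record."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=DIGEST_BYTES)
    return f"pbkdf2_sha256${iterations}${_b64e(salt)}${_b64e(digest)}"


def hash_password(password: str, iterations: int = MIN_PBKDF2_ITERATIONS) -> str:
    """Hash a new credential with a fresh random salt; refuses weak parameters."""
    if iterations < MIN_PBKDF2_ITERATIONS:
        raise ValueError("iterations below policy floor")
    return _make_record(password, os.urandom(SALT_BYTES), iterations)


def _parse(record: str):
    algo, iterations, salt, digest = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type {algo!r}")
    return int(iterations), _b64d(salt), _b64d(digest)


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    iterations, salt, expected = _parse(record)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """Periodic review check: the record was stored with parameters below policy."""
    iterations, salt, _ = _parse(record)
    return iterations < MIN_PBKDF2_ITERATIONS or len(salt) < SALT_BYTES


def audit_credential_store(store: dict) -> list:
    """Usernames whose stored credential must be rehashed on next successful login."""
    return sorted(user for user, record in store.items() if needs_rehash(record))


if __name__ == "__main__":
    # Constructed sample store: one record made under current policy and one
    # legacy record with a low iteration count (built directly for the demo).
    store = {
        "alice": hash_password("correct horse battery staple"),
        "bob": _make_record("hunter2", b"\x01" * SALT_BYTES, 10_000),
    }
    print("alice login ok:", verify_password("correct horse battery staple", store["alice"]))
    print("bob login ok:", verify_password("hunter2", store["bob"]))
    print("records needing rehash:", audit_credential_store(store))
    # Same password, different salt, different record: no shared precomputed table.
    print("salts differ:", hash_password("hunter2") != hash_password("hunter2"))
```

When a login succeeds and needs_rehash is true for that user, rehash the password the user just supplied with hash_password and replace the stored record; that is the "review and update" loop the notes call for, and it lets the work factor be raised without forcing password resets.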

Audit / evidence tips

  • Ask: a demonstration of the password manager software in use. Check that all critical systems use the selected password manager and that staff are trained on it. Good: a list of all active accounts with updated credentials securely stored within the manager.
  • Good: results showing that all necessary systems integrate with the hardware security module, with logs indicating regular use.
  • Good: detailed records of the salting and hashing techniques implemented and their effective use.
  • Good: documentation of the stretching methods applied and any testing results showing increased password resilience.
  • Ask: to see evidence of regular credential storage reviews. Review meeting records to ensure they show any identified weaknesses and proposed improvements. Good: a documented record of continuous improvements with assigned actions and completion dates.

Cross-framework mappings

How ISM-1402 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

  • Annex A 5.17 (partially overlaps): ISM-1402 requires organisations to protect stored credentials using password managers, HSMs, or secure hashing methods before storage
  • Annex A 8.24 (related): ISM-1402 requires secure protection of stored credentials, including the use of HSMs and cryptographic techniques such as salting, hashin...

E8

  • E8-RA-ML3.5 (supports): ISM-1402 requires organisations to protect stored credentials using secure storage mechanisms (e.g., password managers, HSMs, or robust h...
  • E8-RA-ML3.6 (supports): ISM-1402 requires credentials stored on systems to be protected using mechanisms such as password managers, hardware security modules, or...

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
