Ensure Strong Passwords for SECRET Systems
Passwords for SECRET systems must be at least 17 characters long to enhance security.
Plain language
This control means that any time you're logging into a system classified as SECRET, your password needs to be at least 17 characters long. This is important because longer passwords help protect sensitive information from being accessed by unauthorised people, reducing the risk of data breaches or leaks that could have serious consequences for your organisation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Passwords used for single-factor authentication on SECRET systems are a minimum of 17 characters.
Why it matters
Inadequate password length on SECRET systems increases susceptibility to brute-force guessing, enabling unauthorised access to SECRET data and broader compromise of classified operations.
Operational notes
Enforce a minimum 17-character password policy for all single-factor SECRET system accounts; use password managers to generate unique passwords and verify compliance via periodic audits.
Implementation tips
- The Information Technology (IT) team should update password policies for SECRET systems to require at least 17 characters. They can do this by accessing the system's settings and adjusting the password length requirements, then communicating these changes to all users.
- System owners need to educate employees about creating strong, memorable, 17-character passwords. This can be done by conducting a short training session or sending out guidance that suggests using a mix of phrases and numbers for easy recollection.
- The IT team should implement systems that will automatically check and enforce password length when users create or change their passwords. This involves configuring the system’s authentication settings to prevent passwords that don’t meet the criteria.
- Managers should regularly remind their teams to change passwords to ensure they remain secure. Setting calendar reminders or including this message in team meetings can be effective ways to reinforce good password habits.
- Human Resources (HR) should include password requirements and tips in the onboarding package for new employees. This can be done by updating the employee handbook or induction materials to include guidelines on creating strong passwords.
Audit / evidence tips
- Ask: the written password policy document. Request to see the section that mandates 17-character passwords for SECRET systems.
  Good evidence: A current policy document detailing the password length requirements, dated within the last year.
- Ask: system settings configuration. Request a demonstration of how systems enforce the 17-character password rule.
  Good evidence: The system shows an active restriction that prevents setting passwords of fewer than 17 characters.
- Ask: training records.
  Good evidence: Training records indicate regular sessions or updates, including content on password requirements.
- Ask: IT system change logs. Request logs that show recent changes to password policies on SECRET systems.
  Good evidence: Logs confirm the policy change with a timestamp and details of the 17-character requirement.
- Ask: onboarding documents. Request recent onboarding packets provided to new employees.
  Good evidence: Onboarding materials include a section on password length requirements and creation tips.
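The implementation tip on configuring authentication settings and the audit tip on demonstrating that the system enforces the rule both hinge on one detail that a bare "minlen = 17" does not settle: on Linux, pam_pwquality's positive credit values (dcredit, ucredit, lcredit, ocredit, default 1) let characters of each class count extra toward minlen, so a 13-character password mixing all four classes can satisfy minlen = 17. The helper below is an added example, not code from the Control Stack page or from ASD; the configuration snippets are constructed samples and the credit semantics are those of pam_pwquality as documented. It computes the shortest password a configuration would actually accept, reports compliance against the 17-character requirement, and checks a candidate password by character count (NFC-normalised code points) rather than UTF-8 bytes.

```python
"""Added audit helper for ISM-1557 (not part of the Control Stack page or the ISM):
checks whether a pam_pwquality configuration strictly enforces a 17-character
minimum, and whether a candidate password meets it. Config text is constructed."""
import unicodedata

REQUIRED_MIN_CHARS = 17  # ISM-1557: single-factor passwords on SECRET systems

# Constructed /etc/security/pwquality.conf samples (not taken from any real host).
PWQUALITY_DEFAULT_CREDITS = """
# minlen alone: dcredit/ucredit/lcredit/ocredit keep their default of 1
minlen = 17
"""

PWQUALITY_STRICT = """
minlen = 17
dcredit = 0   # 0 disables the credit for digits
ucredit = 0
lcredit = 0
ocredit = 0
"""

PWQUALITY_REQUIRE_CLASSES = """
minlen = 17
dcredit = -1  # negative: at least one digit is required, and no credit is given
ucredit = -1
lcredit = 0
ocredit = 0
"""

# pam_pwquality defaults used when a credit key is absent from the file.
DEFAULT_CREDITS = {"dcredit": 1, "ucredit": 1, "lcredit": 1, "ocredit": 1}


def parse_pwquality(text):
    """Parse 'key = value' lines; '#' starts a comment, blank lines are ignored."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def effective_min_chars(settings):
    """Shortest password pam_pwquality would accept for these settings.

    For a positive credit N, each character of that class (up to N) counts one
    extra toward minlen, so a password mixing all four classes can be shorter
    than minlen by the sum of the positive credits. Zero disables the credit;
    a negative value turns the class into a requirement that earns no credit.
    """
    minlen = int(settings.get("minlen", 8))
    bonus = 0
    for key, default in DEFAULT_CREDITS.items():
        credit = int(settings.get(key, default))
        if credit > 0:
            bonus += credit
    return minlen - bonus


def audit_pwquality(text, required=REQUIRED_MIN_CHARS):
    """Report whether the configuration guarantees `required` real characters."""
    settings = parse_pwquality(text)
    effective = effective_min_chars(settings)
    return {
        "minlen": int(settings.get("minlen", 8)),
        "effective_min_chars": effective,
        "compliant": effective >= required,
    }


def meets_length(password, required=REQUIRED_MIN_CHARS):
    """Count characters, not bytes: normalise to NFC so 'e' plus a combining
    accent is one character, and never use the UTF-8 byte length, which
    over-counts non-ASCII passwords."""
    return len(unicodedata.normalize("NFC", password)) >= required


if __name__ == "__main__":
    for name, cfg in [("default credits", PWQUALITY_DEFAULT_CREDITS),
                      ("credits disabled", PWQUALITY_STRICT),
                      ("classes required", PWQUALITY_REQUIRE_CLASSES)]:
        print(name, audit_pwquality(cfg))
```

For the audit evidence, run this against the host's actual pwquality.conf (or the equivalent pam_pwquality arguments in the PAM stack) and keep the output with the change-log entry; "minlen = 17" with credits left at their defaults is the case that looks compliant on paper but is not. The same class of question applies to other platforms: check that whatever enforces the policy counts characters and has no comparable allowance.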
Cross-framework mappings
How ISM-1557 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 5.17 | Partially overlaps | Annex A 5.17 requires organisations to manage authentication information via controlled processes and provide guidance on secure handling |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.