Ensure Secure Construction of Passwords
Passwords must not use predictable sequences, like quotes or sentences, and must meet minimum word count rules for security levels.
Plain language
This control is about creating strong passwords by avoiding predictable patterns. Think of how easy it would be for someone to guess a password if you used movie quotes or a famous song lyric. If your password is too predictable, someone could gain access and cause harm, such as stealing sensitive information or causing operational disruptions.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Passwords using a sequence of words for single-factor authentication are not constructed using:
- a list of categorised words
- a real sentence in a natural language
- song lyrics, movie or television show quotes, literature, or any other publicly available material
- less than 4 random words for non-classified, OFFICIAL: Sensitive and PROTECTED systems; 5 random words for SECRET systems; or 6 random words for TOP SECRET systems.
Why it matters
Weak passphrases (e.g., quotes, predictable word lists or too few words) are easier to guess, enabling unauthorised access and data compromise.
Operational notes
Use 4–6 truly random words per classification; avoid quotes, lyrics, real sentences, categorised word lists, and predictable word order.
Implementation tips
- IT managers should develop a password policy that specifies the use of random words rather than predictable sequences. Use examples to illustrate combinations of random words and explain why they are more secure.
- Office managers should train staff on how to choose passwords that follow these guidelines. Conduct workshops or information sessions demonstrating the creation of passwords using four or more random words.
- HR should include password creation techniques in new employee onboarding materials. Provide a checklist or guide that outlines the rules for crafting secure passwords.
- System owners should review current password practices and update password requirements to meet the new standards. Ensure all systems enforce these rules through technical settings.
- IT staff should implement tools that check password submissions against a list of disallowed patterns, such as famous quotes or song lyrics. Automate rejection of passwords that do not meet the complexity criteria.
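The checker described in the last tip, written here as an added example (not Control Stack's or ASD's tooling): it applies the control's 4/5/6 word minimums per classification and rejects constructions the control names, using a constructed sample denylist and a simple function-word heuristic for natural sentences.

```python
"""Passphrase construction check modelled on ISM-1558 (added example, not official tooling)."""
import re
from typing import Optional

# Minimum random-word count per classification, from the control statement.
MIN_WORDS = {
    "NC": 4, "OS": 4, "P": 4,  # non-classified, OFFICIAL: Sensitive, PROTECTED
    "S": 5,                    # SECRET
    "TS": 6,                   # TOP SECRET
}

# Constructed sample denylist; a real deployment would load a large corpus of
# quotes, lyrics and literature plus leaked-passphrase lists.
KNOWN_PHRASES = [
    "may the force be with you",
    "to be or not to be",
    "correct horse battery staple",
]
# Constructed categorised word lists (days, colours); three or more hits is treated as a list walk.
CATEGORISED_LISTS = [
    {"monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday"},
    {"red", "orange", "yellow", "green", "blue", "indigo", "violet"},
]
# Function words dominate natural sentences but are rare in randomly drawn word lists.
FUNCTION_WORDS = {"the", "a", "an", "is", "are", "to", "of", "and", "in", "on", "my", "i", "it"}


def normalise(passphrase: str) -> list[str]:
    """Lower-case and split on non-letters so separators and casing do not defeat matching."""
    return re.findall(r"[a-z]+", passphrase.lower())


def check_passphrase(passphrase: str, classification: str) -> Optional[str]:
    """Return None if the passphrase satisfies the control, otherwise the reason it is rejected."""
    words = normalise(passphrase)
    needed = MIN_WORDS[classification.upper()]
    if len(set(words)) < needed:  # repeated words do not count towards the minimum
        return f"fewer than {needed} distinct words required for {classification}"
    padded = f" {' '.join(words)} "  # pad so phrases only match on word boundaries
    if any(f" {phrase} " in padded for phrase in KNOWN_PHRASES):
        return "matches publicly available material"
    if any(sum(w in lst for w in words) >= 3 for lst in CATEGORISED_LISTS):
        return "words drawn from a categorised list"
    if sum(w in FUNCTION_WORDS for w in words) / len(words) >= 0.4:
        return "reads as a natural-language sentence"
    return None  # passes; a checker cannot prove the words were chosen randomly
```

The checker can only reject known bad constructions; it cannot confirm that accepted words were drawn at random, which is why the policy and training tips above still matter.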
Audit / evidence tips
- Ask: the organisation's password policy document. Good: includes clear guidelines on constructing passwords using random words and avoiding predictable sequences.
- Ask: evidence of staff training sessions on password security. Good: shows regular training sessions and materials that emphasise avoiding predictable patterns in passwords.
- Good: would be seeing systems in place that flag and prevent the use of simplistic passwords.
- Ask: a list of password management tools in use. Good: includes tools that automatically enforce the minimum word count and randomness requirements.
- Good: shows clear instructions that align with this control to prevent the use of predictable sequences in passwords.
Cross-framework mappings
How ISM-1558 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Partially meets (2)

| Control | Notes |
|---|---|
| Annex A 5.17 | ISM-1558 requires passwords (as authentication information) to be securely constructed, explicitly prohibiting predictable word sequences... |
| Annex A 8.5 | ISM-1558 requires secure construction of passwords for single-factor authentication, including bans on predictable phrases and minimum ra... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.