ISM-1559 ASD Information Security Manual (ISM)

Minimum Password Length for Secure Systems

Passwords for secure systems should have at least 6 characters to enhance security.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P

🗓️ ISM last updated

Nov 2025

✏️ Control Stack last updated

19 Mar 2026

🎯 E8 maturity levels

N/A

Official control statement
Passwords used for multi-factor authentication on non-classified, OFFICIAL: Sensitive and PROTECTED systems are a minimum of 6 characters.

Source: ASD Information Security Manual (ISM)

Plain language

Requiring passwords of at least 6 characters on systems that need additional security helps keep those systems and the information they hold safe and private. Passwords that are too short are easier for attackers to guess, which could lead to unauthorised access and put sensitive information and overall business operations at risk.

Why it matters

If MFA passwords are shorter than 6 characters, brute-force guessing becomes easier, increasing the risk of unauthorised access to OFFICIAL: Sensitive/PROTECTED systems and potential data compromise.

Operational notes

Configure MFA to enforce a minimum 6-character password on OFFICIAL: Sensitive and PROTECTED systems; verify via regular configuration checks and authentication policy audits to ensure the setting remains enforced.

Implementation tips

  • IT team should update system settings: Ensure all systems that need extra security are set to require passwords of at least 6 characters. This can be done by changing the password policy settings in your system's administration console.
  • Office manager should communicate policy: Inform all staff about the importance of using passwords with at least 6 characters on secure systems. This could be done through an email or a brief meeting explaining why these lengths are important for security.
  • HR should include in onboarding: Make it part of new employee training to set strong passwords for secure systems. During induction, provide a simple guide on creating longer passwords that are easy to remember but hard to guess.
  • System owner should perform regular checks: Periodically review user accounts to ensure compliance with the password length requirement. Use system reports that show password length or request confirmation from IT.
  • Executive management should set the example: Encourage leaders to model good password practices by discussing their approach to creating secure passwords and regularly updating them. This can motivate staff to take password security seriously.

Audit / evidence tips

  • Ask for the system password policy settings document: Request documentation that shows the password policy configuration in your systems.

    Good: The document shows a minimum password length of at least 6 characters.

  • Ask to see user account creation logs: Request logs that show when user accounts require a password to be set up.

    Good: Logs consistently show passwords of at least 6 characters at account creation.

  • Ask for employee training records: Request records of staff training sessions that cover password policies.

    Good: Complete records showing recent training with high staff participation rates.

  • Ask for evidence of security policy updates: Request any emails or memos that were sent to staff about updated password requirements.

    Good: Well-documented communication targeting all relevant staff.

  • Ask for system compliance reports: Request a report that checks password policy compliance across all secure systems.

    Good: Reports show over 95% compliance, with a plan to rectify any failures.

Cross-framework mappings

How ISM-1559 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (2)

  • Annex A 5.17: ISM-1559 sets an explicit technical rule: passwords used for MFA on specified Australian Government security domains must be at least 6 c...
  • Annex A 8.5: ISM-1559 mandates a specific minimum password length (at least 6 characters) when passwords are used as part of multi-factor authenticati...
