Ensure Strong Passwords for SECRET System Authentication
Passwords for SECRET systems using multi-factor authentication must be at least 8 characters.
Plain language
This control ensures that when logging into important systems, passwords used must be at least eight characters long, even if you're using a second method to verify your identity, like a text message code. This matters because strong passwords are a first line of defense against unauthorised access. If passwords are weak, cyber criminals can easily break into systems and steal sensitive information, causing operational downtime and damage to your reputation.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
S
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Passwords used for multi-factor authentication on SECRET systems are a minimum of 8 characters.
Why it matters
If MFA passwords on SECRET systems are under 8 characters, they are easier to guess or crack, increasing the risk of account compromise and exposure of SECRET information.
Operational notes
Configure authentication to reject MFA passwords under 8 characters on SECRET systems, and routinely test/monitor for accounts that bypass the minimum length.
Implementation tips
- System owners should ensure all users create strong passwords for systems that manage sensitive data. Encourage users by providing examples of phrases turned into passwords with at least eight characters.
- The IT team should configure systems to automatically reject passwords that do not meet the eight-character minimum requirement. This can be done by setting password policies in the system's security settings.
- Managers should conduct regular training sessions, educating staff on the importance of password strength and how to create memorable yet secure passwords. Use role-playing exercises to demonstrate the risks of weak passwords.
- HR should make it a policy to remind new employees during onboarding about the organisation's password requirements. Include a checklist or tip sheet in the welcome pack.
- IT leads should regularly review recent password policies to ensure they are applied consistently across all systems. Use system logs to verify compliance and correct any deviations promptly.
Audit / evidence tips
- Ask: system configuration settings. Request access to the system's password policy settings in the administration console.
  Good: a screenshot showing the enforced eight-character minimum.
- Good: includes sections dedicated to password length guidelines.
- Ask: training session materials. Request slides or videos from recent training sessions about password policies.
  Good: highlights the eight-character requirement.
- Good: includes regular reminders with security tips.
- Ask: the onboarding pack materials. Verify that these materials cover the password policy, including the length requirement.
  Good: has a section dedicated to this, complete with examples and tips.
Cross-framework mappings
How ISM-1560 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.5 | ISM-1560 sets a concrete authentication-strength requirement by mandating a minimum password length (8 characters) when passwords are use... | |
| Supports (1) | | |
| Annex A 5.17 | ISM-1560 requires passwords used for MFA on SECRET systems to be at least 8 characters, establishing a baseline for authentication inform... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| E8-MF-ML1.7 | ISM-1560 requires that passwords used as part of multi-factor authentication (MFA) on SECRET systems are at least 8 characters long | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.