Ensure Strong Passwords for SECRET System Authentication
Passwords for SECRET systems using multi-factor authentication must be at least 8 characters.
🏛️ Framework: ASD Information Security Manual (ISM)
🧭 Control effect: Preventative
🔐 Classifications: S
🗓️ ISM last updated: Nov 2025
✏️ Control Stack last updated: 22 Feb 2026
🎯 E8 maturity levels: N/A
Passwords used for multi-factor authentication on SECRET systems are a minimum of 8 characters.
Source: ASD Information Security Manual (ISM)
Plain language
This control ensures that when logging into important systems, passwords used must be at least eight characters long, even if you're using a second method to verify your identity, like a text message code. This matters because strong passwords are a first line of defense against unauthorised access. If passwords are weak, cyber criminals can easily break into systems and steal sensitive information, causing operational downtime and damage to your reputation.
Why it matters
If passwords used for MFA on SECRET systems are shorter than 8 characters, they are easier to guess or crack, which increases the risk of account compromise and exposure of SECRET information.
Operational notes
Configure authentication on SECRET systems to reject MFA passwords shorter than 8 characters, and routinely test and monitor for accounts or systems where the minimum length is not enforced.
Implementation tips
- System owners should ensure all users create strong passwords for systems that manage sensitive data. Encourage users by providing examples of phrases turned into passwords with at least eight characters.
- The IT team should configure systems to automatically reject passwords that do not meet the eight-character minimum requirement. This can be done by setting password policies in the system's security settings.
- Managers should conduct regular training sessions, educating staff on the importance of password strength and how to create memorable yet secure passwords. Use role-playing exercises to demonstrate the risks of weak passwords.
- HR should make it a policy to remind new employees during onboarding about the organisation's password requirements. Include a checklist or tip sheet in the welcome pack.
- IT leads should regularly review recent password policies to ensure they are applied consistently across all systems. Use system logs to verify compliance and correct any deviations promptly.
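The two technical steps above (reject a new password below the minimum at the point it is set, and periodically audit the configured policies so no SECRET system slips below it) can be expressed as a small check. The following is an added example written for this page, not code from Control Stack or the ISM; the policy export format, system names and field names are constructed assumptions, and a real deployment would read the equivalent settings from its directory or identity platform.

```python
"""Minimum-length check for MFA passwords on SECRET systems (ISM-1560).

Added illustration; the PasswordPolicy record layout and the sample export
below are constructed for this example, not a real product format.
"""
from dataclasses import dataclass

# The control text fixes the minimum at 8 characters for SECRET systems
# where the password is one factor of multi-factor authentication.
MIN_SECRET_MFA_PASSWORD_LENGTH = 8


@dataclass(frozen=True)
class PasswordPolicy:
    """One system's effective password policy, as exported by an audit job (assumed layout)."""
    system: str
    classification: str      # e.g. "SECRET", "PROTECTED"
    mfa_enabled: bool
    min_password_length: int  # the configured minimum the system enforces


def in_scope(classification: str, mfa_enabled: bool) -> bool:
    """ISM-1560 applies only to SECRET systems that use MFA."""
    return classification.upper() == "SECRET" and mfa_enabled


def password_meets_control(password: str, classification: str, mfa_enabled: bool) -> bool:
    """Enforcement point: accept a candidate password only if it satisfies ISM-1560.

    Length is counted in characters (code points), so a passphrase using
    non-ASCII characters is measured the same way a user would count it.
    Systems outside the control's scope are reported as True here because
    this function checks this one control only; other controls still apply.
    """
    if not in_scope(classification, mfa_enabled):
        return True
    return len(password) >= MIN_SECRET_MFA_PASSWORD_LENGTH


def noncompliant_systems(policies):
    """Audit step: names of in-scope systems whose configured minimum is below the control."""
    return sorted(
        p.system
        for p in policies
        if in_scope(p.classification, p.mfa_enabled)
        and p.min_password_length < MIN_SECRET_MFA_PASSWORD_LENGTH
    )


# Constructed sample export: two SECRET MFA systems, one of which is misconfigured.
SAMPLE_POLICIES = [
    PasswordPolicy("secret-portal", "SECRET", True, 14),
    PasswordPolicy("secret-legacy-app", "SECRET", True, 6),
    PasswordPolicy("protected-wiki", "PROTECTED", True, 6),   # out of scope for this control
    PasswordPolicy("secret-kiosk", "SECRET", False, 4),       # no MFA, so outside ISM-1560
]


if __name__ == "__main__":
    for system in noncompliant_systems(SAMPLE_POLICIES):
        print(f"ISM-1560 not met: {system} allows MFA passwords shorter than "
              f"{MIN_SECRET_MFA_PASSWORD_LENGTH} characters")
    print(password_meets_control("correct-horse", "SECRET", True))  # True
    print(password_meets_control("short1", "SECRET", True))         # False
```

The enforcement function belongs wherever passwords are set or changed, while the audit function is meant to run on a schedule over a policy export so that a system whose policy was relaxed after go-live is surfaced rather than assumed compliant.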
Audit / evidence tips
- Ask: system configuration settings. Request access to the system's password policy settings in the administration console. Good: a screenshot showing the enforced eight-character minimum.
- Good: includes sections dedicated to password length guidelines.
- Ask: training session materials. Request slides or videos from recent training sessions about password policies. Good: highlights the eight-character requirement.
- Good: includes regular reminders with security tips.
- Ask: the onboarding pack materials. Verify that these materials cover the password policy, including the length requirement. Good: has a section dedicated to this, complete with examples and tips.
Cross-framework mappings
How ISM-1560 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 8.5 | ISM-1560 sets a concrete authentication-strength requirement by mandating a minimum password length (8 characters) when passwords are use... | |
| Supports (1) | | |
| Annex A 5.17 | ISM-1560 requires passwords used for MFA on SECRET systems to be at least 8 characters, establishing a baseline for authentication inform... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| E8-MF-ML1.7 | ISM-1560 requires that passwords used as part of multi-factor authentication (MFA) on SECRET systems are at least 8 characters long | |