Ensure Strong Passwords for TOP SECRET Systems
TOP SECRET systems must use passwords of at least 10 characters for added security.
Plain language
Ensuring strong passwords on TOP SECRET systems is crucial because it makes it much harder for outsiders to guess or crack them. If someone guesses a password, they could access sensitive information and potentially cause serious harm to your organisation. This control requires that passwords in use for multi-factor authentication (where more than just a password is needed to log in) are at least 10 characters long, adding an important layer of security.
Framework: ASD Information Security Manual (ISM)
Control effect: Preventative
Classifications: TS
ISM last updated: Nov 2025
Control Stack last updated: 19 Mar 2026
E8 maturity levels: N/A
Official control statement
Passwords used for multi-factor authentication on TOP SECRET systems are a minimum of 10 characters.
Why it matters
Weak passwords for TOP SECRET MFA could enable unauthorised access, exposing highly sensitive data and potentially jeopardising national security operations.
Operational notes
Audit TOP SECRET MFA password length to ensure a 10+ character minimum; enforce policy and technical controls, and remediate any non-compliant accounts.
Implementation tips
- The IT team should set up all accounts related to TOP SECRET systems to require passwords of at least 10 characters. They can do this by configuring the system settings to enforce this rule when new passwords are created or old ones are changed.
- System owners need to ensure that their users understand the importance of strong passwords. They can organise short training sessions to demonstrate how to create passwords that are both long and easy to remember, using phrases or a mix of words and numbers.
- Managers should regularly remind staff to avoid common passwords or words related to their personal life. They can send out monthly reminders through emails or meetings, giving examples of strong passwords and explaining the risks of weak ones.
- The cyber security team should implement checks to automatically monitor and alert if any known weak passwords are used on the system. This can be done using security software that flags insecure passwords for further review.
- Human Resources should include password best practices and the 10-character requirement in the employee onboarding process. New staff should sign a document acknowledging they understand and will follow these practices.
Audit / evidence tips
- Ask: the system configuration settings. Request a screenshot or printout of the authentication settings that show the password requirements.
  Good: It clearly states 'min. 10 characters' for systems handling TOP SECRET data.
- Ask: the training schedule or material. Request documentation or a calendar showing when employees receive training about password security.
  Good: Shows training was conducted before system access was provided and regularly updated.
- Ask: logs or reports from the security software that flags weak passwords.
  Good: Shows consistent monitoring activity and actions taken on any alerts.
- Ask: an onboarding checklist. Request to see the document that HR uses to onboard new staff.
  Good: New employee files have signed checklists acknowledging password rules.
- Ask: copies of recent emails or meeting notes that mention the password length requirement.
  Good: Shows consistent communication with acknowledgment from recipients.
Cross-framework mappings
How ISM-1561 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Partially meets (1)

| Control | Notes | Details |
|---|---|---|
| Annex A 5.17 | ISM-1561 requires that passwords used as part of multi-factor authentication on TOP SECRET systems are at least 10 characters long. | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.