ISM-1561 ASD Information Security Manual (ISM)

Ensure Strong Passwords for TOP SECRET Systems

Passwords used for multi-factor authentication on TOP SECRET systems must be at least 10 characters long.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

TS

🗓️ ISM last updated

Nov 2025

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Passwords used for multi-factor authentication on TOP SECRET systems are a minimum of 10 characters.

Source: ASD Information Security Manual (ISM)

Plain language

Ensuring strong passwords on TOP SECRET systems is crucial because it makes it much harder for outsiders to guess or crack them. If someone guesses a password, they could access sensitive information and potentially cause serious harm to your organisation. This control requires that passwords in use for multi-factor authentication (where more than just a password is needed to log in) are at least 10 characters long, adding an important layer of security.

Why it matters

Weak passwords for TOP SECRET MFA could enable unauthorised access, exposing highly sensitive data and potentially jeopardising national security operations.

Operational notes

Audit TOP SECRET MFA password length to ensure a 10+ character minimum; enforce policy and technical controls, and remediate any non-compliant accounts.

Implementation tips

  • The IT team should set up all accounts related to TOP SECRET systems to require passwords of at least 10 characters. They can do this by configuring the system settings to enforce this rule when new passwords are created or old ones are changed.
  • System owners need to ensure that their users understand the importance of strong passwords. They can organise short training sessions to demonstrate how to create passwords that are both long and easy to remember, using phrases or a mix of words and numbers.
  • Managers should regularly remind staff to avoid common passwords or words related to their personal life. They can send out monthly reminders through emails or meetings, giving examples of strong passwords and explaining the risks of weak ones.
  • The cyber security team should implement checks to automatically monitor and alert if any known weak passwords are used on the system. This can be done using security software that flags insecure passwords for further review.
  • Human Resources should include password best practices and the 10-character requirement in the employee onboarding process. New staff should sign a document acknowledging they understand and will follow these practices.

Audit / evidence tips

  • Ask for: the system configuration settings. Request a screenshot or printout of the authentication settings that show the password requirements.

    Good: It clearly states 'min. 10 characters' for systems handling TOP SECRET data

  • Ask for: the training schedule or material. Request documentation or a calendar showing when employees receive training about password security.

    Good: Shows training was conducted before system access was provided and regularly updated

  • Ask for: logs or reports from the security software that flags weak passwords.

    Good: Shows consistent monitoring activity and actions taken on any alerts

  • Ask for: an onboarding checklist. Request to see the document that HR uses to onboard new staff.

    Good: New employee files have signed checklists acknowledging password rules

  • Ask for: copies of recent emails or meeting notes that mention the password length requirement.

    Good: Shows consistent communication with acknowledgment from recipients

Cross-framework mappings

How ISM-1561 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Partially meets (1)

  • Annex A 5.17: ISM-1561 requires that passwords used as part of multi-factor authentication on TOP SECRET systems are at least 10 characters long.
