Ensure Initial User Credentials Are Changed
Users must change their initial passwords the first time they log in to enhance security.
Plain language
When someone gets a new user account, they are given initial login details. It is crucial for security that they replace this initial password the first time they log in. An initial password is known to whoever issued it, may have travelled through email or a help-desk note, and is often built from a predictable pattern, so if the user keeps it, someone else could use it to gain unauthorised access to the system and sensitive information.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Authentication hardening
Official control statement
Credentials provided to users are changed on first use.
Why it matters
Failure to change initial passwords increases the risk of unauthorised access, potentially leading to data breaches and system compromise.
Operational notes
Configure IAM/AD to force a password change at first sign-in and block shared/default credentials; monitor new accounts to confirm the change occurs promptly.
Implementation tips
- System administrators should issue initial passwords that are randomly generated and unique to each account, never derived from guessable details such as the user ID or a date, and delivered to the user through a channel separate from the one used for the username. The initial password only needs to survive until first login, so it should be treated as a one-time secret rather than something the user has to remember.
- IT support staff should inform new users about the importance of changing their initial password immediately. This can be achieved through an onboarding email or a training session that explains security best practices and the risks of using default passwords.
- The IT team should configure the system to force users to reset their password upon their first login. This can be done by setting up an automatic prompt that requires the user to create a new password before they can access other system functions.
- Managers should regularly remind their teams about password hygiene and changing initial passwords. This could be part of ongoing security training sessions or monthly staff meetings, where good password practices are reinforced.
- HR personnel should coordinate with the IT department to ensure that information about password change policies is included in the job offer package sent to new employees. This prepares them to take immediate action on their first day.
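The operational note above calls for IAM/AD to force a password change at first sign-in and for new accounts to be monitored until the change happens, and the implementation tips describe the same procedure. The following is an added example for an Active Directory environment, written for this page rather than taken from the ISM or any product documentation. It assumes the ActiveDirectory PowerShell module is available, that it is run with rights to create users, and that the user `jcitizen`, the display name and the 7-day review window are illustrative values.

```powershell
# Added example: provision an account whose initial credential is random and
# must be changed at first sign-in, then audit for accounts that still hold
# their initial credential. Names and the review window are illustrative.
Import-Module ActiveDirectory

# 1. Generate a random initial password instead of a pattern such as userID+date.
#    The value is delivered to the user out-of-band, separately from the username.
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
$initialPassword = [Convert]::ToBase64String($bytes)

# 2. Create the account with "user must change password at next logon" set.
#    This makes the directory reject the initial credential for anything other
#    than the change-password flow.
New-ADUser -Name 'Jane Citizen' -SamAccountName 'jcitizen' `
    -AccountPassword (ConvertTo-SecureString $initialPassword -AsPlainText -Force) `
    -Enabled $true -ChangePasswordAtLogon $true

# Existing accounts that were created without the flag can be fixed in place:
# Set-ADUser -Identity 'jcitizen' -ChangePasswordAtLogon $true

# 3. Audit: enabled accounts created inside the review window whose pwdLastSet
#    is still 0. A pwdLastSet of 0 is how AD records the "must change at next
#    logon" state, so these users have not yet replaced the initial credential.
$cutoff = (Get-Date).AddDays(-7)
Get-ADUser -Filter * -Properties whenCreated, pwdLastSet |
    Where-Object { $_.Enabled -and $_.whenCreated -ge $cutoff -and $_.pwdLastSet -eq 0 } |
    Select-Object SamAccountName, whenCreated |
    Sort-Object whenCreated
```

The audit list doubles as the evidence an assessor asks for under this control: an empty result for accounts older than the agreed timeframe shows the change is happening promptly, and any account that stays on the list past that window is either an unused issuance that should be disabled and re-issued, or a sign-in path that bypassed the forced change and needs investigation.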
Audit / evidence tips
- Ask: the procedure or policy document that outlines the process for initial password change
  Good: will include the specific steps and timeframe for users to change their initial password
- Ask: the onboarding material (email, training content) that tells new users to change their initial password
  Good: will show evidence that this information is consistently and clearly communicated
- Ask: audit logs or system reports showing the number of accounts that have changed passwords after first use
  Good: will show that nearly all or all accounts have completed a password change soon after first use
- Ask: the system configuration that forces a password change at first login
  Good: would show a system setting or option that is enabled and functioning correctly
- Ask: a sample of user feedback or IT support tickets related to initial password changes
  Good: will show that any issues are addressed promptly and users understand their password responsibilities
Cross-framework mappings
How ISM-1595 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 5.17 | ISM-1595 requires users to change initial credentials on first use so that shared, vendor-issued, or administrator-set passwords do not r... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.