Avoid Reusing Credentials Across Systems
Users should not use the same passwords on different systems for better security.
Plain language
This control is about not using the same password for different accounts or systems. It's important because if someone gets access to one password, they could break into all your accounts and do serious harm, like stealing money or sensitive information.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Authentication hardening
Official control statement
Credentials are not reused by users across different systems.
Why it matters
Reusing passwords increases the risk of credential stuffing, potentially causing financial loss or compromise of sensitive data across multiple systems.
Operational notes
Require unique passwords per system and promote password managers to generate/store strong credentials; block known-breached passwords to reduce reuse.
Implementation tips
- Office managers should arrange for a password management tool that can help employees create and store unique passwords for different accounts. This can be done by researching options online and choosing a tool that balances price with the features your organisation needs.
- HR should conduct a training session for employees to explain the risks of reusing passwords and how to use the new password management tool. This session can be organised during a regular team meeting and recorded for those who cannot attend.
- IT staff should guide employees on setting up the password manager on their devices, ensuring it's configured to generate strong passwords automatically. This can be done via one-on-one desk visits or a virtual session using a video call platform.
- Department heads should periodically remind their teams not to reuse passwords by sending out a monthly newsletter or email with security tips. Include stories or examples of recent breaches caused by password reuse to highlight the risks.
- Every manager should encourage the use of multi-factor authentication (MFA) wherever possible, explaining this adds an additional layer of protection. This might involve turning on features in the systems used by the team or providing step-by-step guides on setting up MFA on their accounts.
Audit / evidence tips
- Ask: a list of systems and applications used. Verify whether unique passwords are enforced across different systems.
  Good: A policy document highlighting unique password requirements for each system.
- Ask: training records on password management. Check that all staff have completed training on this topic.
  Good: Comprehensive attendance logs or recordings from training sessions.
- Good: Reports showing compliance with unique password creation.
- Ask: documentation of security reminders sent out. Verify the frequency and content related to password reuse warnings.
  Good: Consistent reminders with tips and examples, distributed on a regular basis.
- Good: Documentation showing an increasing number of accounts secured by MFA, minimising risks from password reuse.
Cross-framework mappings
How ISM-1596 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 5.17 | ISM-1596 requires that users do not reuse credentials across different systems to reduce the impact of credential compromise | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.