Strengthening Passwords for Critical Accounts
Ensure passwords for high-risk accounts are strong, unique, and properly managed.
Plain language
This control is about ensuring that important accounts, which have powerful access to your systems, have strong, unique passwords that are kept safe. It's important because if these accounts are compromised, your entire organisation could be at risk of data theft, financial loss, or operational downtime.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
May 2023
Control Stack last updated
19 Mar 2026
E8 maturity levels
ML2, ML3
Guideline
Guidelines for system hardening
Section
Authentication hardening
Official control statement
Credentials for break glass accounts, local administrator accounts and service accounts are long, unique, unpredictable and managed.
Why it matters
Weak or reused passwords for break glass, local admin and service accounts enable easy compromise, leading to unauthorised privileged access, breaches and major financial/reputational damage.
Operational notes
For break glass, local admin and service accounts, enforce long unique passwords, store in an approved vault, rotate routinely and on staff changes, and restrict/monitor access.
Implementation tips
- IT manager: Ensure all critical accounts like admin and service accounts have a password policy requiring long and unique passwords. Use a password manager to generate and store passwords securely, avoiding predictable sequences.
- System administrator: Regularly review and update passwords for high-risk accounts, setting reminders for when passwords need to change. This can be done by setting expiration alerts within your password management tool.
- Business owner: Educate staff on the importance of password security for critical accounts by organising a short seminar or training session. Provide examples of potential risks and the impact of weak passwords.
- Security officer: Monitor accounts for unusual activities that may indicate compromise. Set up notifications for failed login attempts or sudden changes in account behaviour.
- IT support team: Implement multi-factor authentication (MFA, often called 2FA) for every high-risk account that can use it, and provide a simple guide to help users set it up on their devices. Service accounts generally cannot perform interactive MFA, so for them the credential controls above (long, unique, vaulted, rotated) and restricting where the account is allowed to log on are the compensating measures. Break glass accounts need a documented way to satisfy MFA when the usual MFA provider is unavailable, such as a hardware token held in a safe.
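The operational notes and tips above state the four properties (long, unique, unpredictable, managed) without showing how to produce or check them. The following is an added example, not code from the ISM or the Control Stack page: it generates a credential from the OS CSPRNG and audits a credential inventory for length, cross-account reuse, predictable sequences, vault storage and rotation age. The policy thresholds, the inventory record format and the account names are assumptions for illustration, not ISM-mandated values.

```python
"""
Added example (not from the ISM or the Control Stack page): generate credentials that
meet "long, unique, unpredictable, managed" and audit an inventory against it.
MIN_LENGTH, MAX_AGE_DAYS and the inventory record format are assumed local policy.
"""
import secrets
import string
from datetime import date, timedelta

# Assumed local policy: the ISM does not prescribe these specific numbers.
MIN_LENGTH = 30          # "long"
MAX_AGE_DAYS = 90        # "managed": routine rotation window
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_credential(length: int = MIN_LENGTH) -> str:
    """Unpredictable: drawn from the OS CSPRNG via `secrets`, never random.random()."""
    if length < MIN_LENGTH:
        raise ValueError(f"length {length} is below policy minimum {MIN_LENGTH}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def has_predictable_sequence(pw: str, run: int = 4) -> bool:
    """Flag alphabet, digit or keyboard-row runs such as 'abcd', '4321' or 'qwer'."""
    seqs = [string.ascii_lowercase, string.digits, "qwertyuiop", "asdfghjkl", "zxcvbnm"]
    lower = pw.lower()
    for seq in seqs:
        for i in range(len(seq) - run + 1):
            chunk = seq[i:i + run]
            if chunk in lower or chunk[::-1] in lower:
                return True
    return False


def audit_inventory(inventory: list[dict], today: date) -> dict[str, list[str]]:
    """Return {account: [findings]} for every account that fails a requirement.

    Inventory records (assumed vault export shape):
      {"account": str, "type": "break_glass|local_admin|service",
       "password": str, "last_rotated": date, "vaulted": bool}
    """
    # Uniqueness is a property across accounts, so index passwords first.
    seen: dict[str, list[str]] = {}
    for entry in inventory:
        seen.setdefault(entry["password"], []).append(entry["account"])

    findings: dict[str, list[str]] = {}
    for entry in inventory:
        acct, pw = entry["account"], entry["password"]
        problems = []
        if len(pw) < MIN_LENGTH:
            problems.append(f"short ({len(pw)} < {MIN_LENGTH})")
        if len(seen[pw]) > 1:
            others = [a for a in seen[pw] if a != acct]
            problems.append(f"shared with {', '.join(others)}")
        if has_predictable_sequence(pw):
            problems.append("predictable sequence")
        if not entry["vaulted"]:
            problems.append("not in approved vault")
        age = (today - entry["last_rotated"]).days
        if age > MAX_AGE_DAYS:
            problems.append(f"stale ({age} days since rotation)")
        if problems:
            findings[acct] = problems
    return findings


# Constructed sample inventory: fictional accounts and values, for illustration only.
TODAY = date(2026, 3, 19)
SAMPLE_INVENTORY = [
    {"account": "BREAKGLASS-01", "type": "break_glass", "password": generate_credential(40),
     "last_rotated": TODAY - timedelta(days=10), "vaulted": True},
    {"account": "WS-LOCALADMIN", "type": "local_admin", "password": "Summer2024!!",
     "last_rotated": TODAY - timedelta(days=400), "vaulted": False},
    {"account": "SRV-LOCALADMIN", "type": "local_admin", "password": "Summer2024!!",
     "last_rotated": TODAY - timedelta(days=400), "vaulted": False},
    {"account": "svc-backup", "type": "service", "password": "Xk9" * 10 + "abcd1234",
     "last_rotated": TODAY - timedelta(days=30), "vaulted": True},
]

if __name__ == "__main__":
    for acct, probs in audit_inventory(SAMPLE_INVENTORY, TODAY).items():
        print(f"{acct}: {'; '.join(probs)}")
```

The two local administrator accounts sharing one password is the classic finding this control targets: one compromised workstation yields every host that reuses it. In practice the inventory would come from the vault's export API rather than a literal list.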
Audit / evidence tips
- Ask: the password policy document. Review the policy to ensure it specifies requirements for length, complexity, uniqueness, and change frequency for critical accounts. Good: a detailed policy document that specifies requirements and is regularly updated.
- Ask: a demonstration of the password vault.
- Ask: a training report on password security.
- Ask: monitoring and alert logs. Examine logs for records of potential security breaches or attempts. Good: logs that show prompt investigation and response to unusual activities.
- Ask: records of 2FA implementation. Verify that all high-risk accounts have 2FA enabled by checking account settings or authentication logs. Good: complete coverage of 2FA across critical accounts, with documented compensating controls for the accounts that cannot perform interactive MFA (typically service accounts).
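The security officer tip and the monitoring-logs evidence item above say to alert on failed logins and unusual account behaviour but do not say what "unusual" means for these three account types. The following is an added example, not from the ISM or the Control Stack page: three detection rules run over constructed sample logon events. Account names, the event record shape and the thresholds are assumptions to be mapped onto your own SIEM's fields; the event IDs and logon types follow Windows Security log conventions (4624 success, 4625 failure; logon type 2 console, 3 network, 5 service, 10 RDP).

```python
"""
Added example (not from the ISM or the Control Stack page): detection rules for
break glass, local administrator and service accounts over constructed events.
Account names, thresholds and the event shape are assumptions.
"""
from collections import deque
from datetime import datetime, timedelta

# Assumed account inventory (fictional names).
BREAK_GLASS = {"BREAKGLASS-01"}
LOCAL_ADMIN = {"WS-LOCALADMIN", "SRV-LOCALADMIN"}
SERVICE = {"svc-backup"}

FAIL_THRESHOLD = 5                   # failures per account ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this sliding window
INTERACTIVE_LOGON_TYPES = {2, 10}    # console and RDP; service accounts should never do these


def detect(events):
    """Return alerts as (time, rule, account, detail) tuples.

    Rules:
      break_glass_use             any logon attempt by a break glass account; these are
                                  emergency-only, so every use is reviewed
      admin_bruteforce            FAIL_THRESHOLD failures for one local admin account
                                  within FAIL_WINDOW (fires when the threshold is reached)
      service_account_interactive a service account completing a console or RDP logon
    events: time-ordered dicts with keys time, event_id, account, source_ip, logon_type.
    """
    alerts = []
    failures = {}  # account -> deque of failure timestamps still inside the window
    for ev in events:
        acct, t = ev["account"], ev["time"]
        success = ev["event_id"] == 4624

        if acct in BREAK_GLASS:
            outcome = "success" if success else "failure"
            alerts.append((t, "break_glass_use", acct, f"{outcome} from {ev['source_ip']}"))

        if acct in LOCAL_ADMIN and not success:
            q = failures.setdefault(acct, deque())
            q.append(t)
            while q and t - q[0] > FAIL_WINDOW:  # drop failures that fell out of the window
                q.popleft()
            if len(q) == FAIL_THRESHOLD:
                alerts.append((t, "admin_bruteforce", acct,
                               f"{len(q)} failures within {FAIL_WINDOW} from {ev['source_ip']}"))

        if acct in SERVICE and success and ev["logon_type"] in INTERACTIVE_LOGON_TYPES:
            alerts.append((t, "service_account_interactive", acct,
                           f"logon type {ev['logon_type']} from {ev['source_ip']}"))
    return alerts


# Constructed sample events: fictional hosts and addresses, for illustration only.
T0 = datetime(2026, 3, 19, 9, 0, 0)


def _ev(minutes, event_id, account, source_ip, logon_type=3):
    return {"time": T0 + timedelta(minutes=minutes), "event_id": event_id,
            "account": account, "source_ip": source_ip, "logon_type": logon_type}


SAMPLE_EVENTS = [
    _ev(0, 4624, "jsmith", "10.0.0.5", 2),
    # six failures against one local admin account in six minutes
    *[_ev(m, 4625, "WS-LOCALADMIN", "10.0.0.77") for m in range(1, 7)],
    _ev(15, 4625, "SRV-LOCALADMIN", "10.0.0.77"),   # a single failure: below threshold
    _ev(30, 4624, "BREAKGLASS-01", "10.0.0.9", 2),  # emergency account used
    _ev(45, 4624, "svc-backup", "10.0.0.20", 5),    # normal service logon: no alert
    _ev(50, 4624, "svc-backup", "10.0.0.31", 10),   # service account over RDP: alert
]

if __name__ == "__main__":
    for t, rule, acct, detail in detect(SAMPLE_EVENTS):
        print(f"{t:%H:%M} {rule:<28} {acct:<16} {detail}")
```

The break glass rule has no threshold on purpose: a correctly managed break glass account is used so rarely that each logon, successful or not, should be reconciled against a change or incident record, which is exactly the evidence an auditor asks for under the monitoring item above.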
Cross-framework mappings
How ISM-1685 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 5.17 | Partially overlaps | Annex A 5.17 requires a managed process for allocating and controlling authentication information and advising personnel on secure handling |
| Annex A 8.2 | Supports | ISM-1685 requires that critical account credentials (break glass, local administrator and service accounts) are long, unique, unpredictab... |
E8
| Control | Relationship | Notes |
|---|---|---|
| E8-RA-ML2.5 | Related | ISM-1685 requires that credentials for break glass accounts, local administrator accounts and service accounts are long, unique, unpredic... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.