Limit Cached Credentials to Single Logon
Users' credentials are stored only for their last login to enhance security.
Plain language
This control means that when you log into your work computer or system, it will only remember details from your last login. This is important because if a hacker gains access to your computer, they'll only find your most recent login details, reducing the chance they can get into other systems or services with older credentials.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2022
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Authentication hardening
Topic
Protecting Credentials
Official control statement
Cached credentials are limited to one previous logon.
Why it matters
Failure to limit cached credentials risks unauthorised access using older logins, exposing sensitive data and escalating potential breaches.
Operational notes
Set Windows 'CachedLogonsCount' to 1 via policy and audit the setting regularly to detect configuration drift.
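One way to run the audit described above on a single Windows host, as an added PowerShell example (not part of the control text or ASD guidance). It assumes the standard Winlogon registry location for `CachedLogonsCount`, treats a missing value as the Windows default of 10, and counts 0 (no caching) as compliant; the function name `Test-CachedLogonsCount` is hypothetical.

```powershell
# Added example: check the local cached-logon limit against the policy value.
# Assumption: the setting lives in the standard Winlogon key as a string value.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$PolicyLimit = 1      # control statement: one previous logon
$WindowsDefault = 10  # applies when the value is absent

function Test-CachedLogonsCount {
    param(
        [string]$Path = $WinlogonKey,
        [int]$MaxAllowed = $PolicyLimit
    )

    $item = Get-ItemProperty -Path $Path -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue

    if ($null -eq $item) {
        # Value not set: the host is running on the default, which is not compliant.
        $raw = $null
        $effective = $WindowsDefault
    } else {
        $raw = $item.CachedLogonsCount
        $parsed = 0
        if ([int]::TryParse([string]$raw, [ref]$parsed)) {
            $effective = $parsed
        } else {
            $effective = -1   # unparsable data is reported as non-compliant
        }
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        RawValue       = $raw
        EffectiveCount = $effective
        # Assumption: 0 (caching disabled) is stricter than the control and passes.
        Compliant      = ($effective -ge 0 -and $effective -le $MaxAllowed)
        CheckedAt      = (Get-Date).ToString('s')
    }
}

$result = Test-CachedLogonsCount
$result | Format-List
if (-not $result.Compliant) {
    Write-Warning "CachedLogonsCount is $($result.EffectiveCount); policy allows at most $PolicyLimit."
}
```

Running this on a schedule and keeping the output objects (for example with `Export-Csv -Append`) gives a dated record of the setting per host, which is the evidence needed to show drift over time.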
Implementation tips
- System administrators should adjust settings on all company computers and systems so they only keep the last login details. They can do this by accessing the system's security settings and setting the cached logons to one.
- The IT team should document the process for limiting cached logins as a policy. This involves writing a clear step-by-step guide that outlines how to set these configurations on each type of device the organisation uses.
- Business managers should schedule regular training sessions on security protocols. These sessions will explain why login limits are crucial and how employees can protect their credentials better.
- Procurement should ensure that any new hardware or software purchased supports the ability to limit cached credentials. When evaluating new purchases, they should check technical specifications or ask vendors directly about this feature.
- IT personnel should regularly review and update all devices to ensure they continue to comply with this requirement by running routine checks and updating system settings as needed.
Audit / evidence tips
- Ask: the security configuration documentation. Request a copy of the policy that describes how cached logins are limited to one.
  Good: a well-documented policy with clear instructions on implementing this control.
- Ask: to see system settings. Have the IT team demonstrate the configuration on a sample computer.
  Good: the system clearly shows the setting is enabled and active.
- Ask: a list of all systems and devices. Request an inventory showing which systems have this control applied.
  Good: a comprehensive list where control implementation is marked and matched against settings.
- Ask: records of implementation training sessions. Check if training on limiting cached credentials has been conducted.
  Good: evidence of regular, completed sessions with participant lists.
- Ask: to review vendor specifications for new hardware/software. Verify that new purchases support limiting cached logons.
  Good: confirmation from vendors or system data sheets outlining this capability.
Cross-framework mappings
How ISM-1749 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| Supports (3) | | |
| E8-RA-ML3.5 | ISM-1749 requires cached credentials on systems to be limited to one previous logon to reduce the value of cached secrets if a device is ... | |
| E8-RA-ML3.6 | ISM-1749 requires cached credentials on endpoints to be limited to one previous logon, reducing stored credential material available afte... | |
| E8-RA-ML3.7 | ISM-1749 requires cached credentials to be limited to a single previous logon, primarily reducing offline/endpoint credential reuse after... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.