Set 30-Character Minimum for Key Administrator Passwords
Ensure key system accounts use passwords that are at least 30 characters long to enhance security.
Plain language
This control is about making sure important system accounts have strong passwords that are at least 30 characters long. It's crucial because weak passwords can be easily guessed or cracked by attackers, which might allow them to access and control your systems, leading to data breaches or operational disruptions.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Authentication hardening
Official control statement
Credentials for built-in Administrator accounts, break glass accounts, local administrator accounts and service accounts are a minimum of 30 characters.
Why it matters
If Administrator, break-glass, local admin or service account passwords are under 30 characters, attackers can brute-force or spray credentials and gain full administrative control.
Operational notes
Enforce a 30+ character minimum for built-in Administrator, break-glass, local admin and service accounts; routinely audit and rotate them using a password manager.
Implementation tips
- The IT team should update the password policy to require a minimum of 30 characters for all key administrator accounts. They can do this by accessing the password settings in the system configuration tool and adjusting the minimum password length to 30 characters.
- System administrators should communicate the importance of using long and complex passphrases to all users with access to key accounts. This can be done through training sessions or email reminders explaining how to create memorable yet complex passwords that meet the length requirement.
- The IT team should implement a password management tool that enforces the 30-character rule. They can select and set up a tool that automatically checks password length and helps users generate strong passwords.
- Managers should schedule regular password audits to ensure compliance. They should meet with IT twice a year to review password policies and gather reports showing that passwords meet the length requirement.
- System owners should disable or modify default administrator accounts to require 30-character passwords. This involves checking all systems for default accounts and updating their password settings accordingly.
Audit / evidence tips
- Ask for the password policy document: request evidence of the current password policy that specifies the 30-character requirement.
  Good evidence would show a policy document last reviewed within the past year with clear mention of the minimum character length.
- Ask for a report from the password management tool: request a report demonstrating compliance with the 30-character rule for all key accounts.
  Good evidence would indicate that all key accounts have passwords meeting or exceeding the 30-character length.
- Ask to see training materials or communications regarding password complexity: review emails or training session content sent to users with access to key accounts.
  Good evidence includes clear instructions tailored to non-technical staff.
- Ask for the audit schedule and results: request records of past audits on password compliance.
  Good evidence includes recent audit dates with findings that indicate compliance or actions planned to address gaps.
- Ask for evidence of disabling or modifying default administrator accounts: request a list of such accounts with their current password policies.
  Good evidence would confirm these accounts have unique passwords meeting the 30-character requirement.
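As an added example (not code from the Control Stack page or from the ISM), the Python script below demonstrates two of the checks described in the implementation and audit tips above: a compliance report built from a vault export that records only each credential's length (never the credential itself), and a passphrase generator that cannot return a credential shorter than the 30-character minimum. The CSV export format, its column names, the account-type labels and the password vault itself are assumptions made for the example; the sample rows are constructed.

```python
import csv
import io
import math
import secrets

MIN_LENGTH = 30  # ISM-1795: minimum credential length for in-scope accounts

# Account categories named by the control statement (labels are assumed).
IN_SCOPE_TYPES = {"builtin-admin", "break-glass", "local-admin", "service"}

# Constructed sample export from a hypothetical password vault. It carries
# only the stored credential's length, so the report never handles secrets.
SAMPLE_EXPORT = """\
account,host,type,password_length,last_rotated
Administrator,dc01,builtin-admin,42,2025-11-02
breakglass-ad,ad-forest,break-glass,28,2025-06-14
svc-backup,backup01,service,64,2026-01-20
localadmin,ws-finance-07,local-admin,16,2024-12-01
jsmith,corp,user,14,2026-02-10
"""


def load_export(text):
    """Parse the CSV export into a list of dict rows with an integer length."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["password_length"] = int(row["password_length"])
    return rows


def assess(rows, min_length=MIN_LENGTH):
    """Split accounts into compliant / non-compliant / out-of-scope buckets.

    Only the four account categories the control names are measured against
    the minimum; everything else is listed as out of scope so an auditor can
    see it was considered rather than silently dropped.
    """
    result = {"compliant": [], "non_compliant": [], "out_of_scope": []}
    for row in rows:
        if row["type"] not in IN_SCOPE_TYPES:
            result["out_of_scope"].append(row["account"])
        elif row["password_length"] >= min_length:
            result["compliant"].append(row["account"])
        else:
            result["non_compliant"].append(row["account"])
    return result


def format_report(assessment, min_length=MIN_LENGTH):
    """Render the assessment as the plain-text evidence an auditor asks for."""
    lines = [f"ISM-1795 credential length check (minimum {min_length} characters)"]
    for bucket in ("compliant", "non_compliant", "out_of_scope"):
        names = ", ".join(assessment[bucket]) or "none"
        lines.append(f"  {bucket.replace('_', ' ')}: {names}")
    return "\n".join(lines)


def generate_passphrase(wordlist, min_length=MIN_LENGTH, separator="-"):
    """Build a random passphrase that meets the minimum length.

    Words are drawn with the `secrets` module (a CSPRNG) and appended until
    the joined string is at least `min_length` characters, so the result
    satisfies the control whatever the word lengths are.
    """
    if not wordlist:
        raise ValueError("wordlist must not be empty")
    words = []
    while len(separator.join(words)) < min_length:
        words.append(secrets.choice(wordlist))
    return separator.join(words)


def passphrase_entropy_bits(wordlist_size, word_count):
    """Entropy of `word_count` words drawn uniformly from `wordlist_size`."""
    return word_count * math.log2(wordlist_size)


if __name__ == "__main__":
    print(format_report(assess(load_export(SAMPLE_EXPORT))))
    # Constructed demo wordlist; a real deployment uses a large diceware-style list.
    demo_words = ["harbour", "granite", "lantern", "copper", "meadow", "violet", "kestrel", "tundra"]
    phrase = generate_passphrase(demo_words)
    print(f"sample passphrase ({len(phrase)} chars): {phrase}")
    print(f"six words from a 7776-word list: {passphrase_entropy_bits(7776, 6):.1f} bits")
```

The report deliberately separates "out of scope" from "compliant" so that a reviewer can confirm which accounts were classified as built-in Administrator, break-glass, local administrator or service accounts; misclassification is the usual way a short credential escapes this check. The entropy helper is there to show that a 30-character passphrase drawn from a large word list is both memorable and well above the strength of a short random password, which is the point the training communications in the tips above need to make.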
Cross-framework mappings
How ISM-1795 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| E8-RA-ML2.5 | ISM-1795 requires credentials for built-in Administrator accounts, break glass accounts, local administrator accounts and service account... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.