Set 30-Character Minimum for Key Administrator Passwords
Ensure key system accounts use passwords that are at least 30 characters long to enhance security.
🏛️ Framework: ASD Information Security Manual (ISM)
🧭 Control effect: Preventative
🔐 Classifications: NC, OS, P, S, TS
🗓️ ISM last updated: Aug 2024
✏️ Control Stack last updated: 22 Feb 2026
🎯 E8 maturity levels: N/A
Credentials for built-in Administrator accounts, break glass accounts, local administrator accounts and service accounts are a minimum of 30 characters.
Source: ASD Information Security Manual (ISM)
Plain language
This control is about making sure important system accounts have strong passwords that are at least 30 characters long. It's crucial because weak passwords can be easily guessed or cracked by attackers, which might allow them to access and control your systems, leading to data breaches or operational disruptions.
Why it matters
If built-in Administrator, break-glass, local administrator or service account passwords are shorter than 30 characters, they are far easier to brute-force or to guess in a credential-spraying attempt, and a single successful guess hands an attacker full administrative control of the system.
Operational notes
Enforce a 30+ character minimum for built-in Administrator, break-glass, local admin and service accounts; routinely audit and rotate them using a password manager.
Implementation tips
- The IT team should update the password policy to require a minimum of 30 characters for all key administrator accounts. They can do this by accessing the password settings in the system configuration tool and adjusting the minimum password length to 30 characters.
- System administrators should communicate the importance of using long and complex passphrases to all users with access to key accounts. This can be done through training sessions or email reminders explaining how to create memorable yet complex passwords that meet the length requirement.
- The IT team should implement a password management tool that enforces the 30-character rule. They can select and set up a tool that automatically checks password length and helps users generate strong passwords.
- Managers should schedule regular password audits to ensure compliance. They should meet with IT twice a year to review password policies and gather reports showing that passwords meet the length requirement.
- System owners should disable or modify default administrator accounts to require 30-character passwords. This involves checking all systems for default accounts and updating their password settings accordingly.
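The tips above describe one procedure: enforce a length minimum, help users generate passphrases that meet it, and audit the privileged accounts against it. The following script is an added example written for this page; it is not code from Control Stack or from the ISM. It assumes a password manager can export each account's name, category and password length (the constructed SAMPLE_EXPORT list) so that plaintext never leaves the vault, and it uses a small constructed wordlist purely for illustration. It also reports entropy alongside length, because a 30-character passphrase drawn from a tiny wordlist satisfies the character count while offering far less guessing resistance than its length suggests.

```python
import math
import secrets
import string

# ISM-1795: privileged account credentials must be at least 30 characters.
MIN_LENGTH = 30

# Constructed sample wordlist for illustration only; a production generator
# should use a large published list (thousands of words) so each word adds
# more entropy.
WORDLIST = [
    "anchor", "basalt", "cactus", "dolphin", "ember", "falcon", "garnet",
    "harbor", "iris", "jasper", "kestrel", "lantern", "meadow", "nectar",
    "orchid", "pebble", "quartz", "ravine", "saffron", "tundra", "umber",
    "velvet", "willow", "xenon", "yonder", "zephyr", "bramble", "cobalt",
    "dune", "fjord", "glacier", "heron", "juniper", "kelp", "lichen", "marsh",
]

SYMBOL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(min_length=MIN_LENGTH, words=WORDLIST, separator="-"):
    """Return a random separator-joined passphrase of at least min_length chars.

    Words are drawn with secrets.choice (a CSPRNG); words are appended until
    the length requirement is met, so the result may exceed min_length.
    """
    chosen = []
    while len(separator.join(chosen)) < min_length:
        chosen.append(secrets.choice(words))
    return separator.join(chosen)


def passphrase_entropy_bits(passphrase, words=WORDLIST, separator="-"):
    """Entropy, in bits, of a passphrase built by generate_passphrase.

    Each word contributes log2(len(words)) bits; separators contribute none.
    Guessing resistance depends on this figure, not on character count alone.
    """
    n_words = len(passphrase.split(separator))
    return n_words * math.log2(len(words))


def generate_random_password(length=MIN_LENGTH):
    """Return a random password of exactly `length` printable characters,
    suitable for service accounts where no human needs to remember it."""
    return "".join(secrets.choice(SYMBOL_ALPHABET) for _ in range(length))


def meets_length_policy(password, min_length=MIN_LENGTH):
    """True when the password satisfies the minimum length."""
    return len(password) >= min_length


def audit_account_records(records, min_length=MIN_LENGTH):
    """Audit the length attribute exported by a password manager.

    records: iterable of dicts with keys 'account', 'kind', 'password_length'.
    Only the privileged account kinds named by ISM-1795 are assessed.
    Returns the non-compliant records (with the shortfall), sorted by account.
    """
    privileged_kinds = {"builtin-admin", "break-glass", "local-admin", "service"}
    findings = []
    for rec in records:
        if rec["kind"] not in privileged_kinds:
            continue
        if rec["password_length"] < min_length:
            findings.append({**rec, "shortfall": min_length - rec["password_length"]})
    return sorted(findings, key=lambda r: r["account"])


# Constructed sample export (not real accounts) of the kind a vault can produce.
SAMPLE_EXPORT = [
    {"account": "Administrator", "kind": "builtin-admin", "password_length": 14},
    {"account": "breakglass01", "kind": "break-glass", "password_length": 42},
    {"account": "svc_backup", "kind": "service", "password_length": 24},
    {"account": "jsmith", "kind": "standard-user", "password_length": 12},
]

if __name__ == "__main__":
    phrase = generate_passphrase()
    print(f"passphrase: {phrase} ({len(phrase)} chars, "
          f"{passphrase_entropy_bits(phrase):.1f} bits)")
    print("service-account password:", generate_random_password())
    for f in audit_account_records(SAMPLE_EXPORT):
        print(f"NON-COMPLIANT {f['account']} ({f['kind']}): "
              f"short by {f['shortfall']} characters")
```

Running the script prints a generated passphrase with its entropy, a random service-account password, and the two sample accounts that fall short of the 30-character requirement. The audit deliberately consumes only lengths, which is the same data the "report from the password management tool" evidence item below relies on.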
Audit / evidence tips
- Ask for the password policy document: request evidence of the current password policy that specifies the 30-character requirement. Good evidence: a policy document last reviewed within the past year with clear mention of the minimum character length.
- Ask for a report from the password management tool: request a report demonstrating compliance with the 30-character rule for all key accounts. Good evidence: the report indicates that all key accounts have passwords meeting or exceeding the 30-character length.
- Ask to see training materials or communications regarding password complexity: review emails or training session content sent to users with access to key accounts. Good evidence: clear instructions tailored to non-technical staff.
- Ask for the audit schedule and results: request records of past audits on password compliance. Good evidence: recent audit dates with findings that indicate compliance or actions planned to address gaps.
- Ask for evidence of disabling or modifying default administrator accounts: request a list of such accounts with their current password policies. Good evidence: confirmation that these accounts have unique passwords meeting the 30-character requirement.
Cross-framework mappings
How ISM-1795 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| E8-RA-ML2.5 | ISM-1795 requires credentials for built-in Administrator accounts, break glass accounts, local administrator accounts and service account... | |