ISM-1806 ASD Information Security Manual (ISM)

Change Default User Credentials During Setup

Change or remove default user accounts when setting up applications to enhance security.

🏛️ Framework

ASD Information Security Manual (ISM)

🧭 Control effect

Preventative

🔐 Classifications

NC, OS, P, S, TS

🗓️ ISM last updated

May 2025

✏️ Control Stack last updated

22 Feb 2026

🎯 E8 maturity levels

N/A

Official control statement
Default user accounts or credentials for user applications, including for any pre-configured user accounts, are changed, disabled or removed during initial setup.

Source: ASD Information Security Manual (ISM)

Plain language

When setting up new software or systems, it's important to change or remove any user accounts or passwords that come pre-installed. Hackers often know these default accounts and can use them to break into your system, putting your information at risk. By changing them, you're adding an extra layer of security right from the start.

Why it matters

If default credentials remain unchanged, attackers can log in using publicly known vendor defaults, leading to unauthorised access and data breaches.

Operational notes

During commissioning, change or disable all vendor default accounts (including built-in and pre-configured users) and verify with periodic account audits and login tests.
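The audit and login test described above can be scripted. The following is an added example (not Control Stack's or ASD's code) that takes a hypothetical application's exported user list and the default accounts listed in the vendor's documentation, and reports for each documented default whether it was removed, disabled, or re-credentialled, and whether any enabled pre-configured account exists that the vendor never documented. The export format, the PBKDF2-based credential store, the commissioning timestamp and the sample accounts are all constructed for the example; in a real audit the login test is made against the application's login interface rather than an offline store.

```python
"""ISM-1806 commissioning audit: check vendor default accounts after install.

Added example; the export format, credential store and sample data below are
assumptions constructed for illustration, not any real product's.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timezone

PBKDF2_ROUNDS = 100_000  # assumed work factor of the hypothetical credential store


@dataclass
class Account:
    """One row of the application's exported user list (hypothetical format)."""
    username: str
    enabled: bool
    created: datetime   # when the account came into existence
    salt: bytes
    verifier: bytes     # PBKDF2-HMAC-SHA256(password, salt)


def make_verifier(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def login_test(acct: Account, password: str) -> bool:
    """Offline stand-in for a login attempt: does the stored verifier accept this password?"""
    return hmac.compare_digest(make_verifier(password, acct.salt), acct.verifier)


def audit_default_accounts(accounts, vendor_defaults, commissioned_at):
    """Return (username, status, reason) tuples for every account the control covers.

    vendor_defaults: {username: default_password} from the vendor's documentation.
    commissioned_at: install time; accounts created before it shipped pre-configured.
    """
    findings = []
    by_name = {a.username: a for a in accounts}

    # 1. Every documented default account must be removed, disabled or re-credentialled.
    for name, default_pw in vendor_defaults.items():
        acct = by_name.get(name)
        if acct is None:
            findings.append((name, "PASS", "default account removed"))
        elif not acct.enabled:
            findings.append((name, "PASS", "default account disabled"))
        elif login_test(acct, default_pw):
            findings.append((name, "FAIL", "still accepts the vendor default password"))
        else:
            findings.append((name, "PASS", "default password changed"))

    # 2. Pre-configured accounts the vendor did not document still need a decision.
    for acct in accounts:
        if (acct.username not in vendor_defaults and acct.enabled
                and acct.created < commissioned_at):
            findings.append((acct.username, "WARN",
                             "undocumented pre-configured account is enabled"))
    return findings


def is_compliant(findings) -> bool:
    """The control is met only when no documented default still works."""
    return not any(status == "FAIL" for _, status, _ in findings)


def sample_export():
    """Constructed user export for a freshly installed product (not real vendor data)."""
    commissioned_at = datetime(2026, 1, 10, tzinfo=timezone.utc)
    shipped = commissioned_at.replace(year=2025)  # baked into the product image

    def acct(name, enabled, created, password):
        salt = os.urandom(16)
        return Account(name, enabled, created, salt, make_verifier(password, salt))

    accounts = [
        acct("admin", True, shipped, "correct horse battery staple"),  # re-credentialled
        acct("guest", False, shipped, ""),                             # disabled
        acct("support", True, shipped, "support123"),                  # untouched
        acct("installer", True, shipped, "installer"),                 # not in vendor docs
        acct("jsmith", True, commissioned_at.replace(day=12), "Wk!9qz#pL2"),  # org-created
    ]
    # Default accounts as listed in the (constructed) vendor documentation.
    vendor_defaults = {"admin": "admin", "guest": "", "support": "support123", "sysop": "sysop"}
    return accounts, vendor_defaults, commissioned_at


if __name__ == "__main__":
    accounts, defaults, t0 = sample_export()
    findings = audit_default_accounts(accounts, defaults, t0)
    for username, status, reason in findings:
        print(f"{status:4} {username:10} {reason}")
    print("compliant" if is_compliant(findings) else "NOT compliant")
```

Keeping the findings as structured records rather than just printing them gives the account-change evidence an auditor asks for: the same output, stored with the commissioning date, is the record that ties a new system to its default-account changes.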

Implementation tips

  • System owners should ensure any new software or hardware is reviewed immediately after installation. Check for any user accounts that came with the system and document them. Work closely with IT specialists to change these account passwords or delete the accounts if they are not needed.
  • IT teams should document a standard procedure for updating or removing pre-configured user accounts on all new systems. This procedure could be a checklist that is updated regularly and shared with all IT staff. Make sure this becomes a standard part of the setup process.
  • Managers should support training for all relevant staff on the importance of changing default user credentials. Arrange a training session where IT explains the risks of leaving default accounts unchanged and demonstrates how to identify and modify these accounts.
  • Procurement teams should liaise with vendors to understand any default credentials included with purchased systems. Request documentation from vendors that lists all default accounts so that these can be identified and managed during installation.
  • Audit and compliance officers should conduct regular checks to ensure that default account settings have been changed. Develop a schedule where systems are randomly checked for compliance and maintain records of these audits for tracking purposes.

Audit / evidence tips

  • Ask for: the setup procedure document. Request the checklist or written procedure that includes steps for changing default credentials during setup.

    Good sign: a clearly detailed procedure that includes changing or removing default user accounts.

  • Ask for: documentation of user account changes during recent system setups. Request logs or records showing user account setups and modifications.

    Good sign: a complete list that shows a match between new systems and changes to default account settings.

  • Ask for: evidence of training sessions. Request a record of training sessions provided to staff about managing default user credentials.

    Good sign: regular training with widespread attendance among relevant personnel.

  • Ask for: vendor-provided documentation. Request any documentation vendors provided with new systems concerning default accounts.

Cross-framework mappings

How ISM-1806 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.

ISO 27001

Control        Notes
Partially meets (2)
Annex A 8.9    ISM-1806 requires default user accounts and credentials in user applications to be changed, disabled or removed during initial setup
Annex A 8.26   ISM-1806 requires default user accounts or credentials for user applications to be changed, disabled or removed during initial setup
