Ensure User Passwords Expire and Are Required
Ensure user accounts have passwords that expire and are always required.
Plain language
This control ensures that passwords for user accounts expire and are required, preventing people from keeping the same password forever or having no password at all. Without it, accounts could be vulnerable to unauthorised access, risking data breaches or operational disruptions.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Feb 2023
Control Stack last updated
18 June 2026
E8 maturity levels
N/A
Section
Server Application Hardening
Official control statement
User accounts are not configured with password never expires or password not required.
Why it matters
Without enforcing password expiry, accounts can be easily compromised, leading to unauthorised access, data loss, or costly security breaches.
Operational notes
Regularly check and update password policies to align with best practices, such as those from the Australian Cyber Security Centre (ACSC).
Implementation tips
- The IT team should configure the user management system to enforce password expiry. This involves setting up automatic prompts for users to update their passwords after a specific period, such as every 90 days.
- Managers should communicate with staff about the importance of changing passwords regularly and not using easily guessed ones. This can be done through company memos or short training sessions.
- System administrators should adjust settings in the server applications to ensure all accounts require a password by default. They'll need to check the account configuration options in the system settings.
- IT support should provide a helpdesk service to assist with password resets and issues. They can set up a straightforward procedure for when users need help, such as a dedicated phone line or email support.
- HR should collaborate with IT to ensure that new employees set a strong password upon account creation. This can be achieved by including password creation steps in the onboarding process.
Audit / evidence tips
- Ask: a report from the User Management System showing password expiry settings. Look at: the expiry policies in place. Good: shows configured expiry intervals and enforcement on all user accounts.
- Look at: attendance records or emails. Good: includes dated materials explaining password requirements and who received them.
- Ask: system configuration documentation on password requirements. Look at: system settings descriptions. Good: includes screenshots or reports confirming mandatory password enforcement.
- Look at: recorded interactions and resolutions. Good: shows timely and effective handling of password reset requests.
- Ask: onboarding materials covering password creation policies. Look at: training materials or guides provided to new hires. Good: features detailed steps for creating secure passwords for new employees.
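The implementation tips above ask administrators to enforce expiry and a mandatory password, and the audit tips ask for a report proving it. The script below is an added example (not from the page or any vendor) that produces such a report from an account export. It assumes a Windows/Active Directory style export, which the page does not specify: the two control settings correspond to the real userAccountControl bits PASSWD_NOTREQD and DONT_EXPIRE_PASSWORD, and the 90-day interval is the one the page gives as an example. The account data is constructed.

```python
"""Audit exported user accounts for ISM-1837 findings (constructed sample data)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Windows userAccountControl bit flags; the page names no platform, so an
# Active Directory style export is an assumption of this example.
PASSWD_NOTREQD = 0x0020          # "password not required"
DONT_EXPIRE_PASSWORD = 0x10000   # "password never expires"
NORMAL_ACCOUNT = 0x0200

MAX_PASSWORD_AGE_DAYS = 90       # interval the page gives as an example
AUDIT_DATE = date(2026, 6, 18)   # constructed "today" for the report


@dataclass(frozen=True)
class Account:
    name: str
    user_account_control: int
    password_last_set: Optional[date]   # None = password never set


def audit_account(acct: Account, today: date = AUDIT_DATE,
                  max_age_days: int = MAX_PASSWORD_AGE_DAYS) -> List[str]:
    """Return the ISM-1837 findings for one account (empty list = compliant)."""
    findings = []
    if acct.user_account_control & PASSWD_NOTREQD:
        findings.append("password not required")
    if acct.user_account_control & DONT_EXPIRE_PASSWORD:
        findings.append("password never expires")
    if acct.password_last_set is None:
        findings.append("password never set")
    elif (today - acct.password_last_set).days > max_age_days:
        findings.append(f"password older than {max_age_days} days")
    return findings


def audit_report(accounts: List[Account], today: date = AUDIT_DATE) -> Dict[str, List[str]]:
    """Map each non-compliant account to its findings; compliant accounts are omitted."""
    return {a.name: f for a in accounts if (f := audit_account(a, today))}


# Constructed sample export, not real accounts.
SAMPLE_ACCOUNTS = [
    Account("alice", NORMAL_ACCOUNT, date(2026, 5, 1)),                          # compliant
    Account("svc_backup", NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD, date(2024, 1, 15)),
    Account("kiosk", NORMAL_ACCOUNT | PASSWD_NOTREQD, None),
    Account("bob", NORMAL_ACCOUNT, date(2025, 12, 1)),                           # stale password
]

if __name__ == "__main__":
    for name, findings in audit_report(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {', '.join(findings)}")
```

Feed the report output to the "Good" evidence column: an empty report for a dated export is the evidence that expiry and mandatory passwords are enforced on all accounts.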
Cross-framework mappings
How ISM-1837 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 5.17 | ISM-1837 requires user accounts to be configured so that passwords are required and do not use the 'password never expires' setting | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.