ISM-1840 policy ASD Information Security Manual (ISM)

Prevent Reversible Encryption of User Passwords

User account passwords must not be stored in a way that allows them to be easily decrypted.


Plain language

This control is about making sure that user passwords are stored in a form that can't be easily deciphered, which means avoiding any storage method that lets a password be turned back into plain text. This matters because if passwords are stored insecurely, someone who gains access to them can easily use or misuse user accounts, leading to data breaches, financial loss, or damage to the organisation's reputation.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

User account passwords do not use reversible encryption.

Why it matters

If passwords are stored with reversible encryption, a breach could expose passwords and enable credential reuse and account takeover across systems.


Operational notes

Regularly confirm password storage uses strong one-way hashing (e.g., bcrypt/Argon2) with unique salts, and audit systems to ensure no reversible encryption is enabled.


Implementation tips

  • IT team should configure the password storage settings: Ensure all passwords in systems, especially in Active Directory, are stored using one-way hashing methods that cannot be reversed back to the original password. Use secure, recommended algorithms like bcrypt or Argon2 to safeguard user passwords.
  • System owner should review policies: Establish and document clear policies on how passwords are stored, ensuring there is no option for reversible encryption. Work with IT experts to update these policies regularly to match the latest security practices, and educate staff on these protocols.
  • IT security specialist should perform regular audits: Conduct frequent checks of system settings to confirm that reversible encryption of passwords is not enabled. Use tools to scan for configurations that might allow password reversal and fix them immediately.
  • Managers should train staff: Arrange for regular training sessions to ensure all staff understand the company's password security policies and why reversible encryption is not secure. Highlight the potential risks of insecure password practices.
  • Procurement should verify security standards: When acquiring new software or systems, ensure they comply with security standards that prevent reversible encryption of passwords. Work closely with vendors to confirm systems are configured correctly out-of-the-box.
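The regular audit the tips call for, as an added example that is not part of the ISM or of this page: in Active Directory the per-account "Store password using reversible encryption" tick box sets the documented `ENCRYPTED_TEXT_PWD_ALLOWED` (0x0080) bit of the `userAccountControl` attribute, so a user export can be scanned for that bit. The CSV export, account names and flag values below are constructed for the example; the column names are the attribute names AD uses.

```python
import csv
import io

# Added example (not from the ISM or the page): scan an Active Directory user export for
# accounts whose userAccountControl has the ENCRYPTED_TEXT_PWD_ALLOWED bit set. That bit
# is what the per-account "Store password using reversible encryption" tick box controls.

ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080   # documented userAccountControl flag value
ACCOUNTDISABLE = 0x0002               # documented userAccountControl flag value

# Constructed sample export (made-up names and values) in the shape of a CSV with the
# sAMAccountName and userAccountControl columns.
SAMPLE_EXPORT = """sAMAccountName,userAccountControl
alice,512
bob,640
svc-legacy-app,66176
carol,514
dave,642
"""


def find_reversible_accounts(export_text: str):
    """Return (enabled, disabled) account-name lists with the reversible-encryption bit set.

    Disabled accounts are reported rather than dropped: the flag persists, so the
    finding comes back the moment the account is re-enabled.
    """
    enabled, disabled = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        uac = int(row["userAccountControl"])
        if uac & ENCRYPTED_TEXT_PWD_ALLOWED:
            if uac & ACCOUNTDISABLE:
                disabled.append(row["sAMAccountName"])
            else:
                enabled.append(row["sAMAccountName"])
    return enabled, disabled


def audit_passes(export_text: str) -> bool:
    """ISM-1840 check: no account, enabled or disabled, may allow reversible encryption."""
    enabled, disabled = find_reversible_accounts(export_text)
    return not enabled and not disabled


if __name__ == "__main__":
    enabled, disabled = find_reversible_accounts(SAMPLE_EXPORT)
    print("enabled accounts allowing reversible encryption: ", enabled)
    print("disabled accounts allowing reversible encryption:", disabled)
    print("audit passes:", audit_passes(SAMPLE_EXPORT))
```

On a live domain the same attribute is exported with `Get-ADUser -Filter * -Properties userAccountControl`. The per-account bit is only half of the check: the domain password policy (Group Policy, Account Policies > Password Policy) has its own "Store passwords using reversible encryption" setting, which must also be disabled for the control to be met. Where the bit is found set, record why before clearing it, since it is usually there to serve a legacy authentication method that itself needs replacing.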

Audit / evidence tips

  • Ask: The password policy document. Request a copy of the organisation's password management policy. Good: Will specify the use of strong, one-way encryption methods and explicitly state the prohibition of reversible encryption.
  • Ask: Configuration screenshots. Request screenshots of the configuration settings in Active Directory or equivalent systems showing password settings. Good: Includes clear indicators, such as unticked boxes for reversible encryption options.
  • Ask: Audit logs. Request logs indicating checks or audits of password storage settings. Good: Would show regular audits, with any issues found addressed quickly.
  • Ask: Training records. Request records of staff training sessions on password security. Good: Includes regular training with a specific focus on password storage risks and best practices.
  • Ask: Software vetting documents. Request documents related to the vetting process when acquiring new systems. Good: Would show thorough evaluations against security benchmarks like the Essential Eight.

Cross-framework mappings

How ISM-1840 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Control: Annex A 5.17
Mapping: Partially meets (1)
Notes: ISM-1840 requires that user account passwords are not stored using reversible encryption.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
