Enforce Random Credentials for Administrator Accounts
Ensure admin and service account passwords are randomly generated to improve security.
Plain language
This control means that passwords for privileged accounts, such as the built-in administrator account, break glass accounts, local administrator accounts and service accounts, should be randomly generated instead of being chosen by people. This matters because a password that is guessed, stolen, or found to be the same on several systems lets an attacker take control of your systems and data, causing financial and operational problems.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Authentication hardening
Official control statement
Credentials for built-in Administrator accounts, break glass accounts, local administrator accounts and service accounts are randomly generated.
Why it matters
If administrator, break glass, local admin and service account passwords are not randomly generated, attackers can guess them, or reuse a credential recovered from one system on every other system that shares it (a local administrator password cloned from an image is the classic case), to gain privileged access and cause data breaches.
Operational notes
Use a password vault or LAPS to randomly generate and rotate credentials for built-in Administrator, break glass, local admin and service accounts; audit for reuse (the same credential on more than one account or host) and enforce rotation.
Implementation tips
- The IT team should use a password management tool to generate passwords for all administrator accounts. This tool can create complex passwords that are hard to guess and manage these securely for the team.
- Business owners should ensure that admin and service account passwords are changed regularly using a random generator. This involves setting up a schedule to automatically change these passwords every few months.
- Employees responsible for IT should implement policies requiring random password generation for service accounts. This can be done by configuring your systems and software to only allow passwords generated by a password manager.
- System administrators should educate users about the importance of random passwords through a training session. This session can include a demonstration of password generation tools and the risks of weak passwords.
- The security manager should review and update the organisation's password policy to include random password generation as a requirement. This involves documenting the process and ensuring access to necessary tools for all relevant staff.
Audit / evidence tips
- Ask for evidence of recent password changes for admin accounts (not the passwords themselves; an auditor should never need the plaintext). Good: vault or LAPS records show each credential as auto-generated, with the tool's name and change date.
- Ask for the password policy document and check whether it states the requirement for passwords to be randomly generated. Good: policy text states that random generation is mandatory and names the tools used.
- Ask for training session records: the documents or presentations used to educate staff about random password policies. Good: materials explain why random passwords matter and are accompanied by attendance records.
- Ask for logs of password changes in systems: IT system logs that show when and how passwords were updated. Good: logs show regular changes and indicate automated or random generation.
- Ask for a review or audit report of passwords: any recent assessment of password security practices. Good: the report shows regular assessments and compliance with randomisation.
Cross-framework mappings
How ISM-1954 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
E8
| Control | Notes | Details |
|---|---|---|
| Related (1) | | |
| E8-RA-ML2.5 | ISM-1954 requires credentials for built-in Administrator, break glass, local administrator and service accounts to be randomly generated | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.