Avoid Using Credential Hints in Systems
Systems should not offer password hints: a hint that helps a user recall a password helps an attacker guess it.
Plain language
Avoid password hints, the short reminders some systems show or send to help people remember a password, because anything that makes the password easier to recall also makes it easier for a bad actor to guess. If someone works out your password, they could access your organisation's sensitive information and cause harm, such as stealing data or disrupting operations.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Authentication hardening
Topic
Protecting Credentials
Official control statement
Credential hint functionality is not used for systems.
Why it matters
Credential hints increase the likelihood of unauthorised access. A hint is typically shown or sent before the user has authenticated, so anyone who can reach the login prompt or the recovery flow can read it, and it narrows the space an attacker has to search when guessing the password. The result is a higher risk of account compromise, data breach and financial loss.
Operational notes
Review authentication systems regularly to confirm that no hint mechanism remains or has been reintroduced (for example by a software update, a new application or a helpdesk script) that could help an attacker guess credentials.
Implementation tips
- System owners should review all login and account-recovery processes to identify where credential hints are used. List every instance where a hint might be displayed or sent to users, for example a hint field captured when an account is created, a "show hint" link on a login page, or a hint included in a recovery email. This ensures that no password hints remain available.
- IT teams should modify software and systems to disable password hint features. Check each system’s settings or configurations and switch off any options that provide hints. This will ensure that no hints are accidentally shown to users.
- Managers should educate staff on the importance of using strong, unique passwords without relying on hints. Organise training sessions explaining the risks of weak passwords and the benefit of using a password manager instead.
- Human Resources should update any employee handbooks or guidelines to include policies against using credential hints. Clearly document why hints aren’t used and describe the procedures to follow if help with credentials is needed.
- System administrators should implement measures that let users reset forgotten passwords easily and securely without needing hints. Ensure there is a clear password reset process that confirms the user's identity before allowing a password change, for example a time-limited, single-use link or code sent by email or to a registered mobile device.
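The review and reset steps above, as an added example that is not from the ISM or from this page: a Python sketch with a constructed user-store export, an audit function that flags records still carrying a hint field, and a reset flow that replaces hints with a short-lived, single-use token delivered out of band. The names `SAMPLE_USERS`, `_pending_resets`, the `password_hint` field and the 15-minute lifetime are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample export of a user store (not real data). Some records
# still carry a "password_hint" field left over from a hint feature;
# the field name is an assumption for this example.
SAMPLE_USERS = [
    {"username": "alice", "email": "alice@example.invalid", "password_hint": ""},
    {"username": "bob", "email": "bob@example.invalid", "password_hint": "dog's name + 1"},
    {"username": "carol", "email": "carol@example.invalid"},  # field absent: already clean
]


def accounts_with_hints(records):
    """Audit step: usernames whose record still carries a non-empty hint.

    These are the accounts where a hint could be shown or sent to a user
    and must be cleared before the hint feature is considered disabled."""
    return [r["username"] for r in records if r.get("password_hint", "").strip()]


# Hardened recovery: no hint is stored or shown. A short-lived, single-use
# token is sent out of band (email or mobile, as the page suggests) and must
# be presented before a password change is accepted.
RESET_TTL_SECONDS = 15 * 60
# Hypothetical in-memory store: username -> (sha256 of token, expiry time).
# Only a hash is kept, so a copy of this store does not yield usable tokens.
_pending_resets = {}


def request_reset(username, records, now=None):
    """Issue a reset token for a known user.

    Returns (token, delivery_address) for the out-of-band sender, or None
    for an unknown user. The message shown to the *requester* should be the
    same in both cases so the flow does not confirm which usernames exist."""
    now = time.time() if now is None else now
    record = next((r for r in records if r["username"] == username), None)
    if record is None:
        return None
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    _pending_resets[username] = (token_hash, now + RESET_TTL_SECONDS)
    return token, record["email"]


def complete_reset(username, token, now=None):
    """Verify a presented token: right user, unexpired, constant-time compare,
    single use. Returns True only when the caller may set a new password."""
    now = time.time() if now is None else now
    entry = _pending_resets.get(username)
    if entry is None:
        return False
    stored_hash, expiry = entry
    if now > expiry:
        _pending_resets.pop(username, None)  # expired tokens are discarded
        return False
    presented_hash = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(stored_hash, presented_hash):
        return False  # entry is kept; the genuine token may still arrive
    _pending_resets.pop(username, None)  # consumed: cannot be replayed
    return True


if __name__ == "__main__":
    print("accounts still carrying a hint:", accounts_with_hints(SAMPLE_USERS))
    token, address = request_reset("bob", SAMPLE_USERS)
    print("token would be sent to", address)
    print("reset with correct token:", complete_reset("bob", token))
    print("replay of same token:", complete_reset("bob", token))
```

The audit runs once over an export of the user store and should come back empty before the control is claimed as implemented; the reset functions show the shape a hint-free recovery path takes, with the token hashed at rest, bound to a username, expiring, and consumed on first use.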
Audit / evidence tips
- Ask for system configuration evidence: request documentation or screenshots showing the password-management settings of each in-scope system.
  Good evidence shows clearly that credential hints are disabled across all systems.
- Ask for training records: request materials and attendance logs from staff training sessions on password security.
  Good evidence includes dated training materials and a list of attendees.
- Ask for policy updates: request the latest employee handbook or IT policy documents.
  Good evidence shows the policies are current, state that hints are not used, and have been communicated to all staff.
- Ask for the password reset process: request the documentation or a walkthrough of the current reset process for users.
  Good evidence is a detailed description showing how users reset passwords securely, including how their identity is confirmed first.
- Ask for a demonstration: request a live or recorded demonstration of the login and password reset process.
  Good evidence shows each step with an explanation, and no hint appears at any point.
Cross-framework mappings
How ISM-1980 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
No cross-framework mappings recorded yet.