ISM-2044 ASD Information Security Manual (ISM)

Prevent Default Credentials in Software Installations

Ensure software does not come with default passwords; new credentials are set during installation.

Plain language

Setting up software with default passwords is risky because hackers can easily guess or find these common passwords online, just like a skeleton key that opens many doors. To stay secure, it’s crucial to create unique passwords for each new software installation, preventing unauthorised access and potential data breaches.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

May 2025

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Software has no default credentials; however, if credentials are required, they are created on first install by the installing organisation.
ASD Information Security Manual (ISM) ISM-2044

Why it matters

Default credentials let attackers guess or reuse logins to gain unauthorised access, leading to data compromise and service disruption.

Operational notes

On first install, create unique admin credentials (no vendor defaults), store them in a password manager, and verify all default accounts are removed/disabled.

Implementation tips

  • The IT team should create installation guidelines: Develop a step-by-step guide that ensures software installations do not use default passwords. Include instructions on generating strong, unique passwords during setup.
  • System managers should oversee installations: Ensure software installations are monitored to confirm new passwords are set. Host an installation session with a checklist to verify all steps are followed.
  • Procurement officers should communicate with vendors: When buying software, ask vendors if their software includes default credentials. Choose software that requires new credentials to be set during the first installation.
  • The IT security team should train staff: Conduct training sessions to educate employees on the importance of setting secure passwords during installations. Include practical exercises on creating strong passwords.
  • Administrators should implement password management tools: Use password managers to securely generate and store passwords. Ensure all software credentials are stored safely and only accessible to authorised personnel.

Audit / evidence tips

  • Ask: The installation checklist. Request documentation that outlines each step followed during software installation. Good: A completed checklist signed by an IT staff member.
  • Ask: Software procurement records. Request records that show communication with vendors about default credential policies. Good: Includes emails or written statements from the vendor.
  • Ask: To see training session records. Review attendance sheets and training materials used to educate staff on secure installations. Good: Training logs showing attendance and feedback.
  • Ask: A sample password report. Request a review of password strength used in recent installations. Good: A report confirming compliance with internal policies.
  • Ask: A demonstration of the password manager in use. Observe how passwords are generated and stored within the tool. Good: A demonstration showing efficiency and security features.

Cross-framework mappings

How ISM-2044 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)

  • Annex A 5.17: ISM-2044 requires software installations to avoid default credentials and to create credentials on first install by the installing organi...

Supports (1)

  • Annex A 8.19: Annex A 8.19 requires procedures and measures to securely manage software installation on operational systems

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
