Ensure Passwords Are Not Common or Compromised
Make sure passwords aren't from known compromised or common password lists to enhance security.
Plain language
When we talk about ensuring passwords aren't from known compromised or common lists, it's like making sure you aren't using the same old rusty key everyone else has. If you use a weak or already stolen password, it's much easier for someone to break in and steal your information or mess with your systems.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Passwords appearing in lists of commonly used passwords or lists of compromised passwords are not used.
Why it matters
Using common or compromised passwords invites unauthorised access, increasing the risk of data breaches and reputational damage.
Operational notes
Block passwords found in common/compromised lists by checking proposed passwords against breach datasets (e.g. Have I Been Pwned) and refresh the lists routinely.
Implementation tips
- IT team should implement password management tools: Use software that checks if passwords are on lists of known compromised or commonly used passwords. This involves integrating with online services that maintain these lists, to automatically flag or prevent unsafe passwords.
- System administrators should set up password policies: Develop and enforce rules that require employees to create complex passwords. This can be done through settings in your systems that demand a mix of letters, numbers, and special characters.
- HR should educate staff on password importance: Organise regular training sessions to explain why secure passwords matter and how to create them. Use examples of breaches caused by weak passwords to make it relatable.
- IT support should perform regular audits of user passwords: Conduct checks to ensure passwords haven't been compromised by using tools that compare them to known databases of breached passwords. Schedule audits at regular intervals and report findings.
- Management should ensure usage of multi-factor authentication: Require all staff to not only use passwords but also verify their identity through another method, such as a code sent to their phone. This adds an extra layer of security even if a password gets compromised.
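As an added example (not code from the ISM or from Control Stack), the screening logic the operational notes describe, written in Python in the style of the Have I Been Pwned range lookup: the proposed password is first checked against a local common-password list, then only the first five characters of its SHA-1 are handed to a range fetcher and the matching suffix is compared locally, so the password itself never leaves the system. The range fetcher, the password list and the breach counts are constructed stand-ins for offline use.

```python
import hashlib
from typing import Callable, Iterable

# Constructed sample of a common-password denylist. In production, load a
# large list from a file and refresh it routinely, as the control expects.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex of the password into the 5-character
    prefix that is sent to the range endpoint and the 35-character suffix
    that is compared locally (the k-anonymity scheme used by Pwned Passwords)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response ('SUFFIX:COUNT' per line) and return the breach
    count for the given suffix, or 0 if absent. Padding entries with count 0
    are treated the same as absent."""
    for line in range_body.splitlines():
        cand, sep, count = line.strip().partition(":")
        if sep and cand.upper() == suffix:
            return int(count) if count.strip().isdigit() else 0
    return 0


def check_password(password: str, fetch_range: Callable[[str], str],
                   common: Iterable[str] = COMMON_PASSWORDS) -> tuple[bool, str]:
    """Return (allowed, reason). The cleartext password and its full hash
    never leave the process; only the 5-character prefix is passed out."""
    if password.lower() in {c.lower() for c in common}:
        return False, "appears in common-password list"
    prefix, suffix = sha1_prefix_suffix(password)
    count = count_in_range(suffix, fetch_range(prefix))
    if count > 0:
        return False, f"seen {count} times in breach data"
    return True, "ok"


# Constructed offline stand-in for the range endpoint (hypothetical data, not a
# real lookup; a production fetcher would GET the range for the prefix). It
# reports the SHA-1 suffix of "Tr0ub4dor&3" as seen 3730 times and includes one
# zero-count padding entry, as a real range response may.
def sample_fetch_range(prefix: str) -> str:
    real_prefix, real_suffix = sha1_prefix_suffix("Tr0ub4dor&3")
    lines = [f"{'0' * 34}A:0"]  # padding entry, count 0
    if prefix == real_prefix:
        lines.append(f"{real_suffix}:3730")
    return "\n".join(lines) + "\n"
```

Rejections from `check_password` are the events the audit tips below expect to see in password-change logs.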
Audit / evidence tips
- Ask: the password policy document: Check that it describes requirements against using common or compromised passwords
  Good: includes explicit statements about checking passwords against known breach lists and updating these lists regularly
- Ask: to see reports from password audit tools
  Good: includes dated records showing audits performed regularly with documented follow-ups on any issues found
- Good: shows recent training dates and attendee lists, indicating regular educational efforts
- Ask: logs showing attempted password changes: Check if the system is automatically flagging or blocking weak passwords
  Good: provides logs where attempts to use weak or compromised passwords are promptly rejected
- Good: demonstrates integration with existing login systems and shows records of successful multifactor verification
Cross-framework mappings
How ISM-2078 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially overlaps (1) | | |
| Annex A 5.17 | Annex A 5.17 requires controlled management of authentication information and user guidance on appropriate handling of passwords and simi... | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.