Ensure Password Length is at Least 64 Characters
Systems must accept passwords of at least 64 characters; any maximum length limit must not be set lower than 64.
Plain language
This control means that you should allow users to create passwords that are at least 64 characters long (longer is fine). It matters because longer passwords and passphrases carry more entropy, making them far harder for attackers to guess or crack, which protects the accounts and data behind them.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Maximum length limits for passwords are not less than 64 characters.
Why it matters
If a system caps passwords below 64 characters, users are forced to choose shorter secrets (and cannot use long passphrases or manager-generated passwords), reducing entropy and making brute-force and offline password-cracking attacks more likely to succeed.
Operational notes
Confirm that every authentication component in the path (applications, IdPs, directories, gateways, input fields, server-side validation and the hashing layer) accepts passwords of at least 64 characters end to end, and that none of them silently truncates a longer password. Re-test after upgrades or configuration changes, since a new version or a restored default can lower the limit without warning.
Implementation tips
- The IT team should review the current password policy and identify every place a maximum length is enforced: web form maxlength attributes, server-side validators, directory or IdP password policies, and database column sizes. Each must permit at least 64 characters. Also check the hashing layer: some password-hashing functions only process a fixed number of input bytes (bcrypt, for example, uses at most 72 bytes), so a long or multibyte password can be accepted and then silently cut short before hashing.
- Managers should communicate the new password policy to all staff. They should explain the benefits of using longer passwords and provide examples of how to create memorable but lengthy passwords to encourage adoption.
- The HR team should update onboarding materials. New employees should be informed of the password requirements during their initial training to ensure they understand the importance and method of creating secure passwords.
- System administrators should test the system to confirm that there are no technical issues with longer passwords. Using test accounts, set passwords at the boundaries (63, 64, 65 and well beyond 64 characters, including non-ASCII characters) and confirm that each can be set and then used to log in. Also confirm the whole password is checked: after setting a long password, logging in with a shortened prefix of it must fail.
- The security officer should schedule routine checks. These checks are to ensure that the maximum password length setting remains in place and to address any compliance issues promptly.
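The probe below is an added example, not part of the ISM or of this control catalogue, that automates the checks in the tips above. It assumes the target exposes a set-password call and a login call, which are wrapped here in two constructed in-memory stores (one compliant, one that caps at 32 characters and hashes only the first 20) so the script runs offline; the probe lengths, user names and the PBKDF2 iteration count are illustrative choices:

```python
"""Probe an authentication backend for the properties ISM-2079 cares about:
it must accept passwords of at least 64 characters, it must not silently
truncate what it accepts, and the limit must count characters, not UTF-8
bytes. The two stores are constructed stand-ins; against a real system you
would wrap its set-password and login calls in the same two-method shape."""
import hashlib
import secrets


class CompliantStore:
    """Constructed stand-in for a backend that hashes the full UTF-8 password."""

    def __init__(self, iterations=2000):
        self._users = {}
        self._iterations = iterations  # kept low for the demo only

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self._iterations)

    def set_password(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt))
        return True

    def authenticate(self, user, password):
        if user not in self._users:
            return False
        salt, digest = self._users[user]
        return secrets.compare_digest(digest, self._hash(password, salt))


class LegacyStore(CompliantStore):
    """Constructed stand-in for a defective backend: rejects anything over 32
    characters and hashes only the first 20, so characters 21-32 are ignored."""

    MAX_LEN = 32
    HASHED_PREFIX = 20

    def set_password(self, user, password):
        if len(password) > self.MAX_LEN:
            return False
        return super().set_password(user, password[: self.HASHED_PREFIX])

    def authenticate(self, user, password):
        return super().authenticate(user, password[: self.HASHED_PREFIX])


def probe_password(length):
    """Deterministic, non-repeating test password of the requested length."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    return "".join(alphabet[i % len(alphabet)] for i in range(length))


def audit_password_length(store, minimum=64, probe_lengths=(8, 16, 32, 63, 64, 65, 128)):
    """Return a report dict; report["compliant"] is True only if every check passes."""
    report = {"accepted_lengths": [], "rejected_lengths": []}

    # 1. Boundary lengths: a password must be both settable and usable at that length.
    for n in probe_lengths:
        pw, user = probe_password(n), f"len{n}"
        ok = store.set_password(user, pw) and store.authenticate(user, pw)
        (report["accepted_lengths"] if ok else report["rejected_lengths"]).append(n)
    report["max_accepted"] = max(report["accepted_lengths"], default=0)
    report["accepts_minimum"] = minimum in report["accepted_lengths"]

    # 2. Silent truncation: set the longest accepted password, then log in with
    #    every shorter prefix. The shortest prefix that works is the number of
    #    characters actually being checked; None means the whole password counts.
    report["effective_limit"] = None
    if report["max_accepted"]:
        pw = probe_password(report["max_accepted"])
        store.set_password("trunc", pw)
        for k in range(1, len(pw)):
            if store.authenticate("trunc", pw[:k]):
                report["effective_limit"] = k
                break

    # 3. Characters, not bytes: 64 two-byte characters is 128 bytes of UTF-8,
    #    and the final character must still matter for login.
    multi = "\u00fc" * minimum
    report["multibyte_ok"] = bool(
        store.set_password("multi", multi)
        and store.authenticate("multi", multi)
        and not store.authenticate("multi", multi[:-1])
    )

    report["compliant"] = (
        report["accepts_minimum"]
        and report["effective_limit"] is None
        and report["multibyte_ok"]
    )
    return report


if __name__ == "__main__":
    for name, store in (("compliant", CompliantStore()), ("legacy", LegacyStore())):
        print(name, audit_password_length(store))
```

The prefix scan in step 2 is the check that catches the case a screenshot of a settings page never will: a system that accepts a 64-character password but only ever compares the first 20. Keep the report (not the test passwords) as audit evidence.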
Audit / evidence tips
- Ask for the password policy document: request the documented policy that sets out password requirements for users. Good evidence: the document states clearly that passwords of at least 64 characters are permitted.
- Ask for a demonstration of password settings: request that a system administrator shows you the relevant settings in each authentication system. Good evidence: the screen shows a maximum password length of 64 characters or more (or no maximum at all).
- Ask for employee training records: request proof that staff have been informed about the password policy. Good evidence: records showing that training sessions or onboarding materials covered the 64-character password policy.
- Ask for system logs or audit records: request records of recent password changes. Good evidence: records show password changes that met or exceeded 64 characters (length only; logs must never contain the passwords themselves).
- Ask for system documentation: request any technical documentation that supports the system configuration. Good evidence: documentation clearly states that the system accepts passwords of at least 64 characters and that the full password is used for authentication.
Cross-framework mappings
How ISM-2079 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Relationship | Notes |
|---|---|---|
| Annex A 5.17 | Partially overlaps | Annex A 5.17 requires a management process to control authentication information, including communicating appropriate handling requiremen... |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.