No Password Complexity Requirements Enforced
Passwords do not need to follow strict complexity rules.
Plain language
This control means that when people are creating passwords, they don't have to make them complicated with a mix of letters, numbers, and symbols. If passwords are not strong enough, it becomes easier for hackers to guess them and gain access to confidential information, putting the whole organisation at risk.
Framework
ASD Information Security Manual (ISM)
Control effect
Responsive
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
Password complexity requirements are not imposed for passwords.
Why it matters
Without password complexity requirements, users may choose weak passwords, making brute-force and credential guessing easier and increasing unauthorised access risk.
Operational notes
Monitor for compromised credentials, enforce MFA, and use password screening against breached-password lists to reduce the impact of weak, user-chosen passwords.
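As an added example (not part of this control page or the Control Stack project), the screening step above can be implemented with the k-anonymity scheme used by breached-password lookup services such as Have I Been Pwned's Pwned Passwords: the candidate password is hashed with SHA-1, only the first five hex characters of the digest are used to select a range, and the remaining suffix is compared locally so the full hash never leaves the client. The breached list here is a constructed sample, and the 14-character minimum is an assumed local policy value, not a figure from this page.

```python
import hashlib
from collections import Counter
from typing import Iterable

# Constructed sample standing in for a breached-password corpus (e.g. a local
# copy of a leaked-password list). Not real breach data.
CONSTRUCTED_BREACHED_PASSWORDS = [
    "password", "Password1!", "qwerty123", "letmein", "Summer2024Welcome!",
]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 digest, the hash form used by range-query services."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords: Iterable[str]) -> dict[str, Counter]:
    """Group digests by 5-char prefix, mirroring what a range query returns:
    for a given prefix, the list of 35-char suffixes and their breach counts."""
    index: dict[str, Counter] = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        prefix, suffix = digest[:5], digest[5:]
        index.setdefault(prefix, Counter())[suffix] += 1
    return index


BREACHED_INDEX = build_range_index(CONSTRUCTED_BREACHED_PASSWORDS)


def breach_count(password: str, index: dict[str, Counter]) -> int:
    """How many times the password appears in the breached set.
    Only the prefix would be sent to a remote service; the suffix match is local."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return index.get(prefix, Counter()).get(suffix, 0)


def screen_password(password: str, index: dict[str, Counter],
                    min_length: int = 14) -> tuple[bool, str]:
    """Accept a password only if it meets the assumed length floor and is not
    present in the breached list. No character-class rules are applied."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    if breach_count(password, index) > 0:
        return False, "appears in breached-password list"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "Summer2024Welcome!", "tangerine river cardboard lamp"):
        ok, reason = screen_password(candidate, BREACHED_INDEX)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'} ({reason})")
```

Wiring this into a real deployment means replacing `build_range_index` with either a locally mirrored list or a remote range query, and logging rejections (without the password) so the monitoring in the note above can see how often users hit the breached list.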
Implementation tips
- System owners should review and understand the risks associated with simple passwords. They can do this by consulting with IT security experts to learn about common threats and how strong passwords can mitigate these risks.
- IT teams should create a user-friendly guide on password best practices. This can be done by outlining simple rules for creating strong passwords, such as using a passphrase that includes a mix of unrelated words.
- Managers should ensure that all staff are aware of password importance by organising a password workshop. This workshop should cover why strong passwords are necessary and demonstrate how to create them.
- Procurement officers should look for security tools that help enforce strong passwords. They can achieve this by searching for tools with features that remind users to update their passwords regularly.
- HR should incorporate password awareness into the onboarding process. This can include giving new staff easy-to-understand instructions and ensuring they understand the risks of weak passwords.
Audit / evidence tips
- Ask for the latest password policy document: request the company's official guideline on how passwords should be created. Good evidence is a document detailing recommendations for strong passwords, even if complexity isn't enforced.
- Ask to see training records related to password security: request logs or records of any training sessions held for staff. Good evidence is documentation showing that staff were informed about how to create strong passwords.
- Ask for reports from any password management software: request any reports generated by software that manages or monitors password usage. Good evidence is detailed reports indicating password update reminders sent to users.
- Ask for evidence of communication sent to staff about password guidelines: request emails or memos circulated within the organisation. Good evidence is multiple records showing consistent, ongoing communication.
- Ask to see IT infrastructure access logs: request access logs from the IT department. Good evidence shows active monitoring and investigation of suspicious activities.
Cross-framework mappings
How ISM-2080 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
Partially overlaps (2)
| Control | Notes | Details |
|---|---|---|
| Annex A 5.15 | ISM-2080 states that password complexity requirements are not imposed for passwords | |
| Annex A 5.17 | ISM-2080 specifies that organisations do not enforce password complexity requirements | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.