Enforce Use of All ASCII Characters in Passwords
Allow any printable character to be used in passwords for increased complexity.
Plain language
Allowing all printable characters for passwords means you can use anything you can type on your keyboard, like symbols and punctuation, not just letters and numbers. This matters because a password with a mix of characters is much harder for hackers to guess, which keeps your accounts safer.
Framework
ASD Information Security Manual (ISM)
Control effect
Preventative
Classifications
NC, OS, P, S, TS
ISM last updated
Nov 2025
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Official control statement
All ASCII printable characters are supported for passwords.
Why it matters
If passwords can’t use all ASCII printable characters, users are forced into predictable patterns and reduced entropy, increasing susceptibility to guessing and brute-force attacks.
Operational notes
Test authentication and directory systems accept all ASCII printable characters end-to-end (including reset flows), and document any disallowed characters or escaping issues.
Implementation tips
- System owners should update password policies to include all ASCII characters as allowed choices. They can do this by working with the IT team to configure the system settings where passwords are created, so that any printable character can be used.
- IT teams should educate staff on the importance of using diverse characters in passwords. They can hold short training sessions showing how to use symbols, numbers, and letters creatively to make passwords stronger.
- Managers should ensure that new staff are briefed on strong password creation as part of onboarding. This can be done by integrating a password creation guide into the onboarding checklist that explains how to choose a strong password using a mix of characters.
- IT security leads should run periodic checks on systems to ensure they're accepting all ASCII characters in passwords. This involves testing the password system by attempting to set passwords with a variety of symbols, numbers, and letters.
- HR should update all company policies and training materials to reflect the change in password requirements. They can do this by reviewing current documents and inserting clear instructions and examples of acceptable passwords that use a mix of character types.
Audit / evidence tips
- AskThe updated password policy document: Request the manual or digital file that outlines password rules GoodIs a policy that lists examples of symbols and explains why these enhance security
- AskSystem configuration reports from the IT team: Request a report or screen capture showing the settings for password management systems GoodShows a settings page that visibly enables these options
- AskHR for staff training records and materials: Request documents used in recent password training sessions GoodIs detailed training materials with examples showing diverse character use
- AskTo see examples of system logs regarding password changes: Request logs that show recent password creations or changes GoodIs logs demonstrating the use of symbols and numbers alongside letters
- AskAn IT audit report focusing on password security: Request an internal or external audit document that evaluates password security practices GoodGives clear verification that systems allow a full range of characters
Cross-framework mappings
How ISM-2081 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| layers Partially meets (1) expand_less | ||
| Annex A 8.5 | ISM-2081 requires systems to accept all ASCII printable characters in passwords to avoid reducing entropy through unnecessary constraints | |
E8
| Control | Notes | Details |
|---|---|---|
| handshake Supports (1) expand_less | ||
| E8-RA-ML2.5 | ISM-2081 requires that all ASCII printable characters are supported for passwords, enabling stronger and more flexible password construction | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.