Routine password expiry, complicated composition rules and password-manager choice generate the strongest operator concern. Shared credentials, service accounts and insecure storage receive less public attention but create some of the most consequential control failures.
What is a password policy, and does my business actually need one?
A password policy sets the rules for creating, storing, using, sharing, resetting and retiring passwords, passphrases and other memorised credentials. It should apply to employees, contractors, administrators, service accounts, emergency accounts and any third party given business credentials. There is no single Australian law requiring every private business to use a document with this exact title, but credentials are central to APP 11 security, access control, contractual assurance and the Essential Eight MFA and administrative-privilege strategies. The password policy should therefore sit beneath the access-control policy and explain how its authentication requirements are implemented.
- business with employees, contractors or outsourced IT — Cover every human and non-human credential, including vendor, service, integration, local administrator and emergency accounts.
- APP entity covered by the Privacy Act — Credential controls form part of the reasonable technical and organisational measures used to protect personal information under APP 11.
- Essential Eight or ISM-aligned organisation — Map the policy to the applicable ISM credential controls and the organisation's target Essential Eight maturity level.
Every credential used to access the organisation’s systems, applications, devices, networks, information or data must be unique, appropriately strong, protected from unauthorised disclosure and used only by the person or service to which it was assigned. Credentials must be created, issued, stored, reset, transmitted and retired through approved processes and must be changed immediately when a defined compromise event occurs.
What must it contain — the non-negotiable sections?
State who and what the policy covers, then define minimum length, prohibited passwords, uniqueness, reuse, MFA and approved password-manager requirements. Include credential creation and reset, identity verification, secure issue and transmission, first-use changes, compromised-credential checks, storage, sharing, service accounts, privileged accounts, emergency access and exceptions. Name the policy owner and the people authorised to reset or recover credentials. The policy should also require technical enforcement and evidence, because a written rule that systems do not enforce is not a functioning control.
- cloud and SaaS-heavy business — Include cloud administrators, API secrets, integration credentials, recovery codes and vendor portals, not only corporate network passwords.
- business with legacy systems — Document systems that cannot support the standard, apply compensating controls and assign each exception an owner and expiry date.
- business using a managed password vault — Define vault ownership, administrator roles, sharing controls, recovery, MFA, audit logs, offboarding and emergency access.
This policy governs password and passphrase length, prohibited and compromised credentials, uniqueness and reuse, multi-factor authentication, approved password managers, credential generation and reset, identity verification, secure delivery and storage, privileged and service accounts, shared and emergency accounts, recovery methods, monitoring, exceptions and credential changes following compromise. Technical settings must enforce these requirements wherever the system supports them.
Length vs complexity — what actually makes a strong passphrase?
For a memorable passphrase, ACSC's public guidance recommends four or more unrelated random words totalling at least 15 characters. Length, unpredictability and uniqueness matter more than predictable substitutions such as changing an a to @ or adding 1! to the end. The current ISM goes further by saying password complexity requirements should not be imposed, commonly used or compromised passwords must be blocked, and systems should support passwords of at least 64 characters. Its formal minimum for non-classified single-factor authentication is 15 characters, while a password used as one factor in MFA may have a lower ISM minimum; a business may still choose a consistent 15-character policy for usability and simplicity.
- single-factor authentication — For non-classified, OFFICIAL: Sensitive and PROTECTED systems, the current ISM minimum is 15 characters.
- password used as part of MFA — The current ISM permits a lower formal minimum for specified classifications because the password is only one authentication factor, although organisations may adopt a stronger uniform minimum.
- system supporting generated passwords and a password manager — Use a long random generated credential rather than requiring the user to memorise four words.
A memorised passphrase must be at least 15 characters long and consist of four or more unrelated random words. It must be unique to the account and must not contain a known or compromised password, personal information, a predictable sentence, song lyric, quotation, keyboard pattern or obvious substitution. Systems must not impose arbitrary uppercase, lowercase, number and symbol composition rules unless a legacy system requires them and an approved exception records the reason.
Should we force 90-day password changes? (and when must credentials change)
Do not impose a blanket 90-day change rule on ordinary user credentials merely because it appears in an old template. The current ISM says credentials generally should not need routine changes and instead requires user credentials to change after compromise, suspected compromise, clear-text storage or transmission, or a change in membership of a shared account. A contractual, legacy-system or sector requirement may still impose expiry, and automated machine or service credentials can have separate lifecycle rules. ACSC's 2025 consumer password-manager page still recommends changing important passwords and the master password regularly, which is broader than the current ISM; for a business policy, the more specific current ISM event-driven approach is the clearer baseline unless another requirement applies.
- ordinary user credentials under the current ISM — Use compromise and exposure events rather than an arbitrary 90-day reset schedule.
- contract, regulator or legacy platform requires expiry — Comply with the binding requirement while documenting its source, scope and any usability or security risks.
- computer, service, token-signing or other machine credentials — Apply the credential-specific automated rotation or maximum-age rule rather than the user-password rule.
Ordinary user credentials will not be changed on an arbitrary 90-day schedule unless a documented law, contract, system limitation or approved risk requirement applies. A credential must be changed immediately if it is compromised, suspected of compromise, found in a breach or compromised-password source, stored or transmitted in clear text, disclosed to an unauthorised person, or affected by a change in membership of a shared account. Relevant sessions, tokens and recovery methods must also be revoked or reset.
Password managers and reuse — what should the rules be?
Every account should have a unique credential, which is impractical at business scale without an approved password manager or passwordless authentication. Use an organisation-approved manager that supports encryption, MFA, updates, breach alerts, controlled sharing, audit logs and secure recovery. Protect the vault with a unique, strong master passphrase and phishing-resistant MFA where available, and never store that master credential in the same vault or an unsecured note. Shared business secrets should be shared through controlled vault permissions rather than copied into email, chat, tickets or spreadsheets.
- small business without a current password manager — Select one approved product, migrate high-value accounts first and remove passwords from browsers, documents and informal shared lists.
- team sharing supplier or platform credentials — Use named vault access, audit logs and revocation rather than revealing the underlying password where the product supports it.
- high-value or privileged vault — Require phishing-resistant MFA, separate recovery material, restricted administrators and tested emergency access.
Credentials must not be reused across different systems or accounts. Business credentials must be stored in the organisation’s approved password manager or another approved protected credential store and must not be kept in email, chat, tickets, documents, spreadsheets, browser notes or unprotected device applications. The password-manager vault must be protected by a unique strong passphrase and multi-factor authentication. Shared access must use named vault permissions wherever technically possible.
How does MFA change the password rules?
MFA is a stronger additional control, not permission to reuse, share or expose a password. The current ISM distinguishes between a password used alone and one used as part of MFA, allowing a lower formal minimum for the latter on specified system classifications because another factor is also required. Essential Eight maturity requirements determine where MFA must be applied, with phishing-resistant methods required for relevant online services and systems at higher maturity levels. Prefer passkeys, FIDO2 security keys, certificates or equivalent phishing-resistant methods; ACSC describes SMS and voice-based methods as weaker.
- Essential Eight Maturity Level One — Apply MFA to the online and customer services specified by the maturity model, particularly those processing sensitive data.
- Essential Eight Maturity Level Two or Three — Extend MFA to the specified privileged and unprivileged system users and meet the applicable phishing-resistance requirements.
- service supports passkeys or passwordless authentication — Use the stronger passwordless or phishing-resistant method and retain recovery controls rather than forcing a password where it is unnecessary.
Multi-factor authentication must be enabled for every system and service designated by the Access Control Policy or the organisation’s Essential Eight target. Phishing-resistant MFA must be used where supported and required by risk or framework obligations. MFA does not permit password sharing, reuse or insecure storage. Where a service supports an approved passkey or passwordless method, that method may replace a password subject to approved recovery and device-security controls.
Service accounts, shared accounts and admin credentials
Human users should have named accounts so actions remain attributable; shared credentials should be exceptional, approved and controlled. Administrators should use separate privileged accounts and store privileged credentials in an approved vault rather than sharing one generic administrator password. The current ISM requires built-in administrator, break-glass, local administrator and service-account credentials to be long, unique, unpredictable, managed, randomly generated and at least 30 characters. Where possible, use managed service identities or group Managed Service Accounts so credential generation and rotation are automated rather than dependent on a person remembering a hidden password.
- small business using a shared supplier or platform login — Record the owner, authorised users and business need, store it in a controlled vault and change it whenever membership changes.
- Windows service account — Use a group Managed Service Account where supported instead of a manually maintained password.
- privileged or break-glass account — Use a long random vaulted credential, strong MFA where supported, restricted access, monitoring and a tested emergency-use process.
Shared human credentials are prohibited unless technically unavoidable and expressly approved. Every approved shared account must have an owner, authorised-user register, purpose, review date and protected vault record, and its credential must change whenever authorised membership changes. Built-in administrator, break-glass, local administrator and service-account credentials must be unique, unpredictable, randomly generated, managed and at least 30 characters long. Managed service identities must be used where supported.
How does it relate to the access-control policy and Essential Eight?
The access-control policy decides who may access each system, what level of access they receive and how that access is approved, reviewed and removed. The password policy supplies the detailed rules for one authentication method used to verify those identities. Password management is not a separate Essential Eight strategy, but it supports the Essential Eight MFA and restriction-of-administrative-privileges strategies. An organisation should not claim an Essential Eight maturity level merely because it has strong passphrases or MFA on selected accounts; the applicable requirements across all eight strategies must be assessed at the same target level.
- organisation implementing the Essential Eight — Map password and vault controls to MFA and privileged-access implementation, while assessing all eight strategies at the selected maturity level.
- business with a formal access-control policy — Use the same account types, approvers, privileged-account definitions, offboarding events and exception process in both policies.
- business without formal framework adoption — Use ACSC and ISM guidance as a risk-based Australian baseline without representing that the business is certified or formally compliant.
This policy implements the credential requirements of the Access Control Policy and supports the organisation’s Essential Eight multi-factor authentication and restriction of administrative privileges strategies. The Access Control Policy determines who receives access and at what level; this policy determines how password-based credentials are created, protected, reset and retired. The organisation must not claim an Essential Eight maturity level based on password controls or partial MFA deployment alone.
The common gaps and red flags?
Common red flags are short passwords dressed up with complexity, mandatory 90-day resets, predictable increments, password reuse and passwords stored in spreadsheets, tickets, scripts, source code or unprotected notes. Also look for generic administrator accounts, unowned service credentials, shared passwords that never change, reset processes that do not verify identity and temporary passwords sent through insecure channels. A password manager without MFA, recovery governance or offboarding can concentrate risk rather than control it. The policy should also block common and breached passwords and require systems to support long credentials rather than truncating them.
- business migrating from informal password sharing — Inventory credentials, move them into an approved vault, identify owners and replace shared human logins with named accounts where possible.
- legacy system with short maximum passwords — Record the system as an exception, add MFA or isolation where possible and plan replacement rather than presenting the weak setting as compliant.
- software developer or system operator — Scan repositories, scripts, configuration files, tickets, documents and file shares for embedded or clear-text secrets.
Credentials must not be stored or transmitted in clear text, embedded in source code or scripts, placed in tickets, email, chat, documents or spreadsheets, or written where they are exposed. Systems must block commonly used and known compromised passwords and must support long credentials. Password resets must verify the requester’s identity. Every credential must have an identifiable owner, and exceptions must record the risk, compensating controls, approver and expiry date.
What's my next step?
Common misconceptions
- Every ordinary user password must be changed every 90 days, even when it is unique and there is no evidence of compromise. VERIFIED
- ACSC requires every password to contain uppercase letters, lowercase letters, numbers and symbols. VERIFIED
- A short complex password is necessarily stronger than a longer passphrase made from unrelated random words. INFERRED
- Using MFA makes it acceptable to reuse, disclose or insecurely store the password. INFERRED
- Any MFA method is as resistant to phishing as a passkey or FIDO2 security key. VERIFIED
- A password manager removes all credential risk and does not need MFA, recovery controls or secure administration. VERIFIED
- A shared administrator password is acceptable if every person who knows it is trusted. INFERRED
- Service-account passwords can follow the same memorised-passphrase rules as an ordinary employee account. VERIFIED
- Changing Password1 to Password2 at the next expiry meaningfully creates a new unpredictable credential. INFERRED
- Strong passwords or MFA on selected accounts are enough to claim an Essential Eight maturity level. VERIFIED
Obligations at a glance
The obligations most relevant to this guide, with the regulator, the trigger and the timeframe. Follow the source links in the appendix for the authoritative wording.
| OBLIGATION | REGULATOR | TRIGGER | TIMEFRAME | PENALTY |
|---|---|---|---|---|
| APP 11 security of personal information | Office of the Australian Information Commissioner | An APP entity holds personal information protected by the Privacy Act 1988. | Ongoing while the personal information is held. | |
| ISM single-factor password strength | Australian Signals Directorate, Australian Cyber Security Centre | An ISM-aligned organisation uses password-based single-factor authentication on a non-classified, OFFICIAL: Sensitive or PROTECTED system. | At credential creation and whenever the credential is reset or changed. | |
| ISM compromise-driven user credential change | Australian Signals Directorate, Australian Cyber Security Centre | An ISM-aligned organisation determines that a user credential is compromised, suspected of compromise, stored or transmitted in clear text, or affected by changed shared-account membership. | When the triggering condition is identified. | |
| ISM credential non-reuse | Australian Signals Directorate, Australian Cyber Security Centre | An ISM-aligned organisation issues or permits user credentials for different systems. | At credential creation and use. | |
| ISM administrator and service-account credential strength | Australian Signals Directorate, Australian Cyber Security Centre | An ISM-aligned organisation uses built-in administrator, break-glass, local administrator or service accounts. | At creation and throughout the credential lifecycle. | |
| ISM protected credential storage | Australian Signals Directorate, Australian Cyber Security Centre | An ISM-aligned organisation stores credentials on a system or within a database. | Ongoing while the credentials are stored. | |
| Essential Eight multi-factor authentication | Australian Signals Directorate, Australian Cyber Security Centre | An organisation adopts the Essential Eight or is required to meet it by government policy, a regulator or a contract. | According to the selected maturity level and the systems, services and repositories within scope. |
Sources
- Creating strong passphrases primary
- Passphrases primary
- Password managers primary
- Guidelines for system hardening primary
- Implementing multi-factor authentication primary
- Essential Eight maturity model primary
- Guidelines for personnel security primary
- Practical cyber security tips for business leaders primary
- Cyber security checklist primary
- Chapter 11: APP 11 Security of personal information primary
- Guide to securing personal information primary
- Is everything security-related, by and large, harassment? forum
- Worst password policy? forum
- Password manager recommendation forum
- Preventing the auto-logout of CRMs / Websites forum
- Coworker Gave Girlfriend his Teams Password forum
This guide and its templates are a professionally drafted starting point, not legal advice. Your obligations depend on your industry, your contracts and your data. Have a qualified adviser review anything high stakes before you rely on it.