ISM-0418

Credentials are kept separate from systems they are used to authenticate to, except for when performing authentication activities.

Topic
Protecting credentials
Applicable to
all

History

Priority
must not
Dec 2022
Credentials are kept separate from systems they are used to authenticate to, except for when performing authentication activities.
The existing control relating to storing physical credentials separately from systems that they are used to authenticate to was reworded to remove confusing ‘physical credential’ language and clarify that ‘devices that store or generate credentials’ can still be connected to systems when performing authentication activities.
Mar 2022
Physical credentials are stored separately from systems to which they grant access.
Due to perceptions that this recommendation prevented the use of password managers and hardware security modules, it was amended to refer to physical credentials being stored with systems.
Oct 2019
Credentials are stored separately from systems to which they grant access.
Security control 0418 was modified slightly.
Sep 2019
Authentication information is stored separately from a system to which it grants access.
2017
Authentication information must be stored separately from a system to which it grants access.
Control text changed. No public explanation.
2015
Authentication information must be stored separately to a system to which it grants access.
2010
Agencies must not allow storage of unprotected authentication information that grants system access or decrypts an encrypted device, to be located on, or with, the system or device to which the authentication information grants access.
2008
Agencies must not allow storage of unprotected authentication information that grants system access, or decrypts an encrypted device, to be located on, or with the system or device, to which the authentication information grants access.