Password rules are changing for University staff and Postgraduate Research students.

As part of our ongoing commitment to achieving Cyber Essentials Accreditation, we now turn our attention to network passwords.

In order to comply with Cyber essentials, we need to strengthen our password policy. Our current security settings require a minimum of six characters and staff must change their password once a year. It is not possible to use your previous two passwords when changing.

In future, your password is going to have to be longer but you will only have to change it once, as we will no longer force a password change every year. The rules are due to change on 23rd April 2019 and you will then have a year to comply. After 23 April 2020, you will never be prompted to change your password unless you have compromised your account.

New Password rules:

  • The password length will increase from a minimum of 6 characters to a minimum of 12 characters.
  • Annual password change will no longer be required (after 23 April 2020)
  • Passwords will be changed by each user on the existing anniversary of your last password change over the course of the year.
  • All users will need to provide a personal recovery email address – This will be the new mechanism for password recovery (We will only use this address to send password recovery emails) – Staff – If you have not provided a personal email address you can do this by logging on to the portal and then clicking on ‘Set personal email address’ in the ‘My staff life’ section. Postgraduate Research students – If you have not provided a personal email address you can do this by logging on to the portal and then clicking on ‘Set secondary email address (for account recovery)’ in the ‘I want to’ section.

Your responsibilities as a University network user:

  • Set a strong password – see advice below
  • Keep your password secret.
  • Use your University password only for your University account.
  • Inform Information Services if you think that your password may have been compromised.
  • Change your password if required to do so by Information Services.
  • If required to change your password, do not reuse any previously used passwords.

Advice on how to set a long password that you’ll remember

The following guidance is offered to assist users in setting a password which is:

  • Easy to remember so that is doesn’t have to be written down.
  • Difficult to guess.
  • Resistant to automated brute force password cracking programs.

Don’t think of it as a password, think of it as a passphrase. Using any single word makes it easier to guess or crack.

Actually, using any combination of easily remembered dictionary words also makes it easier to guess than a string of apparently random characters.P

So, how do you come up with a long password with apparently random characters that you can easily remember

  • Identify one or more sentences which have a total of say 15 words (see example below) that you can easily remember, such as your favourite quote from a movie, favourite passage from a book or a song.
  • Better still make up the sentence yourself so that there is no frame of reference for a would be password cracker.
  • Then use the initial letters of the words you have chosen to create your password.
  • If the phrase has proper nouns in it, use the upper case letter to represent them.

Example, quoted by Samuel L Jackson, in Quentin Tarantino’s film Pulp Fiction:

“And you will know I am the Lord when I lay my vengeance upon you.” (Ezekiel 25:17)

Becomes the, pretty random, 15-character password: AywkIatLwIlmvuy

  • If you know your chosen words well then it becomes easy, after only a few goes, to type in the characters as you think of the words.
  • You will only be required to change your “password” if it is believed to have been compromised, so it is worth taking the time to make it a good one starting with a phrase that includes proper nouns and number words.