Password policy and Guidance

Information Services, University of Stirling

User Passwords


  1. University usernames and passwords are unique and used to grant access to information and resources specific to individual needs.
  2. They are used to identify and log user activity on University systems and services.
  3. Passwords must be kept confidential, they should never be shared or disclosed to anyone. The University will never ask for your password.
  4. A password used for access to University resources must not also be used to access any other, third-party, resource.
  5. Users must inform Information Services if they know or suspect that their password has been compromised. 
  6. In the event of a password being compromised the user will be required to change the password to one they have not previously used.


User, to:

  • set a strong password
  • keep their password secret
  • use their University password only for their University account
  • inform Information Services if they think that their password may have been compromised
  • change their password if required to do so by Information Services
  • if required to change password, not reuse any previously used password

Information Services, to:

  • educate users about information security relating to passwords
  • use all reasonable technical measures to prevent password compromises and detect them when they happen
  • notify users when their passwords are believed to have been compromised and require those passwords to be changed

Password rules

  1. User passwords must be a minimum of 12 characters in length.  There is no maximum length.
  2. Passwords must be constituted from a combination of upper case characters (A-Z), lower case characters (a-z), and numerals (0-9) with at least one of each type.
  3. Users must not incorporate into their password any easily guessed information about themselves (e.g. own names, date of birth) or their family (e.g. partner’s or children’s names, or dates of birth), breeds or names of pets, home address, make of car, etc.
  4. Passwords must not be based on commonly used words or phrases such as “password”, “letmein”, “opensesame”.  A list of commonly used passwords.
  5. There is no default time limit on the use of a password; a password will not need to be changed unless there is reason to believe that it has been compromised.

As per Policy, if a password change is required, the user must create a password that they have not used before. 

Guidance in setting a 12 character password

At first it might seem quite an onerous job to think of a 12 character password. The National Cyber Security Centre advises…

Use three random words to create a strong password

A good way to create a strong and memorable password is to use three random words. Numbers and symbols can still be used if needed, for example 3redhousemonkeys27!

Be creative and use words memorable to you, so that people can’t guess your password. Your social media accounts can give away vital clues about yourself so don’t use words such as your child’s name or favourite sports team which are easy for people to guess.

Cyber criminals are very smart and know many of the simple substitutions we use such as ‘Pa55word!” which utilises symbols to replace letters.

Never use the following personal details for your password:

• Current partner’s name

• Child’s name

• Other family members’ name

• Pet’s name

• Place of birth

• Favourite holiday

• Something related to your favourite sports team

You will only be required to change your password if it is believed to have been compromised, so it is worth taking the time to make it a good one.