90 day password change policy
Compromised IT accounts could potentially allow access to confidential research data, exam material, or staff and student personal information. To reduce this risk, the University is extending the existing policy, under which staff are required to change their strong password every 90 days, to all staff, postgraduate research students and departmental IT accounts.
As part of the University’s policy, as set out in , you will now be required to change your strong password every 90 days. Approximately 35% of staff are already required to change their password every 90 days, and from May 2015 this will be extended to include all staff, PGR students and departmental accounts. This policy is ratified by the Information Security Policy steering group.
Many staff use their University IT accounts on a range of devices such as smartphones and tablets, which can considerably increase the chances of passwords being compromised. Whilst regular password changes won’t prevent a major security breach, such as someone hacking into your account, they will limit the period of exposure. This is particularly important where it is difficult to detect that an account has been hacked.
Regular changes to passwords can carry their own risks; however, it is felt that 90 days between password changes, just four times a year, ensures that passwords are refreshed regularly but not so often that it leads to confusion.
You can change your password anytime you wish. It is good practice to actively consider when would be a good time for you to change your password rather than rely on the 90 day requirement.
For six weeks from 11 May 2015 there will be a phased implementation. If your username begins with the letter listed, the 90 day password policy will be applied to your IT account sometime during that week.
|During the week of|Usernames beginning with|
|---|---|
|11 May|A – D|
|18 May|E – J|
|25 May|K – O|
|1 June|P – S|
|8 June|T – Z|
|15 June|Departmental IT accounts|
- All University staff (including externals), postgraduate research students and departmental IT accounts
- Staff and PGR students in Cancer Studies, Health Sciences and all of Corporate Services already have to change their password every 90 days.
- Staff in the Clinical Trials Unit (CTU) will continue to change their password every 30 days.
What do I need to do now?
You will receive email notifications 14 days, 7 days and 1 day before the change is introduced for your IT account.
However, you can change your password at any time at your convenience, and if you have changed it within the 90 days prior to the implementation date, you will not be required to change it again that week.