Why do I need to change my password every 90 days?

As part of the University’s policy, as set out in Computer Account Passwords (ISP-I9), you are required to change your password every 90 days. This policy is ratified by the Information Security Policy steering group.

Many staff use their University IT account on a range of devices, such as smartphones and tablets, which can considerably increase the chances of passwords being compromised. Whilst regular password changes won’t prevent a major security breach, such as someone hacking into your account, they will limit the period of exposure. This is particularly important where it is difficult to detect that an account has been hacked.

Regular changes to passwords can carry their own risks; however, it is felt that 90 days between password changes, just four times a year, ensures that passwords are refreshed regularly, but not so often that it leads to confusion.

IT Services review current trends in password security regularly. We do stay current with best practice and have seen the recommendations from the UK government’s National Technical Authority for Information Assurance (CESG) and similar agencies. These and other recommendations rely on new technology to reduce the need to change your password regularly and improve the user experience. However, we are not currently in a position to introduce these changes. So for now, it is necessary to change your password every 90 days, or sooner at your convenience.
