Password policy

A password policy is a set of requirements that ensures passwords are strong and changed regularly, to limit the damage if a password is stolen.

All staff and associate staff need to change their password at least once a year, and more strict policies may be required for those working with sensitive data.

Students do not have password policies applied to their accounts. 

More information about the policy and its application can be found at:

  • Method Statement - Password management
Why do we have password policies?

Applying password policies to staff accounts is a recommendation of our auditors and funders. 

For a more detailed explanation, see:

Why do some staff have a stricter policy than others?

To assure our funders that everyone with access to their data is subject to a policy that meets their standards.

Staff in departments with access to sensitive data, e.g. staff in the Finance department, may have a 90-day password policy applied.

When will I need to change my password?

If you're a new member of staff, the date you first have to change your password is randomly set to be between two months and 12 months after your registration date.

After this, you'll need to change your password every 12 months.

The first date is set randomly so that change dates are spread evenly, avoiding peaks where everyone needs to change their password at the same time.

It’s not convenient for me to change my password right now. What can I do?

You will be sent an email with the date by which you will need to change your password. The aim of this email is to give you sufficient notice to change your password at a time that's convenient to you.

For more information on changing your password, see:

How do I know that an email asking me to change my password isn’t a phishing attack?

Information security policies at the University stipulate that all staff must change their IT Services password at least once a year. The emails you receive regarding changing your password should be clearly recognisable as legitimate. However, if you are in doubt, you can follow the instructions to change your password from the IT Services website:

More advice on recognising and dealing with malicious emails can be found on the following page:

Are there any policies or rules governing the password I choose?

Your password must be 9 to 72 characters long and should contain a mix of upper and lower case letters and at least one number. More information can be found on the following page:

My password has expired, what should I do?

You can log in to York Identity Manager (IDM) for up to four weeks after your password has expired to change it. During this time, you can also log in to a managed PC where a message will be displayed advising you to change your password.
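The rules above (the 9 to 72 character composition rule, the random first change date between two and 12 months, the 12-month and 90-day cycles, and the four-week window after expiry) modelled as a small Python script. This is an added example, not code from IT Services or York Identity Manager; the calendar-month arithmetic and the three account state names are my assumptions, the numbers come from this page.

```python
# Added example, not IT Services code. Month arithmetic and state names are assumptions;
# the numbers (9-72 chars, 2-12 months, 12 months, 90 days, 4 weeks) are from the page.
import calendar
import random
from datetime import date, timedelta

MIN_LEN, MAX_LEN = 9, 72         # "9 to 72 characters long"
STANDARD_CYCLE_MONTHS = 12       # change at least once a year
SENSITIVE_CYCLE_DAYS = 90        # e.g. Finance: 90-day policy
GRACE = timedelta(weeks=4)       # IDM self-service stays open four weeks after expiry

def add_months(d: date, n: int) -> date:
    """Add n calendar months, clamping the day to the target month's length."""
    m = d.month - 1 + n
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

def password_problems(pw: str) -> list:
    """Return the rules a candidate password fails (empty list means compliant)."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c.isupper() for c in pw):
        problems.append("needs an upper case letter")
    if not any(c.islower() for c in pw):
        problems.append("needs a lower case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one number")
    return problems

def first_expiry(registered: date, rng: random.Random) -> date:
    """First forced change: uniform between 2 and 12 months after registration."""
    lo, hi = add_months(registered, 2), add_months(registered, 12)
    return lo + timedelta(days=rng.randint(0, (hi - lo).days))

def next_expiry(changed_on: date, sensitive: bool = False) -> date:
    """Expiry after a valid change: 90 days for sensitive-data roles, else 12 months."""
    if sensitive:
        return changed_on + timedelta(days=SENSITIVE_CYCLE_DAYS)
    return add_months(changed_on, STANDARD_CYCLE_MONTHS)

def account_state(today: date, expiry: date) -> str:
    """'active' up to the expiry date, 'expired-grace' while IDM self-service is
    still open (assumed four weeks inclusive), then 'expired-locked' (assumed)."""
    if today <= expiry:
        return "active"
    if today <= expiry + GRACE:
        return "expired-grace"
    return "expired-locked"
```

Running `first_expiry` over a cohort registered on the same day shows why the random first date matters: the forced changes land across a ten-month window instead of on one anniversary.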

My password has expired and I don't have time to change it. What should I do?

Unfortunately, you will need to change your password in order to regain access to IT systems and services. To minimise the likelihood of this situation arising, you will receive regular reminders to change your password before its expiry date.

If you have an important meeting, presentation or engagement on or near to the date your password expires, it would be prudent to change your password beforehand.

Will using the 'Forgot password?' option count as changing my password?

No, this will be registered as changing a forgotten password, and will not be recognised as a valid change to meet the requirements of the password policy.