Strong passwords and two-factor authentication
Protect your devices, accounts and information from unauthorised access.
An easy way to protect your online accounts is to create strong passwords and set up multi-factor authentication. Follow our advice to keep your accounts safe and secure.
Change your password
You can change your password and security questions using the York Identity Manager tool.
We recommend you change your password regularly. As a minimum, all staff have to change their password at least once a year. If you work with sensitive data, you might have to change it more frequently.
Top tips for account security
1. Set up two-factor authentication
Two-factor authentication (2FA) adds an extra layer of protection beyond your password. It typically involves verifying login attempts through a second device, like your phone. At York, we expect you to set up Duo and Google two-factor authentication, in addition to choosing a strong password. Without 2FA, we may lock your account.
Duo protects several key University services. However, Duo isn't used to log into your University Google account – this is so that your Google access doesn't depend on campus infrastructure. This means you'll be able to access Google services, such as Gmail, even if campus services are completely down.
Find out more about Duo and Google 2FA, including setup instructions and what to do if you lose your phone.
2. Use a password manager
Managing passwords can be a hassle, but password managers make it easy and secure. They generate strong, complex passwords and remember them all for you. Avoid using your web browser's built-in password manager (like Chrome, Edge, or Firefox). These are vulnerable to security risks and shouldn't be used.
LastPass is our recommended password manager, available to all staff and students.
Explore LastPass (password manager)
3. Create a strong password
Strong passwords protect your accounts and personal information by making it harder for attackers to guess them. A strong password should be long, unique, and memorable.
Your password must:
- be between 10 and 72 characters
- include a mix of upper and lower case letters
- include at least one number or symbol.
Your password must not:
- contain your username
- be your current password or a previous password
- be identical or very similar to passwords you use elsewhere
- be based on dictionary words on their own
- be based on easily discoverable information (such as the name of your pet)
- use simple substitutions (eg swapping '3' for 'E'). Tools that are used to crack passwords check these variations automatically.
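The rules above that can be checked mechanically, including the reversal of simple substitutions, are shown in the following Python, which is an added example and not the University's own code. The wordlist, the look-alike table and the function names are assumptions made for illustration; the rules about previous passwords, reuse elsewhere and discoverable information are left out because they need data this code does not have.

```python
# Added example: checks a candidate password against the rules listed above.

# Constructed sample wordlist (assumption); a real check would load a full dictionary.
SAMPLE_WORDS = {"password", "welcome", "elephant", "sunshine", "dragon"}

# Simplified one-to-one table of look-alike characters (assumption, not exhaustive).
LOOKALIKES = str.maketrans("0134578@$!", "oleastbasi")


def is_decorated_word(password, words=SAMPLE_WORDS):
    """True if the password is one dictionary word plus substitutions and padding."""
    lowered = password.lower()
    undone = lowered.translate(LOOKALIKES)  # one-to-one, so indexes still line up
    for start in range(len(lowered)):
        if any(c.isalpha() for c in lowered[:start]):
            break  # letters before the candidate word: not a word on its own
        for end in range(start + 1, len(lowered) + 1):
            tail_has_letters = any(c.isalpha() for c in lowered[end:])
            if undone[start:end] in words and not tail_has_letters:
                return True
    return False


def policy_violations(password, username, words=SAMPLE_WORDS):
    """Return the rules the password breaks; an empty list means these checks pass."""
    problems = []
    if not 10 <= len(password) <= 72:
        problems.append("length")
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("mixed case")
    if not any(not c.isalpha() and not c.isspace() for c in password):
        problems.append("number or symbol")
    if username and username.lower() in password.lower():
        problems.append("contains username")
    if is_decorated_word(password, words):
        problems.append("dictionary word with simple substitutions")
    return problems


if __name__ == "__main__":
    # Constructed candidates; "abc123" is a made-up username.
    for candidate in ["River_Skating-42Orange", "El3phant2024", "P@ssw0rd!"]:
        print(candidate, policy_violations(candidate, "abc123"))
```

A password such as El3phant2024 meets the length and character rules yet is still rejected, because undoing the substitution leaves a single dictionary word followed by digits.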
Related tip: the best way to create a strong password is to use a short phrase that only you know. Think of a sentence, memory, or description, then turn it into a password by:
- Using whole words or just the first letter of each word
- Mixing in numbers, punctuation or symbols
For example:
- River_Skating-42Orange — a vivid image broken into chunks
- MyGranSingsElvis2Cats! — memorable, specific, and secure
Longer passwords that you can remember are much stronger than short, complicated ones that are easy to forget.
LastPass (password manager) generates strong passwords for your accounts, so you don't have to. It's an easy way to meet our minimum requirements.
4. Keep your password private
Malicious third parties often target users with social engineering tactics, attempting to trick you into revealing your password. Remember these essential security tips:
- Never share your password with anyone, not even us.
- Be cautious of unexpected requests. When someone asks for personal information, especially passwords, it could be a phishing attempt.
- Don't click on links in suspicious emails or messages. Scammers often use fake websites to trick you into entering your password.