Skip to main content Skip to navigation

Information Security: Passwords

The use of passwords helps to control the risk of unauthorised access to University information. However, the use of public computers or internet services presents a threat as usernames and passwords could be stored or shared inappropriately, and sometimes without your knowledge. Whilst nothing can absolutely guarantee the security of passwords, the following working practices will help minimise this risk by increasing password security.

Everyone will use passwords/PINs as a first-line security control on ALL devices (e.g. PCs, laptops, smartphones) processing University information and will not share these details with anyone.

University IT Services will never ask for your password and neither should anyone else. If someone asks you for your password, you can politely say no.

Everyone will create passwords adhering to the minimum password standard for University information and systems:

  • Easy to remember (i.e. doesn't need to be written down) but difficult for others to guess
  • Longer than 8 characters -the longer the better!
  • Contain one character from the following: numbers, letters in uppercase, letters in lower case, symbols such as £$%^&*
  • Changed immediately if you suspect someone knows it (some corporate information systems (PSe, SITS) will require a frequent change as part of usual practice)

Don't use your University username/email and password as login details for other accounts. This is to limit access to systems and exposure if your University account is compromised. Same applies to any other passwords you have!

Use the IT Services 'Change Password' tool to reset your password -

This includes a check against the University minimum standard above.

Passwords for files or devices must not be sent with the file or device. You will communicate the password via another mechanism e.g. by email, text or phone. Passwords for protected email attachments must never be sent in the same email as the attachment.

IT Application Administrators will be responsible for the appropriate application and management of password controls (based on the classification of the information)

In cases where Reserved information is being used, it may be appropriate to use a password which is longer, more complex or changed more frequently (or all three aspects) than the University minimum standards. This is for the individual or team to determine based on the potential level of impact caused by its disclosure or the likelihood that it could be targeted.

Overall Framework Info

The minimum mandatory working practices in these pages are presented in boxed text to distinguish them from recommended practices.

Current document version: 1.3

Download full PDF(PDF Document)


Tip for choosing a good password:

For example, you ran a marathon in 1998, you could take the phrase “I ran the London Marathon in 1998”, and, taking just the first letters of each word and the numbers, turn it in to:


Or simply have the whole phase or most of it without spaces.

Then for extra security, swap in some capital letters and special characters: