Information Services Division


Password Change Requirements

Why do I have to change my password so often?

The main reason for regular password changes is to limit an account's exposure to misuse. Every time you type in your password it is at risk of compromise - by someone looking over your shoulder, through interception as it travels across the network, and so on. The more it's used, the more opportunities there are for it to be disclosed inadvertently. There are also certain types of 'brute force' attack, which try out every possible combination of characters to work out your password by trial and error. Regularly resetting passwords may reduce the risk of this kind of attack, or at least make it less attractive, given that the process will need to be repeated time and again.

Note that with the new MyAccount service you can go longer between password resets by setting a stronger password.

But I really don’t have anything worth hacking into…

Maybe so, but protecting your personal account is only part of the story. Even if you don't keep sensitive information in your account, others do. Allowing unauthorised access via your account may compromise the security of their information. Also, people often use compromised accounts for sending spam (and we all know how annoying that is). Some kinds of attack are only possible if the attacker already has basic access to the system - so guard your password carefully. If you think someone else knows it, tell ISD IT Services and change it immediately.

There are also administrative reasons why forced expiration of passwords is desirable. For example, expiring passwords allows any change in password policy to be brought in across the entire organisation within a fixed timescale. It also helps identify inactive or overactive accounts.

Password policy

Read the UCL password policy for further information.