Introducing the new and improved NHSmail password policy

21/05/2019 – We are frequently making security improvements to the NHSmail service and with effect from 23 May 2019 we are introducing a new password policy in line with National Cyber Security Centre (NCSC) guidelines.

To help keep the NHSmail service safe, within 45 days of the new policy coming into effect all users will be asked to change their NHSmail password regardless of when it was last changed.

Within this 45-day period, all users will receive reminders to change their password via email 18, 10, 5, 2 and 1 day(s) before it is due to expire.

Note: If users don’t change their password in response to these reminders, their password will expire and they will be required to change it at next login via www.nhs.net.

New passwords will be valid for 365 days instead of the current 90-day expiry and must meet the following criteria:

  • Minimum length – 10 characters without requiring a mix of character types
  • Not matching previous 4 passwords
  • Not detected as a common password, for example Password123, Winter2018
  • Not detected as a breached password (a password used for an account that has previously been compromised). Breached passwords will be sourced from an internet-based breach database.
Important note

We know that a number of users currently have common passwords on the NHSmail service. Once the new policy is in effect, a new password that does not meet the above criteria will be rejected with a failure message when the user tries to change their password.
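As an added illustration (not NHSmail's own code, whose checks and lists are not published on this page), the following Python shows how the four criteria above can be enforced at password-change time. The common-password list and the breach data are constructed samples; the breach lookup is modelled on a k-anonymity range query (only the first five hex characters of the SHA-1 hash would ever leave the client), which is an assumption about how an internet-based breach database is typically queried, not a statement about the service NHSmail uses. Password history is kept as salted PBKDF2 hashes so that old passwords are never stored in a recoverable form.

```python
import hashlib
import hmac
import secrets

MIN_LENGTH = 10      # "Minimum length - 10 characters", no character-mix rule
HISTORY_DEPTH = 4    # "Not matching previous 4 passwords"

# Constructed sample lists for this demo; the real NHSmail lists are not on the page.
COMMON_PASSWORDS = {"password123", "winter2018", "qwerty12345", "letmein1234"}
_BREACHED_SAMPLE = ["P@ssw0rdNHS!", "Summer2019!!", "correcthorse"]

# Stand-in for the internet breach database, keyed by the first five hex
# characters of the SHA-1 hash so a client only ever sends that prefix
# (k-anonymity style lookup; an assumption about the real service).
BREACH_INDEX: dict[str, set[str]] = {}
for _pw in _BREACHED_SAMPLE:
    _digest = hashlib.sha1(_pw.encode()).hexdigest().upper()
    BREACH_INDEX.setdefault(_digest[:5], set()).add(_digest[5:])


def breach_suffixes(prefix: str) -> set[str]:
    """Simulates the range query: every known hash suffix for a 5-char prefix."""
    return BREACH_INDEX.get(prefix.upper(), set())


def is_breached(password: str) -> bool:
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in breach_suffixes(digest[:5])


def is_common(password: str) -> bool:
    # Case-folded so "Password123" and "PASSWORD123" both hit the list entry.
    return password.lower() in COMMON_PASSWORDS


def _history_hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the history store never holds recoverable old passwords.
    # Iteration count kept modest for the demo; use a higher value in production.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class PasswordHistory:
    """Keeps salted hashes of the last HISTORY_DEPTH accepted passwords."""

    def __init__(self) -> None:
        self._entries: list[tuple[bytes, bytes]] = []

    def matches(self, password: str) -> bool:
        return any(
            hmac.compare_digest(_history_hash(password, salt), digest)
            for salt, digest in self._entries
        )

    def push(self, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._entries.append((salt, _history_hash(password, salt)))
        del self._entries[:-HISTORY_DEPTH]  # drop anything older than the last 4


def validate(password: str, history: PasswordHistory) -> list[str]:
    """Return every policy failure; an empty list means the password is acceptable."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if history.matches(password):
        failures.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    if is_common(password):
        failures.append("detected as a common password")
    if is_breached(password):
        failures.append("detected as a breached password")
    return failures


def change_password(password: str, history: PasswordHistory) -> list[str]:
    """Apply the policy; on success record the new password in the history."""
    failures = validate(password, history)
    if not failures:
        history.push(password)
    return failures


if __name__ == "__main__":
    h = PasswordHistory()
    for candidate in ["short", "Password123", "P@ssw0rdNHS!", "hayloft quasar pickle"]:
        print(repr(candidate), "->", change_password(candidate, h) or "accepted")
```

Returning the full list of failures rather than stopping at the first one lets the change-password page tell the user everything that is wrong at once; the history comparison uses a constant-time digest compare so it leaks nothing about which old password was hit.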

Top tip

A good way to create a strong and memorable password is to use three random words. Users should be creative and use words that are memorable to only them, so that people can’t guess their password.

Some reminders to help users keep their NHSmail account active and get the best experience from their account:

  • Add a mobile number and security questions to their profile; this will allow users to reset their own password and unlock their account without contacting support.
  • Change the password on every device: to prevent the account from becoming locked by repeated failed logins, users will need to update the saved password on all devices (including personal devices) they use to access NHSmail, for example mobile phone, Outlook desktop, tablet etc.

Further information is available in the guidance below:
