Change your password


Important Note:

If you have been locked out of your account, you will not be able to change your password using the guidance in this article, and you will need to contact your local IT or NHSmail helpdesk. 

Register at least one authentication method to be able to reset your password online 24/7 without contacting your local IT or NHSmail helpdesks. 

To keep your account secure you will need to change your password every 365 days. You will be reminded to change your password via email 18, 10, 5, 2 and 1 day(s) before it expires.

Remember, you must change your password immediately if you think someone else knows what it is. If your password expires, you will need to contact your Local Administrator.

Following a password change, to prevent your account from becoming locked you will need to update your new password on all the devices (including personal devices) that you use to access NHSmail, for example mobile phone, Outlook desktop, tablet etc.

If your organisation has adopted Same Sign On, changing your NHSmail password will also change the password used to access your workstation through local Active Directory. Likewise, if you change your password on Active Directory (e.g. changing the password on your workstation, or IT resetting your password for you), this new password will apply to your NHSmail account. The NHSmail Password Policy and one-year expiry date will apply to both accounts, NHSmail and local Active Directory, so you will only be required to change your password on one system.

If you are new to an organisation, have been given a new NHSmail account, and your organisation has adopted Same Sign On, you will need to reset your password after your NHSmail account has synced to ensure both your NHSmail and local Active Directory passwords are the same. Please wait up to 24 hours before resetting your password to ensure your NHSmail account has had time to sync.

If you have recently transferred to a different organisation and taken your existing NHSmail account with you, and your new organisation has adopted Same Sign On, your NHSmail and local Active Directory passwords will synchronise when you change one of them. It is recommended that you wait 24 hours before changing or resetting your password after you transfer to a new organisation to ensure your NHSmail account has had time to sync with the local Active Directory.


Once a user has migrated to Exchange Online, they will no longer be able to update their password through the Outlook Web App (OWA) ‘My Account’ option (https://myaccount.microsoft.com/) and will see the following message displayed.

Users are advised to change their password using the ‘Profile’ section on the NHSmail portal following the below steps. 

Change Password  To change your password, click on the Change Password button


Please wait for 2-3 minutes before signing in after a password reset as it may take 2-3 minutes to synchronise between On-Premise and Exchange Online.


1. Go to the NHSmail Portal at www.nhs.net, click on ‘Login’ in the top right-hand corner of the page and log in using your current NHSmail username and password.


2. Click Profile in the navigation bar at the top of the screen


3. Click Change Password at the top right of the screen

A new window will open


4. Enter your email address and your old password. You will need to enter your new password twice in the fields provided



Do not use the ‘£’ character in passwords as it is not supported in certain application layer protocols.

Note: Refer to the Additional Information box below for information on password requirements

5. Click Submit



When your password has been updated you will see the message

6. Click the cross at the top right to close the window


You will need to open a new browser, navigate to www.nhs.net and use your new password when you next log on. To prevent your account from becoming locked, remember to update this new password on all the devices (including personal devices) that you use to access NHSmail, for example mobile phone, Outlook desktop, tablet etc.

Additional Information

For your password to be valid it must meet the following criteria:

  • Minimum length – 10 characters without requiring a mix of character types
  • Should not contain the ‘£’ character
  • Not matching previous 4 passwords
  • Not detected as a common password, for example Password123, Winter2018
  • Not detected as a breached password (a password used for an account that has previously been compromised). Breached passwords will be sourced from an internet-based breach database.

Your new password can be used for up to 365 days.

If you receive an error when attempting to change your password, check that it meets the requirements listed above and try again.
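
The criteria above, written as a checker that reports which rule a candidate password fails. This is an added example, not NHSmail's own code: the function names, the salted PBKDF2 history format and the small common and breached lists are assumptions constructed for illustration. It also shows that the ‘£’ character encodes to different bytes in Latin-1 and UTF-8, one plausible reason such a character causes trouble in some protocols (the page does not state the reason).

```python
import hashlib
import hmac
import os

MIN_LENGTH = 10      # from the criteria above
HISTORY_DEPTH = 4    # "previous 4 passwords"
POUND = "\u00a3"     # the pound sign, outside 7-bit ASCII

# Constructed sample data standing in for real common/breached password lists.
COMMON = {"password123", "winter2018"}
BREACHED_SHA1 = {hashlib.sha1(b"Summer2019!!").hexdigest()}

def _kdf(password, salt):
    # Assumed history storage: salted PBKDF2, so old passwords are never kept in clear.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def remember(password):
    """Create a (salt, digest) history entry for a password."""
    salt = os.urandom(16)
    return salt, _kdf(password, salt)

def pound_encodings():
    """The pound sign is one byte in Latin-1 but two bytes in UTF-8."""
    return POUND.encode("latin-1"), POUND.encode("utf-8")

def check_password(candidate, history):
    """history: (salt, digest) entries, newest first. Returns the failed rules."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append("too_short")
    if POUND in candidate:
        failures.append("contains_pound")
    if any(hmac.compare_digest(_kdf(candidate, s), d) for s, d in history[:HISTORY_DEPTH]):
        failures.append("reused")
    if candidate.lower() in COMMON:
        failures.append("common")
    if hashlib.sha1(candidate.encode("utf-8")).hexdigest() in BREACHED_SHA1:
        failures.append("breached")
    return failures

if __name__ == "__main__":
    history = [remember(p) for p in ("old-pass-one11", "old-pass-two22")]
    for pw in ("three random words", "Password123", "cost" + POUND + "ofliving"):
        print(repr(pw), check_password(pw, history) or "ok")
    print(pound_encodings())
```

An empty list means the candidate passes every rule; only the four most recent history entries are compared, so a fifth-oldest password is accepted again.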

Top tip

A good way to create a strong and memorable password is to use three random words. Users should be creative and use words that are memorable to only them, so that people can’t guess their password.

Last Reviewed Date 27/07/2023
Updated on 27/07/2023
