The NHSmail password policy was introduced in May 2019 to help keep the NHSmail service safe in line with the National Cyber Security Centre (NCSC) guidelines.
Passwords are valid for 365 days. All users will receive reminders to change their password via email 18, 10, 5, 2 and 1 day(s) before its expiry date.
All passwords must meet the following criteria:
- Minimum length – 10 characters without requiring a mix of character types
- Not matching previous 4 passwords
- Not detected as a common password, for example Password123, Winter2018
- Not detected as a breached password (a password used for an account that has previously been compromised). Breached passwords will be sourced from an internet-based breach database
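One way a service could check a new password against the four criteria above, added here as an illustration and not NHSmail's own code. The function names, sample lists, SHA-1 breach-list format and PBKDF2 work factor are assumptions.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 10       # from the policy: 10 characters, no character-mix rule
HISTORY_DEPTH = 4     # from the policy: must not match the previous 4 passwords
PBKDF2_ROUNDS = 100_000  # assumed work factor for this example only

# Constructed sample lists; a real service would load much larger sets.
COMMON = {"password123", "winter2018"}  # stored case-folded
# Assumption: the breach corpus is held as SHA-1 digests of leaked passwords.
BREACHED_SHA1 = {hashlib.sha1(b"Sunshine2017!").hexdigest()}


def hash_password(password, salt=None):
    """Return (salt, digest); old passwords are stored only in this form."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password, history):
    """Re-hash the candidate under each stored salt and compare in constant time."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False


def check_password(password, history):
    """Return the failed criteria; an empty list means the password is accepted."""
    failures = []
    if len(password) < MIN_LENGTH:  # counts characters, not encoded bytes
        failures.append("too_short")
    if password.casefold() in COMMON:
        failures.append("common")
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        failures.append("breached")
    if in_history(password, history):
        failures.append("reused")
    return failures


if __name__ == "__main__":
    history = [hash_password(p) for p in ("first-old-secret", "second-old-secret")]
    print(check_password("Winter2018", history))
    print(check_password("second-old-secret", history))
```

Because each stored password has its own salt, the history check has to re-hash the candidate once per stored entry; the old passwords themselves are never kept.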
Some reminders to help users keep their NHSmail account active and get the best experience from their account:
- Add mobile number and security questions to their profile – this will allow a user to reset their own password and unlock their account.
- Change password on all devices – to prevent their account from becoming locked, users will need to update their password on all the devices (including personal devices) that they use to access NHSmail, for example mobile phone, Outlook desktop, tablet etc.
Further information is available in the guidance below: