
NHSmail password policy

The NHSmail password policy was introduced in May 2019 to help keep the NHSmail service safe in line with the National Cyber Security Centre (NCSC) guidelines.

Passwords are valid for 365 days and all users will receive reminders to change their password via email 18, 10, 5, 2 and 1 day(s) before its expiry date.

All passwords must follow the following criteria:

  • They must be 10 characters or more in length without spaces;
  • They must not match the previous 4 passwords used;
  • They must not contain the user's first name or last name;
  • They must not be detected as a common password, for example Password123, Winter2018;
  • They must not be detected as a breached password (a password used for an account that has previously been compromised or identified as having been breached according to an internet-based breach database).

Please refer to the Application account guidance for more information regarding Application account password complexity requirements.

Important note

We know that common passwords are currently used on the NHSmail service by a number of users. In the future, users who do not meet the above criteria will receive a failure message when changing their password.
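The criteria listed above can be expressed as a single check that reports every rule a candidate password fails. This is an added example, not NHSmail's own code: the function names, the sample common and breached lists, the salted PBKDF2 history format and the case-insensitive matching are all assumptions.

```python
import hashlib
import hmac

MIN_LENGTH = 10      # "10 characters or more in length without spaces"
HISTORY_DEPTH = 4    # "must not match the previous 4 passwords used"

# Constructed sample data; assumptions standing in for the service's real lists.
COMMON_PASSWORDS = {"password123", "winter2018"}
BREACHED_SHA1 = {hashlib.sha1(b"Sunshine2020!").hexdigest()}


def hash_for_history(password, salt):
    """Salted PBKDF2 digest, so the history never holds plaintext passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def policy_failures(password, first_name, last_name, history):
    """Return the criteria the candidate fails (an empty list means accepted).

    history: (salt, digest) pairs for earlier passwords, newest first.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("too_short")
    if any(ch.isspace() for ch in password):
        failures.append("contains_space")
    # Only the most recent HISTORY_DEPTH entries count as reuse.
    for salt, digest in history[:HISTORY_DEPTH]:
        if hmac.compare_digest(hash_for_history(password, salt), digest):
            failures.append("reused")
            break
    lowered = password.casefold()  # assumption: matching ignores case
    if any(n and n.casefold() in lowered for n in (first_name, last_name)):
        failures.append("contains_name")
    if lowered in COMMON_PASSWORDS:
        failures.append("common")
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        failures.append("breached")
    return failures
```

Returning every failed criterion at once lets the failure message tell the user everything to fix in one attempt.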

Top tip

A good way to create a strong and memorable password is to use three random words. Users should be creative and use words that are memorable to only them, so that people cannot guess their password.


Mobile numbers used to register for an NHSmail account must be based in the United Kingdom. Any NHSmail account registered with a non-UK number will be disabled, and the account holder will need to contact their local organisation to apply a UK-based phone number to their NHSmail account. Please see Information – Non-UK registered Phone Numbers for more information.

Some reminders to help users keep their NHSmail account active and get the best experience from their account:

  • Record a UK mobile number and set a user account secret on their profile – this will allow a user to reset their password via their local IT or NHSmail Helpdesk.
  • Register at least one authentication method on their account – this will allow users to reset their password online at any time without contacting their local IT or NHSmail Helpdesk.
  • Change password on all devices – to prevent their account from becoming locked, users will need to update their password on all the devices (including personal devices) that they use to access NHSmail, for example mobile phone, Outlook desktop, tablet etc.

If you require additional help and support, the NHSmail helpdesk is available 24 hours-a-day, 7 days-a-week on 0333 200 1133 or by emailing helpdesk@nhs.net.

Last Reviewed Date 27/07/2023


Updated on 27/07/2023
