Understanding NHS Mail Passwords

In May 2019 NHS Mail introduced a new password policy in line with National Cyber Security Centre (NCSC) guidelines. One of the most notable changes was that new passwords are now valid for 365 days instead of the previous 90-day expiry.

What do I need to know?

All users will receive reminders to change their password via email 18, 10, 5, 2 and 1 day before it is due to expire. If users don’t change their password in response to these reminders, their password will expire and they will be required to change it at next login via www.nhs.net.

So what are the requirements when resetting your password?

The following guidelines are taken from https://support.nhs.net/2019/05/introducing-the-new-and-improved-nhsmail-password-policy/

  • Minimum length – 10 characters without requiring a mix of character types
  • Not matching previous 4 passwords
  • Not detected as a common password, for example Password123, Winter2018
  • Not detected as a breached password (a password used for an account that has previously been compromised).

A good way to create a strong and memorable password is to use three random words. Users should be creative and use words that are memorable to only them, so that people can’t guess their password.

The minimum length of a new password is 10 characters without requiring a mix of character types! So no more need for passwords like T3dd7B3arP!cn!c or L3v3M3A10n3!
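The four requirements listed above can be expressed as a single check. The following is an added example, not NHSmail's own code: the function names, the PBKDF2 storage of password history, the case-insensitive common-password match, the SHA-1 breached-hash set and all sample passwords are assumptions constructed for illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os

MIN_LENGTH = 10          # policy: minimum 10 characters, no character-mix rule
HISTORY_DEPTH = 4        # policy: must not match the previous 4 passwords
PBKDF2_ROUNDS = 200_000  # assumption: work factor chosen for this example

# Constructed sample data; a real service would load a large common-password
# list and a breached-password hash corpus instead of these two small sets.
COMMON_PASSWORDS = {"password123", "winter2018"}
BREACHED_SHA1 = {hashlib.sha1(b"qwertyuiop1").hexdigest()}


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest) so password history is never kept as plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def check_new_password(candidate: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the policy rules the candidate breaks (empty list means accepted)."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append("too_short")
    # Re-hash the candidate with each stored salt and compare in constant time.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            failures.append("reused")
            break
    if candidate.lower() in COMMON_PASSWORDS:
        failures.append("common")
    if hashlib.sha1(candidate.encode()).hexdigest() in BREACHED_SHA1:
        failures.append("breached")
    return failures


if __name__ == "__main__":
    # Constructed history of five old passwords, oldest first.
    old = ["alpha-river-stone", "maple-cloud-seven", "orbit-candle-fern",
           "copper-lantern-moss", "velvet-harbor-pine"]
    history = [hash_password(p) for p in old]
    for pw in ["Winter2018", "short", "velvet-harbor-pine", "alpha-river-stone",
               "qwertyuiop1", "kettle-brass-window"]:
        print(pw, check_new_password(pw, history) or "accepted")
```

In the sample run, "alpha-river-stone" is accepted because it is the fifth most recent password and so falls outside the four-password history window, while "Winter2018" meets the 10-character minimum but is still rejected as common.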

Further information is available in the guidance below taken from pages found at support.nhs.net: