Passwords: Frequently Asked Questions

How do I change my password?

You can use the Password Change web form at https://www.essex.ac.uk/password/ (accessible on or off campus)

or

You can use the password change program on any University managed Windows PC by logging in with

    Username: pwchange@essex.ac.uk
    Password: changepw

This will allow you to change your password using :-

  • your current/most-recent working password
  • your external email address and passphrase
  • a recently assigned one-time password

You can also request a one-time password to be sent to your registered mobile or external email address.

What is my external email address?

If you have another email address (e.g. a Gmail, Hotmail or Yahoo address), then you can register this email address with us along with a passphrase and security question. You can then use this email address and passphrase to change or reset your University password. In addition, you will be able to use the same email address and passphrase once you cease to be a member of the University to access some of our resources (e.g. exam results, Alumni website etc). If you haven't already registered an external email address, you will be prompted to do so each time you change your password. It is optional though and you can choose not to register one (see managing your external email address for more information).


 

What is a one-time password and how does it work?

The 'request a one-time password to be sent to my registered mobile phone or external email address' option allows you to have a one-time password sent to your registered mobile number or external email address. It is a two-step process.

  1. The first time that you use this option, you will be asked for your PRID (as printed on your student registration card or staff card) and your date of birth. Once we have these details, we can check whether we have a mobile number or external email address registered for you and if we do, you can request that a one-time password be sent to either (or both) of these.
  2. For one-time passwords sent via text message to your mobile number, you can use the 'one-time password issued in last 24 hours' option to enter your one-time password and then assign yourself a new password.
    For one-time passwords sent to your external email address, what you will actually receive is a simple URL. You only need to click on this to be taken to a webpage asking for your login name, after which you can assign a new password.

Current students can check and update their registered mobile number using the update my contact details link within the myAdmin section of the myEssex web site.

Staff will be able to check and update their registered mobile number once the staff portal is available. Until then, staff are generally restricted to sending one-time passwords to their registered external email address.

All registered staff and students can manage their external email address (and passphrase) via the website https://www.essex.ac.uk/passphrase

Notes:

  • One-time passwords can only be used with the password change form to assign a new password
  • One-time passwords are only valid for the account for which they were issued
  • One-time passwords are only valid for 24 hours from the time of issue
  • Once you have used your one-time password, you can't use it again
  • One-time passwords can also be issued from the IT Help Desk
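
The notes above describe three properties a one-time password check has to enforce: bound to one account, valid for 24 hours, usable once. The sketch below is an added example, not the University's code; the class name, the token format, storing only a SHA-256 digest and letting a new issue replace the old one are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

VALIDITY_SECONDS = 24 * 60 * 60  # FAQ: valid for 24 hours from the time of issue


class OneTimePasswordStore:
    """Hypothetical store; only a digest of each one-time password is kept."""

    def __init__(self, clock=time.time):
        self._clock = clock      # injectable so expiry can be tested
        self._issued = {}        # account -> (sha256 digest, issue time)

    def issue(self, account):
        # Assumption: issuing again replaces any earlier one-time password.
        otp = secrets.token_urlsafe(9)
        digest = hashlib.sha256(otp.encode()).digest()
        self._issued[account] = (digest, self._clock())
        return otp

    def redeem(self, account, otp):
        """Return True only for an unused, unexpired OTP issued to this account."""
        record = self._issued.get(account)
        if record is None:       # never issued for this account, or already used
            return False
        digest, issued_at = record
        candidate = hashlib.sha256(otp.encode()).digest()
        if not hmac.compare_digest(digest, candidate):
            return False         # wrong value, or an OTP issued to another account
        del self._issued[account]  # single use: consumed even if it has expired
        return self._clock() - issued_at <= VALIDITY_SECONDS
```
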

May I tell others what my password is?

Absolutely not. In doing so you would be in breach of the IT Services Rules and Regulations. For your own benefit also, you should not divulge your password to anyone else. If others use your account in an inappropriate manner, you will be held responsible for their actions.

You should also note that we will never ask you for your password and you should never write it in an email message - even if asking for help from us.
 

How often should I change my password?

New account holders should change their passwords immediately. Thereafter, all account holders must change their passwords at least once every four months. It is up to you if you wish to change your password more frequently than this. Note that you should not attempt to change your password more than once within any two-hour period. It is unlikely to work!
 

What will happen if I don't change my password?

If you haven't changed your password for three months (or if your account has just been opened) you will then receive four email warnings spaced at weekly intervals informing you that you must change your password imminently. If you still have not changed your password after the fourth warning, your account will be disabled. You will not lose any data if this happens but you will not be able to log in. In order to get your account working again, you have the following choices :-

  1. Change your password via the password change web form (you can use your most recent password, your external email address and passphrase or send a one-time password to your registered external email address or mobile number). Doing this requires that you have access to the webpage (which you can get to in selected IT Services PC labs using the pwchange account*) but it does mean that your account will be active immediately after changing your password. See How do I change my password above for details.
     
    or
     
  2. Contact the IT Help Desk and request a one-time password. You will need to prove your identity via either your registration card or other means. It will always be quicker and more convenient for you to use the password change form to issue a one-time password to your registered external email address or mobile number where this is possible.
     

What if I forget my current password?

If you forget your current password, you have three choices:

  1. Via one-time password
    If you have registered an external email address or mobile phone number with the University, then you can request a one-time password be sent to either or both and can then use this one-time password to assign yourself a new password - see What is a one-time password and how does it work? for details
     
  2. Via external email address and passphrase
    If you have registered an external email address and passphrase, you can use the Password Change web form to change your password using these details. Using this method to assign a new password means that you can get back up and running very quickly - including during times when the IT Help Desk is closed. We strongly recommend that you do register your external email address if you have one.
     
  3. In person or by phone
    Contact the IT Help Desk. We will not be able to tell you what your existing password is but we will be able to issue a one-time password so that you can assign a new password. Note that you can only do this during the hours that the relevant IT Help Desk is open (normal working hours)
     

Please note: We are not able to assign one-time passwords unless you visit the IT Help Desk in person with your registration card or can prove your identity in some other way.
 

How long after I have changed my password does my new one become valid?

On Windows-based computers on campus, your password change is effective immediately. If you are logged in at the University of Essex using your login and old password, you should log off immediately and then log back in to ensure that Windows is using your new password. If you do not do this, you may experience problems accessing your email or network shares.

On Unix computers on campus, password changes may not take effect for up to 15 minutes. You may therefore need to use your old password on a Unix computer during the 15 minutes after you have changed your password.

When accessing University based resources remotely that require you to login (e.g. email or web pages), it should be enough to restart the particular application and login again to gain access.

However: If you have your password reset by the IT Help Desk, your new password will not be active until some time later in the day. They will advise you of the exact time when they make the change.
 

Exactly what constitutes a valid password?

  • Passwords must be between 8 and 40 characters in length.
  • Passwords longer than 16 characters that contain at least one space are exempt from the complexity rules below.
  • Passwords shorter than 16 characters must contain characters from three of the four character sets:
    Upper case letters A - Z
    Lower case letters a - z
    Numerals 0 - 9
    Punctuation characters ! " # $ % & ' ( ) * + , - . / : ; = ? @ [ \ ] ^ _ ` { } ~
  • Passwords can contain embedded spaces.
  • Passwords should not include single words from the dictionary or repeated sets of characters.
  • Passwords are tested to ensure that they are secure before they will be accepted.

Choosing a simple password longer than 16 characters that contains at least one space will work - for example

  • longer than sixteen
  • the more the merrier!

Why can't I use a simple word for my password?

The program to change passwords has been modified so as to be extremely picky about the passwords it is prepared to accept. It uses an internal dictionary that contains a large number of commonly used passwords. It will reject passwords that are either found in this dictionary or can be generated by the application of some simple rules to a word in the dictionary. It will also disallow many strings that look like car registration numbers, postcodes or palindromic strings.

We are aware that this is annoying. It is there to prevent misuse of the Computing facilities. Without such stringent rules we would have very little protection against other users determined to breach the security of our systems.
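
The rules under "Exactly what constitutes a valid password?" and the dictionary and palindrome checks described above can be expressed as one validator. This is an added example, not the University's password change program: the COMMON wordlist is constructed, and treating a password of exactly 16 characters as not exempt, and applying the dictionary check to every password, are assumptions.

```python
import string

# Punctuation set exactly as listed in the FAQ (it omits < > and |).
PUNCT = set("!\"#$%&'()*+,-./:;=?@[\\]^_`{}~")
CLASSES = (set(string.ascii_uppercase), set(string.ascii_lowercase),
           set(string.digits), PUNCT)

# Constructed stand-in for the internal dictionary of commonly used passwords.
COMMON = {"password", "letmein", "welcome", "essex"}


def mangled_forms(pw):
    """Undo a few simple rules: case changes, reversal, digit/punctuation padding."""
    base = pw.lower()
    core = base.strip(string.digits + "".join(PUNCT))
    return {base, base[::-1], core, core[::-1]}


def check_password(pw):
    """Return a list of policy violations; an empty list means accepted."""
    if not 8 <= len(pw) <= 40:
        return ["length must be between 8 and 40 characters"]
    problems = []
    # Assumption: exactly 16 characters is treated as not exempt.
    exempt = len(pw) > 16 and " " in pw
    if not exempt:
        used = sum(1 for cls in CLASSES if any(ch in cls for ch in pw))
        if used < 3:
            problems.append("needs characters from three of the four sets")
    if mangled_forms(pw) & COMMON:
        problems.append("derived from a commonly used password")
    folded = pw.lower()
    if folded == folded[::-1]:
        problems.append("palindromic string")
    return problems
```
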
 

Why are you making me change my password? My current one works just fine

You may well feel that your password is private to you and you should be the one to decide whether it should be changed. This is entirely true but it is not the entire picture. Consider the following hypothetical points:

There's nothing private on my area: if anyone wants to read it, I don't mind

Someone who finds out your password can do far more than read your files. They can do everything that you can do on any computer to which they might have access (maybe by connecting as you across the network), including all the things you could do, but wouldn't, because of the trouble and embarrassment it would cause you. Not only can they read your files, they can delete or alter them. They can send email and post to newsgroups - messages that will appear to have come from you. They can download pornography onto your area. In short, they can breach (albeit in your name) most of the Conditions of Use of the Computing Facilities, and several civil and criminal laws.

But no one would do that to me, surely?

Well, most people wouldn't: It's doubtful that one person in a thousand would want to cause trouble for someone they didn't know. Unfortunately, some people are simply malicious: and some of them have network access. In all probability, none of these people will ever find out your password. But one might: why take the risk?

It's nothing personal

For the reasons above, IT Services would advise you to change your password frequently, to protect yourself. The reason we insist that you change your password is to protect others. Once someone has broken into your account, they can inconvenience others in two ways:

  1. Denial of Service attacks.
    Computing resources are not infinite: It is easy to set up processes which take nearly all of a given resource (CPU cycles, network bandwidth, etc.), thus taking it away from all other users. IT Services would soon become aware of problems of this nature and would take steps to rectify the situation, but other users could be inconvenienced. If a Denial of Service attack is targeted on some external site, the University's good name may be compromised.
     

  2. A platform for more serious attacks.
    A malicious cracker really wants to gain administrative access to the systems s/he has broken into: once this is achieved, the entire system is available for attack. There are many ways of managing this but most of them first require access to an account (any account). Thus the security of your account is the first hurdle in the path of a cracker: if they can break into your account, it's a good step on the way to gaining further privileges.

And the culprit will appear to be you.

Why every four months - this makes the password less secure as I will need to write it down.

The four-month change rule is broadly in line with most other Universities (see other sections of this webpage for why). We believe that if you follow the guidelines given here and elsewhere, you should be able to set a memorable password without having to resort to writing it down.

My bank doesn't require me to change my password every 4 months - why do you?

Your bank usually requires more than a password to access your account. For this reason, it should not be necessary to change your banking password often.

My ISP doesn't require me to change my password - why do you?

Your ISP is only protecting access to your account with them. There isn't generally much that this account gives you over and above the ability to connect to the Internet and maybe access an email account with the ISP. Universities are different in that they are relatively open organisations with a lot of high value resources (email accounts to send spam, high bandwidth, open networks, computers allowing interactive login etc.). Your account also grants access to personal resources such as your student record, exam marks and coursework submission, which should remain private to you.