New password policy for NHSmail accounts: you spoke, we listened, we acted.

06 August, 2019 by Dr Ian Bergin

Dr Ian Bergin is the Digital Project Manager at the Office of the Chief Dental Officer, England. Here he provides an update on access and security changes to NHSmail.

A frequently cited issue with using NHSmail accounts is that changing your password every 90 days is administratively onerous. While this is in line with most enterprise email security policies, we have listened and agreed a new approach in line with National Cyber Security Centre guidelines. In the future, email passwords will last for 365 days.

To keep NHSmail secure, you will need to change your existing password, regardless of when you last changed it. You will be (or will already have been) sent several reminders asking you to do this. If you do not reset your password in response to these prompts, it will expire on the indicated date, and you will need to change it at the next log-in here.

The new password must meet the following criteria (tips for creating a password can be found here):

  • Minimum length of 10 characters, without requiring a mix of character types or cases.
  • Not matching your previous four passwords.
  • Not detected as a common password, e.g. Password123, Winter2018.
  • Not detected as a password used for an account that has previously been compromised. These are sourced from an internet-based breach database.

Also, please don't forget to update your personal details, such as mobile phone number, on your record, as this can help to facilitate future password resets. And, importantly, make sure that passwords are changed on all the devices that you view NHSmail on.

There is more help available online, or for additional assistance, 24 hours a day, please call: 0333 200 1133 or email: [email protected].
