User passwords must meet the following requirements:
- The password is at least eight characters long.
- The password contains characters from at least three of the following five categories:
- Uppercase letters
- Lowercase letters
- Base 10 digits
- Non-alphanumeric characters
- Unicode characters which are categorized as alphabetic but are neither upper nor lower case (use of these is not recommended)
- The password does not contain three or more sequential characters from the user's account name.
The precise definition of what counts as a letter is documented in detail by Microsoft. Characters outside the ASCII printable set permitted but are best avoided because of the difficulty of typing them on many keyboards.
These complexity requirements are enforced upon password change or the creation of new passwords. The password you are issued with at the time the account was created or when you request a reset at reception will conform to these requirements. We recommend that you choose a longer password rather than just using the minimum length necessary. You are unlikely to exceed the maximum permitted length. Some older systems may not accept more than about 28 characters. Around 12 characters is a good compromise between security and convenience.
We do not enforce a regular password change interval, believing that this does more harm than good. However it is important that you change your password if you have any reason to believe that it may have been compromised.
Attempts to change the password to something which does not conform to these requirements is signalled clearly under Windows but the exact cause of the failure is not stated. Linux users will be presented with the more cryptic string "Authentication token manipulation error" if the new password fails to meet the complexity requirements.