Self Service Password Reset Project
When will this change happen?
What do I need to do?
What are the next stages?
Frequently asked questions
Where can I find further information?
As part of ongoing improvements to information security, the University’s existing password reset service is being replaced by Microsoft’s Self-Service Password Reset (SSPR) service.
This change will require all staff and students to register for the new Self-Service Password Reset service; however, any staff members already enrolled for Multi-Factor Authentication (MFA) will automatically be registered for Microsoft’s SSPR.
In addition, the University’s Password Policy is changing: passwords need to be longer but will require less complexity, which means that you may need to change your existing University password.
The new Self-Service Password Reset service is now live for use by staff and students.
You should change your password to meet the requirements of the new Password Policy as soon as possible, before it becomes mandatory.
At a later date, the new password policy will be enforced, requiring you to change your password if it hasn't been changed in the last 365 days.
You should now:
1. Register for the Self-Service Password Reset (SSPR) service
If you’ve not already registered for SSPR then you will be prompted to register the next time you log in.
2. Change your password to meet the requirements of the new Password Policy
The new Password Policy can be found here: Password Policy
The main changes are:
- The minimum password length has changed to 15 characters.
- There will no longer be complexity requirements, i.e. you won’t need to use a mixture of upper and lower case letters, digits and special characters.
- Passwords will expire every 365 days, and must be changed whenever they are suspected of being, or known to be, compromised.
Although the number of characters has increased, the removal of complexity means that you can use passphrases or random words to generate your password, which will make it easier to remember.
The new password policy will be enforced, requiring you to change your password if it hasn't been changed in the last 365 days.
Get prepared and change your password now to avoid being prompted at a time that may be inconvenient to you.
All staff and students will be notified in advance of the date for this change.
What if I don’t want to register a mobile phone number or add the Authenticator App?
We would recommend that you register a mobile device; however, if you don’t have one or prefer not to for other reasons, you can register using secret questions and answers.
Please note: the previous Password Manager service uses secret answers and questions for password retrieval; however, these will no longer be valid and you’ll be required to set new ones.
Why is the Password Policy changing?
The implementation of this Password Policy will strengthen Edinburgh Napier’s information security as well as improving compliance with the Cyber Essentials Plus accreditation which we achieved in 2019.
Passwords are often the only thing standing between a cyber-criminal and full access to your accounts – which is why it’s so important that they’re strong and resistant to attack.
Recent research by the NCC Group has indicated that password length is more effective than password complexity – a minimum length of 15 characters is more secure and harder to crack than a shorter mix of numbers, letters and special characters.
Will Associate Staff accounts be required to register and comply with the new policy?
Yes, Enhanced Associate and Associate accounts are included. These groups of accounts should already be registered for Multi-Factor Authentication (MFA) and therefore already have an authentication method registered for the Self-Service Password Reset service. An email has been issued to these groups specifically to remind them to register and give them information about the new password policy.
Will Limited Associate accounts be required to register and comply with the new policy?
Yes, Limited Associate accounts will be included in the service from Monday 26 October.
Limited Associate accounts don’t have an @napier.ac.uk email address and we are rolling out the change to them in a slightly different way. We will email them at their registered personal email address to inform them of the change.
After Monday 26 October, when Limited Associates next log on to an Edinburgh Napier online service using their 4XXXXXXX number, such as email, MS Office apps or Moodle, they may be prompted to register for the Self-Service Password Reset service. If not, they can register by visiting https://mypassword.napier.ac.uk/ and clicking Register for Self-Service Password Reset service. When they next change their password, it will need to meet the new Password Policy.
Why am I being prompted for Multi-Factor Authentication (MFA) when I sign in to Office 365 from the Virtual Desktop Service (VDS)?
The Virtual Desktop Service (VDS) is currently excluded from Multi-Factor Authentication (MFA), so sign-ins to Office 365 services are possible using only a username and password. The exception to this is if you are a member of staff who has not previously completed the mandatory Self-Service Password Reset enrolment (SSPR). SSPR enrolment for staff requires you to authenticate using MFA, regardless of where you are connecting from.
Once you have signed in using MFA and completed the SSPR enrolment process, you will no longer be prompted for MFA when accessing Microsoft 365 services from the Virtual Desktop Service.
Where can I find further information?
The full Password Policy can be found here: Password Policy
Further information about Passwords can be found on the Staff Intranet, myNapier and askNapier.
If you have any questions or concerns, please contact the IS Service Desk in the first instance.