What's wrong with my new password?
I thought I picked a good password, but the system rejected it. Why?
We have a nice system which does not have horrible rules that force you to use upper/lower case AND special characters AND numbers (and then have to remember all that).
We don't need passwords that look like Tr0ub4dor&3 any more. We can have longer but easy-to-remember passwords like donkeyhotelroses. There is no need to swap o's for 0's and s's for 5's and so on, nor to add capitals.
But if you pick a password, even an apparently great-looking one, which someone else has used in the past AND which has since been obtained by hackers (and put up for sale), then our nice system may tell you that it's not allowed. We're sorry that this can be confusing. It would be lovely to have the system tell you why it doesn't like your password, but that isn't possible at the moment.
The password rules are really quite simple these days. New passwords must:
- be a minimum of 16 characters long
- not contain your username
- not be a previously used password
- not be circulating on the dark web as an already 'known' password
Please put a few words together and try again.
If you're interested in how the security of passwords work, have a look at our longer explanation (intranet page).
Also... I thought my password was secret. How are you comparing it with other known passwords?
Your password is secret, and we don't store it anywhere directly. Even a Nuffield sysadmin cannot look your password up.
Only a type of hash of your password is stored, not the password itself.
A hash is the output of a one-way function: a fixed-length code computed from your password. You can make a hash from a password, but, if you start with the hash, you cannot work back to the password.[*] We compare the hash of your password with a list of hashes of passwords that have been stolen or breached in the past. If there is a match, we know that your password is not a good choice (it is in the lists that attackers try first). The comparison only ever involves the hash, so we still never hold a copy of the password itself.
[*] OK, that's not entirely true: an attacker with the hash can guess passwords and hash each guess to see if it matches. But for most 16-character passwords that aren't already on a breach list, it would take even the most powerful computers years to hit on the right one.
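To show how the four rules above and the hash comparison fit together, here is an added example in Python. It is not Nuffield's code, and the page does not say which hashes or lookup method the real system uses: the salted PBKDF2 hashing of previous passwords, the SHA-1 breach corpus (a constructed sample of four entries), and the "send only the first five hex characters" prefix lookup are all assumptions made for this illustration. Unlike the real system described above, this checker reports which rule failed.

```python
"""Illustrative password-policy check (added example, not Nuffield's code).

Implements the four rules on the page: at least 16 characters, must not
contain the username, must not be a previously used password, must not be
a 'known' (breached) password. Hash choices, the prefix lookup and the
sample data are assumptions for this example only.
"""
import hashlib
import hmac
import os
from typing import Iterable, List, Optional, Set, Tuple

MIN_LENGTH = 16
PBKDF2_ROUNDS = 100_000  # assumption: slow, salted hash for stored passwords


# --- Rule 3: previous passwords are kept only as salted hashes -------------
def hash_for_storage(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches_stored(password: str, salt: bytes, digest: bytes) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# --- Rule 4: breached passwords -------------------------------------------
def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form breach corpora are commonly published in (assumption)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample corpus: any real breach list is hundreds of millions of
# entries long and would certainly contain these four.
BREACHED_HASHES: Set[str] = {
    sha1_hex(p) for p in ["password", "123456", "qwertyuiop", "correcthorsebatterystaple"]
}


def breached_suffixes(prefix5: str, corpus: Set[str]) -> List[str]:
    """Stand-in for a prefix (k-anonymity) range lookup: the client sends only
    the first 5 hex characters of its hash and gets back every suffix in the
    corpus with that prefix, so the lookup side never sees the full hash."""
    return [h[5:] for h in corpus if h.startswith(prefix5)]


def is_breached(password: str, corpus: Set[str] = BREACHED_HASHES) -> bool:
    """True if the password's hash appears in the corpus; the password itself is never sent."""
    full = sha1_hex(password)
    return full[5:] in breached_suffixes(full[:5], corpus)


# --- All four rules together ----------------------------------------------
def check_new_password(
    password: str,
    username: str,
    previous: Iterable[Tuple[bytes, bytes]],
    corpus: Set[str] = BREACHED_HASHES,
) -> List[str]:
    """Return the list of violated rules; an empty list means the password is accepted."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if any(matches_stored(password, salt, digest) for salt, digest in previous):
        problems.append("previously used")
    if is_breached(password, corpus):
        problems.append("appears in a breach list")
    return problems


if __name__ == "__main__":
    history = [hash_for_storage("donkeyhotelroses")]  # constructed: user's old password
    for candidate in ["Tr0ub4dor&3", "correcthorsebatterystaple", "donkeyhotelroses", "greenkettleharbourmoon"]:
        print(f"{candidate!r}: {check_new_password(candidate, 'alice', history) or 'accepted'}")
```

Note that correcthorsebatterystaple passes the length rule and is easy to remember, yet is rejected: that is exactly the "apparently great-looking password" case the FAQ warns about, and the check finds it without ever looking at anything but a hash.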