Passwords at Oxford

1. Password Security

You are the target - protect yourself!

See Password Security for more information.

2. Passwords administered by IT Services

IT Services manages the passwords for the services listed below. Please note that each service is administered separately - changing a password for one service will not change anything else.

3. Password guidelines

  • Do not use the same password for different services.
  • Do not reveal your password to anyone. IT Services will never ask you for a password.
  • Do not write your password down.
  • Never include a password in an email message. If you do, we will change your password, protecting your account but causing you inconvenience and delay.
  • It is essential to change a password promptly if you have any reason to think that someone else may know it.
  • Use a secure password management app on your smartphone, tablet or PC.
  • Change your password regularly, not just when you are prompted to do so.

GCHQ have produced a password guidance document which contains some useful advice.

4. Passwords for services external to IT Services

IT Services does not administer the passwords for logging on to your college or departmental computer network. Contact your local IT Support if you need help or advice regarding logging in to a local network.

IT Services is also unable to help with passwords for Oracle Financials or passwords used in Libraries.

5. Changing a password

5.1 Oxford (SSO) account

An SSO account password has a lifetime of one year. You will start to be prompted to change it three weeks before it is due to expire.

  • An SSO password must include characters in three of these classes:
  1. Lowercase letters (a-z)
  2. Uppercase letters (A-Z)
  3. Digits (0-9)
  4. Punctuation characters (&,'^!."[]+- etc)
  • An SSO password:
  1. Must not be a dictionary word or a name.
  2. Must be different from, and not based upon, your Oxford username.
  3. Must not be one of your five most recent passwords.
  4. Must differ from the previous password by at least three characters.
  5. Must differ from the answer to your security question.
  • If you know your old password you can use it to set a new password.
  • If you have not done so, you are strongly recommended to set a security question. If you subsequently forget your password, this will allow you to recover the situation yourself without having to contact IT Services. This can save you a lot of trouble if you are regularly away from Oxford.
  • You can reset a forgotten password if you have set a security question. You have 3 chances to answer your security question correctly before you are locked out. If you cannot answer your security question please contact the IT Services Help Desk.
  • If you have forgotten your password and have not set a security question, or you don't know the answer, you will need to obtain a Rescue Code (see below).
  • If you have to use a Rescue Code, you will need to set a Security Question before you can reset your forgotten password.

5.1.1 Obtaining a Rescue Code

To obtain a Rescue Code, contact your local IT Support staff or the IT Services Help Desk. The options are:

  • Local IT Support Staff are able to set rescue codes for their users.
  • Telephone or, preferably, email the IT Services Help Desk and a rescue code will be sent to your college or departmental address by University Messenger. If you have registered an alternative email address the recuse code can be sent there instead.

5.2 Remote Access

Remote Access passwords have the same formatting rules as SSO passwords. Backslashes, backticks, spaces and single and double quotes are not allowed, though.

A Remote Access password does not expire annually. Instead its expiry date is linked to the lifetime of the user's University Card at the time that the password is changed.

A Remote Access password can be changed at any time. A new password will become active within 15 minutes.

Do not set your Remote Access password to be the same as your SSO password.

5.3 TSM backup

Routine changes to your TSM password must be done using the client software on your workstation. If your TSM password has expired, you can use the self-registration web page to set a new one in the same way as for a forgotten password.

5.4 Chorus

Your Chorus password and/or PIN can be changed at

Written by IT Services. Latest revision 1 December 2015