IT Services passwords

The Information Security team provide guidance on creating strong passwords.  GCHQ also provide further advice in their password guidance document.

Login to a service.


For specific rules for each account password, please see the relevant sections below.  These are general guidelines about all passwords.

  • Do not use the same password for different services.
  • Do not reveal your password to anyone (we will never ask you for a password).
  • Do not write your password down.
  • Never include a password in an email message (we will be required to change your password to protect your account, causing you inconvenience and delay).
  • It is essential to change a password promptly if you have any reason to think that someone else may know it.
  • Use a secure password management application on your computer, smartphone or tablet.
  • Change your password regularly, not just when you are prompted to do so.

Expand All

Multi-factor authentication (MFA) is being implemented for customers of Single Sign-on (SSO) across the University. Anyone with a Single Sign-On account will be expected to adopt multi-factor authentication. This will include:

  • A new login page, with University of Oxford branding. On this page, the customer is expected to enter only their Oxford username and Single Sign-On cresentials. This should be done in the format of abcd1234@OX.AC.UK. Note that all letters after the @ symbol are capitalised.
  • A change to the Single Sign-On password length. Customers will be required when changing their password, to use a minimum of 16 characters. This change will take place on a rolling basis, with customers required to change their passwords upon expiry of their current password.
  • Second factor – A second step will be added which involves customers receiving a code (e.g. via a mobile, landline or text message) or generating a code using the mobile app (this requires no mobile (4G etc.) or Wi-Fi connectivity to their mobile device) clicking approve and entering the code into the required field when prompted. Once the second factor is activated, the requirement to enter a code will depend on individual circumstances such as devices, settings and location, and so most users will rarely be prompted. This will be phased in for all customers starting the 11th November 2020 to March 2021. Single Sign-On customers will be changed over in alphabetical order of surname.
  • Help and guidance is available for setting up Multi-factor authentication.

Your SSO account is used to access a number of services including:

Further SSO details can be found on the Oxford Username page.


The rules the Single Sign-On password must follow are that it:

  • is a minimum of 16 characters.
  • must not be a dictionary word or a name.
  • must be different from, and not based upon, your Oxford username.
  • must not be a previously used password.
  • must differ from the previous password by at least three characters.
  • must contain at least 5 different characters.


Your SSO account password has a lifetime of one year.  You will start to be prompted to change it three weeks before it is due to expire.

  • If you know your old password you can use it to set a new password.
  • If you have set your security questions you can reset a forgotten password.
  • If you have not done so already, you are strongly encouraged to set your security questions.
  • If you have forgotten your password and have not set security questions, or provide 3 incorrect responses to your security questions, you will need a rescue code.
  • Your local IT Support Staff can provide you with a rescue code.
  • The IT Services Service Desk can send a rescue code to your registered alternate email address, or by University messenger to your primary college or departmental address.


  • Minimum of 16 character passwords for all University accounts.
  • Pick four random words and use them as your password, e.g. CorrectHorseBatteryStaple. But please do not use this example!
  • Use a password manager like LastPass or KeePass to generate and store long, random, complex passwords.
  • If you must write down any password, keep it somewhere secure which only you can access.  


  • Do not use one long word, even an obscure one. Use multiple, unrelated words.
  • Do not re-use passwords. Ever.
  • Do not use something you have already used as an answer to a security question on any system.
  • Do not use passwords based on personal information that another person might be able to guess or discover online. Examples include: your college or department, names of family, friends or pets, birthdays, car registrations, holiday destinations, and many more

A Remote Access account is used to access:

  • the eduroam WiFi service.
  • the VPN (Virtual Private Network) service.

To use Remote Access, you use your Oxford username and your Remote Access password.  A Remote Access account can be created or the password changed through the Self-Registration pages, with any status queries clarified on the card entitlements page.

Further details can be found on the Remote Access Account page.


The rules the Remote Access password must follow are that it:

  • must include at least one character from three of the following:
    • Lowercase letters (a-z)
    • Uppercase letters (A-Z)
    • Digits (0-9)
    • Punctuation characters (such as &'^!."[,]-+)
  • must contain between 10 and 24 characters.
  • must contain at least five different characters.
  • must not contain backslashes, backticks, spaces, single quotes or double quotes.
  • must not be a dictionary word or a name.
  • must not be a subset or superset of your current password.
  • must not be based on your SSO username.
  • must not be the same as your SSO password.


Your Remote Access password's expiry date is set to your University card's current expiry date whenever the password is changed.

  • Your Remote Access password can be created or updated through your Self-Registration pages.
  • The new password will become active within 15 minutes.

An OpenScape account is used to access:


The rules the OpenScape password must follow are that it:

  • must contain at least one character from each of the following:
    • Lowercase letters (a-z)
    • Uppercase letters (A-Z)
    • Digits (0-9)
    • Punctuation characters (such as &'^!."[,]-+)
  • must contain between 8 and 32 characters.
  • must not contain spaces, single quotes or double quotes.
  • must not contain any character more than three times in succession.
  • must not be the same as your SSO password.


Your OpenScape password can be changed or reset your through your Self-Registration pages.

    A Chorus voicemail password is used for:

    • the Chorus telephone system's voicemail service.


    The rules the Chorus voicemail password must follow are that it:

    • must only include following characters:
      • Digits (0-9)
    • must contain 6 digits.
    • must not contain more than three of the same digit.
    • must not be in a sequence.


    Your Chorus voicemail password can be changed or reset your through your Self-Registration pages.

    An HFS backup password is used for:

    • the HFS backup client.


    The rules the HFS backup password must follow are that it:

    • must contain at least two characters from either of the following
      • Lowercase letters (a-z)
      • Uppercase letters (A-Z)
    • must contain at least one character from either of the following:
      • Digits (0-9)
      • Plus, period, underscore, hypen or ampersand characters (+._-&)
    • must contain between 10 and 63 characters.


    HFS backup client passwords expire 190 days after being set.

    • Your HFS backup password can be changed through the HFS Portal.

    A CONNECT account is used to access:


    The rules the CONNECT account password must follow are that it:

    • must include at least one character from three of the following:
      • Lowercase letters (a-z)
      • Uppercase letters (A-Z)
      • Digits (0-9)
      • Punctuation characters (such as &'^!."[,]-+)
    • must contain at least 8 characters.
    • must not have been used as one of your previous 24 passwords.


    Your CONNECT password will need to be changed every 12 months.

    For advice on accessing computers or facilities on your college or departmental computer network, please contact your local IT support teams.

    Please see the login to a service page, which details what password you need for a number of services and accounts.  If IT Services do not directly support the service there will be a link to the team that does.

    There is information available on passwords used at the Bodleian Libraries.

    Get support

    Local IT support provide your first line of on-the-spot help



    Common requests and fault reports can be logged using self-service

       USE IT SELF-SERVICE      

       LOG A SUPPORT CALL     



    The central Service Desk is available 24x7 on +44 1865 6 12345


    If you do not have an SSO account you can use this form to contact the Service Desk