Strong passwords and two-factor authentication

Protect your devices, accounts and information from unauthorised access.

An easy way to protect your online accounts is to create strong passwords and set up multi-factor authentication. Follow our advice to keep your accounts safe and secure. 

Change your password

You can change your password and security questions using the York Identity Manager tool.

We recommend you change your password regularly. As a minimum, all staff have to change their password at least once a year. If you work with sensitive data, you might have to change it more frequently.

Top tips for account security

1. Set up two-factor authentication

Two-factor authentication (2FA) adds an extra layer of protection beyond your password. It typically involves verifying login attempts through a second device, like your phone. At York, we expect you to set up Duo and Google two-factor authentication, in addition to choosing a strong password. Without 2FA, we may lock your account.

Duo protects several key University services. However, Duo isn't used to log into your University Google account – this is so that your Google access doesn't depend on campus infrastructure. This means you'll be able to access Google services, such as Gmail, even if campus services are completely down.

Find out more about Duo and Google 2FA, including set up instructions and what to do if you lose your phone.

2. Use a password manager

Managing passwords can be a hassle, but password managers make it easy and secure. They generate strong, complex passwords and remember them all for you. Avoid using your web browser's built-in password manager (like Chrome, Edge, or Firefox). These are vulnerable to security risks and shouldn't be used.

LastPass is our recommended password manager, available to all staff and students.

Explore LastPass (password manager)

Related tip: To create a strong master password for your password manager (or any time you need a memorable password), think of a phrase only you know. Take the first letter of each word, and include at least one number and one uppercase letter. For example, "I have a black cat and he's five years old!" becomes Ihabcah5yo!

3. Meet the password minimum requirements

Strong passwords contain combinations of upper and lower case letters, numbers and symbols. Weak passwords are a security risk and are easy for malicious third parties to work out. 

Your password must contain:

  • 9 to 72 characters
  • a mix of upper and lower case letters 
  • at least one number or punctuation symbol.

Your password must not:

  • contain your username
  • be your current password or a password you have used in the past
  • be identical or similar to your other passwords
  • be based on a dictionary word
  • be based on easily discoverable information (such as the name of your pet)
  • use common letter and number substitutions (eg swapping '3' for 'E'). Tools that are used to crack passwords check these variations automatically, so they do not make the password stronger. The University's systems will reject passwords that are based on a dictionary word with just these changes.
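The rules above that can be checked without access to your other passwords, as an added example in Python. This is not the University's own validation code: the function names, the small word list and the substitution map (beyond '3' for 'E') are assumptions made for illustration.

```python
import string

# Constructed sample word list; a real checker would load a large dictionary.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "sunshine"}

# Assumed substitution map; the guidance above names only '3' for 'E'.
SUBSTITUTIONS = str.maketrans({"3": "e", "0": "o", "1": "l", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(text):
    """Undo common substitutions, then keep letters only."""
    return "".join(ch for ch in text.translate(SUBSTITUTIONS) if ch.isalpha())


def base_words(password):
    """Candidate base words: the whole password, and the password with
    digits and punctuation trimmed from both ends (e.g. a trailing '1!')."""
    lowered = password.lower()
    trimmed = lowered.strip(string.digits + string.punctuation)
    return {normalise(lowered), normalise(trimmed)}


def check_password(password, username, previous=()):
    """Return a list of rule violations; an empty list means it passes."""
    problems = []
    if not 9 <= len(password) <= 72:
        problems.append("length must be 9 to 72 characters")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        problems.append("needs both upper and lower case letters")
    if not any(c.isdigit() or c in string.punctuation for c in password):
        problems.append("needs at least one number or punctuation symbol")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    # Plain comparison keeps the example short; a real system would
    # compare against stored password hashes, never stored plaintext.
    if password in previous:
        problems.append("matches a current or previous password")
    # 'P@ssw0rd1!' normalises to 'password', so it gains nothing
    # over the plain dictionary word.
    if base_words(password) & DICTIONARY:
        problems.append("based on a dictionary word")
    return problems
```

With a constructed username of abc123, the mnemonic example Ihabcah5yo! passes every check, while P@ssw0rd1! meets the length and character rules but is still rejected as a dictionary word.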

LastPass (password manager) generates strong passwords for your accounts, so you don't have to. It's an easy way to meet our minimum requirements.

4. Keep your password private

Malicious third parties often target users with social engineering tactics, attempting to trick you into revealing your password. Remember these essential security tips:

  • Never share your password with anyone, not even us. 
  • Be cautious of unexpected requests. When someone asks for personal information, especially passwords, it could be a phishing attempt.
  • Don't click on links in suspicious emails or messages. Scammers often use fake websites to trick you into entering your password.