Managing ESR Passwords
To help our ESR users manage their ESR Password more easily while retaining the recommended levels of security, we are making some further changes to the rules.
Why are we changing the rules?
We have listened to employee feedback about the challenges of Password management in ESR and understand that this is an area that can cause frustration for users. As the national workforce management system for the NHS, it is vitally important that we safeguard the security of your data whilst balancing the need to make logging into ESR as easy as possible.
Our Password rules have always aligned with guidelines set out by the National Cyber Security Centre (https://www.ncsc.gov.uk/), but we understand that further changes need to be made to help NHS employees when they need to reset their Password.
What are we doing?
We have simplified our policy whilst ensuring that we retain the recommended rules.
Since April 2021:
There has been no expiry period enforced by default for Passwords on new ESR accounts. We strongly encourage NHS Organisations to consider the use of expiry periods on employee user accounts if you are still using them.
From August 2021:
We will remove the repeat/sequential character rule. This will leave 3 rules for Password requirements (as listed on the password reset page):
- Minimum password length of 12 characters.
- The password cannot be the same as any of the previous 4 passwords.
- Commonly used passwords, such as “password1”, are not allowed.
To help NHS employees and Organisations we are currently developing a new Password Help section on the ESR Hub. This will have simple guidance that will help employees better manage their ESR Password and provide guidance for NHS Organisations about how they can help remove the pain points of ESR Passwords for their Employee Self Service users.
The new Password Help section of the ESR Hub will be available from 13:00 on Friday 30th July 2021.