Skip navigation

Procedure: Passwords


The University provides access to information infrastructure and services to authorised users within the University community. Passwords are the primary means of authenticating user access to ANU information services and systems. This procedure establishes the minimum standards for University system passwords and/or passphrases, and outlines their correct use.


Definitions of terms used in this document are provided in the overarching Information technology security policy.

Standard users: those users who do not have privileged or elevated access to University systems, as defined in the Information technology account management and access procedure.


  1. ANU is committed to ensuring appropriate security for all information technology, data, equipment, and processes within its domain of ownership and control.
  2. The University provides access for all:
  1. authorised users within the University community; and
  2. network connecting devices authorised for connection, and that have been allocated an IP address within the University's IP Address range.
  1. Suspected or known security incidents must be reported to the ITS Cyber and Digital Security Team by emailing and remediation is coordinated from that office.
  2. The use of the term password(s) in this document also includes passphrases(s).

University responsibilities

  1. The University is responsible for:
  1. providing and maintaining access to systems and resources for authorised users;
  2. suspending any part of an authorised user's access as a result of a security concern or policy breach, resulting from penalties or disciplinary action; and
  3. maintaining and amending minimum password standards as appropriate, to reflect current IT security protocols.

User responsibilities

  1. Users:
  1. observe and comply with all relevant policies and procedures;
  2. do not disclose their password to anyone else under any circumstances; and
  3. do not allow any other individual access to a service or resource authenticated with their credentials
  1. Passwords used for University systems are not reused for other systems or services.
  2. User passwords are changed in accordance with the published account management standards for the system/service that they are accessing.
  3. Passwords believed to have been compromised are changed immediately and the matter is reported by the user to the ITS Cyber and Digital Security Team by emailing, in accordance with the Information technology security policy. In this event staff members also notify their supervisor.
  4. If a user wishes to record and store passwords, the following measures are undertaken:
  1. records in hard copy are stored in a locked drawer, cabinet, room or area where access is controlled or has sufficient access control measures; and
  2. records in electronic format are stored on a system that requires user authentication.

System owner responsibilities

  1. System owners enforce the minimum password standards set out in this document when allowing user access to the systems under their ownership.
  2. System owners of systems containing sensitive or highly sensitive data:
  1. may heighten authentication requirements in line with the Enterprise systems management standard; and
  2. publish heightened authentication requirements to users of that system directly at the time the account is issued and at least annually thereafter.

Minimum password standards

  1. Standard user passwords meet the following requirements. Passwords:
  1. are a minimum of 10 characters;
  2. include at least one character from each of at least three of the following groups:
  • lowercase characters (a - z)
  • uppercase characters (A – Z)
  • digits (0 - 9)
  • punctuation and special characters ($, !, %, ^, (, ), {, }, [, ], ;, :, <, >, ?)
  • unicode characters; and
  1. do not consist of:
  • the account name in any form (as-is, reversed, capitalised, doubled, etc.);
  • the user’s first or last name in any form;
  • simple patterns of letters on keyboards; or
  • any well-known or publicly posted identifiable information.

Initial and reset password generation

  1. All initial and assisted reset passwords are generated randomly.
  2. Requests for user password resets require suitable proof of identity before being actioned. Suitable proof of identity for password resets include:
  1. photo ID;
  2. supervisor identification; or
  3. satisfactory challenge-responses.
  1. All password resets generate an auditable log indicating at a minimum the date, time, account name, and who conducted the reset.
  2. Password resets conform to the same controls as set out for initial password generation.
  3. User passwords are only recorded upon initial generation. Only one copy is made and this is provided directly to the owner of the password.
  4. User passwords are not disclosed to anyone other than the password owner under any circumstances.
  5. Group passwords are discouraged. Where no alternative exists, group passwords can:
  1. only be disclosed to individuals who have been authorised to access a particular electronic resource or service as part of that group.
  2. be changed whenever a member of the group leaves the group or at least as often as a user password.

Identity self service portal

  1. Some systems utilise the Identity Self Service Portal (ISSP) to generate and manage passwords. The following apply to passwords generated and managed in this manner.
  2. The initial password is valid for 14 days, after which it will expire.
  3. When issued with an initial password, users change the issued password immediately by:
  1. logging into the Identity Self Service portal;
  2. reading the required ANU policies; and
  3. setting up security questions and answers.
  1. All passwords created using the ISSP have a minimum lifespan of 24 hours. A user can not change their password again during this period, except via an assisted password reset.
  2. All passwords created using the ISSP have an expiry period of 180 days.
  3. Users receive an automatic email notification after a password reset has occurred.
  4. Users cannot use any of the previous five passwords when setting a new password.
  5. An assisted password reset provides the user with a temporary password to be used only once to log in to the ISSP. This password is valid for 24 hours only, after which the password will expire.
  6. After a password has expired, users are still able to log into the Identity Self Service portal to reset their passwords.


Printable version (PDF)
Title Passwords
Document Type Procedure
Document Number ANUP_013008
Version 6
Purpose Passwords are the primary means of authenticating user access to ANU information services and systems. This procedure establishes the minimum standards for University system passwords and/or passphrases.
Audience Staff, Students, Alumni, Affiliates
Category Administrative
Topic/ SubTopic Information Technology - Security
Effective Date 2 Apr 2019
Next Review Date 5 Apr 2024
Responsible Officer: Director, Information Technology Services
Approved By: Chief Operating Officer
Contact Area Information Technology Services
Authority: Information Infrastructure and Services Rule 2020
AS ISO/IEC 27002:2015
Australian National University Act 1991
Australian Government Protective Security Policy Framework
Public Governance, Performance and Accountability Act 2013
Public Governance, Performance and Accountability Rule 2014
Australian Government Department of Finance and Deregulation Finance Circular No. 2009/08
Crimes Act 1914 (Cth)
Privacy Act 1988
Telecommunications Act 1997
Telecommunications Regulations 2021
Delegations 0