How to pick a good password

Teach First Password Policy

Minimum length: 14 characters
Password complexity (uppercase, lowercase, numbers, special characters) is no longer required.
Passwords no longer expire.

Creating Strong Passwords (Passphrases)

A strong password doesn't have to be complicated, it should be long and easy to remember. Using a passphrase is the simplest and most secure approach. A passphrase is a sequence of words or a short sentence that is memorable for you but difficult for others to guess.

However, avoid overly obvious or related words, try selecting random words that don’t directly relate to each other. Additionally, avoid using any example passphrases provided here.

Examples of Strong Passphrases:

"PurpleButterflySingsOpera"
"ReadingBooksUnderOakTrees"
"CoffeeMugCatNapSunshine"

Common Password Patterns to Avoid

Research shows that predictable password habits greatly weaken security:

77% of passwords containing a digit place it at the end, with "1" being the most common digit.
35% of passwords that require a capital letter capitalise the first letter.
89% of 7-character passwords using alphabetic strings either capitalise the first letter or the entire word.
Around 10% of users base their passwords directly on their usernames.

Avoiding these patterns significantly increases your account security.

Additional Recommendations for Secure Passwords

Aim for length over complexity: Longer passwords or passphrases increase security exponentially.
Don't use common substitutions like "@" for "a", "$" for "s", or "!" for "i", as attackers anticipate these substitutions.
Never use keyboard sequences or patterns like "qwerty" or "1q2w3e4r".
Create unique passphrases for different accounts to prevent breaches from affecting multiple accounts.
Use a password generator: Websites like mdigi.tools or 1Password Password Generator can help create robust and memorable passwords.

Strengthening Security with Multi-Factor Authentication (MFA)

Multi-Factor Authentication significantly enhances your account security by requiring additional verification beyond just your password. Passkeys are the most secure method of MFA because:

They eliminate the risk associated with password reuse and phishing.
Passkeys use cryptographic methods tied directly to your device, ensuring only you can authenticate access.

We strongly recommend setting up passkeys as your primary MFA method.

You can see how to set up a passkey here: https://support.teachfirst.org.uk/support/solutions/articles/1000061669

Why We've Updated the Password Policy

We've changed our policy because research shows that traditional password rules often inadvertently reduce security:

Password expiration leads users to choose predictable and easily guessable passwords.
Complexity rules often encourage simpler and predictable password creation.

By focusing on password length and removing complex requirements, we enable more secure and memorable passwords.