OpenAthens new password policy FAQ
What is happening with the new OpenAthens password policy?
The OpenAthens password policy will be changed to enforce increased complexity requirements before the end of 2022. This will apply to:
- OpenAthens personal accounts
- OpenAthens access accounts
- OpenAthens administrator accounts
This will not apply to users logging in with accounts mapped into the OpenAthens service from your local identity provider.
What will change?
- New minimum password length of 10 characters for users and administrators
- The password must meet a minimum complexity score assessed by an industry-standard password strength checker
To implement these changes we have consulted the best practice password policy as defined by the UK National Cyber Security Council, as well as other industry guidance.
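The two-part rule above (a 10-character minimum plus a minimum strength score) is the kind of check an administrator's account-creation script can apply before submitting a password. The following is an added example, not OpenAthens' own checker: the page does not name the industry-standard strength checker it uses, so the scoring here is a simplified stand-in (character-set size, length, and a small constructed list of common passwords and weak patterns), and the score threshold of 3 on a 0 to 4 scale is an assumption.

```python
"""Illustrative password-policy check: minimum length plus a strength score.

Added example, not OpenAthens' own checker. The scoring below is a
simplified stand-in for the unnamed "industry-standard" checker the
page refers to; only MIN_LENGTH comes from the page.
"""
import math
import re

MIN_LENGTH = 10   # stated on the page
MIN_SCORE = 3     # assumed threshold on the 0-4 scale used below

# Constructed sample of very common passwords (stand-in for a real list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome"}


def _charset_size(pw: str) -> int:
    """Size of the alphabet the password appears to draw from."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return size


def _has_weak_pattern(pw: str) -> bool:
    """Common word (with trailing digits/symbols stripped), repeats, or runs."""
    lower = pw.lower()
    stripped = re.sub(r"[0-9!@#$%^&*]+$", "", lower)   # "Password1" -> "password"
    if lower in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        return True
    if re.search(r"(.)\1{2,}", pw):                     # "aaa"
        return True
    for i in range(len(lower) - 3):                     # "abcd", "1234"
        run = lower[i:i + 4]
        if all(ord(run[j + 1]) - ord(run[j]) == 1 for j in range(3)):
            return True
    return False


def strength_score(pw: str) -> int:
    """Bucket estimated guessing entropy (bits) into 0-4; weak patterns cap at 1."""
    if not pw:
        return 0
    bits = len(pw) * math.log2(_charset_size(pw))
    if bits < 28:
        score = 0
    elif bits < 40:
        score = 1
    elif bits < 60:
        score = 2
    elif bits < 75:
        score = 3
    else:
        score = 4
    if _has_weak_pattern(pw):
        score = min(score, 1)
    return score


def check_password(pw: str) -> dict:
    """Apply both policy rules and report which ones failed."""
    length_ok = len(pw) >= MIN_LENGTH
    score = strength_score(pw)
    reasons = []
    if not length_ok:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if score < MIN_SCORE:
        reasons.append(f"strength score {score} below required {MIN_SCORE}")
    return {"ok": not reasons, "length_ok": length_ok, "score": score, "reasons": reasons}


if __name__ == "__main__":
    for candidate in ["Password1", "abcd1234567", "Tr0ub4dor&3", "correcthorsebattery"]:
        print(candidate, check_password(candidate))
```

Note that a password can satisfy the length rule and still be rejected on score (a long keyboard run, for instance), which is why the result reports both checks separately rather than a single pass/fail.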
When are the changes coming?
Although some details remain to be finalized, there will be three overlapping release phases:
Phase one: starts on 15 August 2022
The new password policy will be released. This means:
- All OpenAthens personal, access and administrator accounts created after this release will have to use the new password policy
- When these account types are amended in any way (renewed, reactivated or any other account change), the password will also have to be reset under the new password policy
Phase two: start date TBC
OpenAthens accounts with administrator roles will start seeing prompts to change their password if it doesn’t meet the new password policy. They will only have to do this once. However, they will be able to defer that action by using a Skip option.
One month after the start of this phase, all OpenAthens administrator accounts with non-compliant passwords will be unable to proceed to a publisher’s site or resource until they update their password. They will be automatically redirected to the change password page.
Phase three: start date TBC
All OpenAthens personal accounts will start seeing prompts to change their password where it doesn’t meet the new password policy. They will only have to do this once. However, they will be able to defer that action by using a Skip option.
One month after the start of this phase, all OpenAthens personal accounts with non-compliant passwords will be unable to proceed to a publisher’s site or resource until they update their password. They will automatically be directed to the change password page.
Will we be asked to reset OpenAthens passwords regularly?
Enforcing regular password resets is not part of this project, although we’re not ruling out introducing such a policy in the future.
Will OpenAthens contact personal account users to alert them of the need to change their passwords?
We have written to all OpenAthens administrators at organizations affected by these changes, rather than users. That is because we do not expect the impact of the change in password policy to be significant. Of the 890,000 existing accounts in the service, we estimate around 1% have passwords which will be too short and/or too weak to meet the new policy.
From the beginning of Phase 3, users of OpenAthens accounts whose password does not meet the new requirements will start seeing prompts to change it when using the service. They will be able to skip the reset prompt for a while, but at the end of Phase 3 they will be forced to update the password before they can continue.
Remember you can subscribe to our monthly product and service updates if you want to know about any new or upcoming enhancements to the service.
How can I tell if an existing account password will meet the new policy?
When the new policy is released on 15 August, a password strength checker will be added to the password field on the account details page. This tool will let you test the strength of a password.
With such a small number of affected accounts, why are you emailing all customers?
Users of accounts with passwords that do not comply with the new requirements will not be able to log in after the end of Phase 3. OpenAthens administrators will be able to reset those passwords manually after the deadline, but we want to provide our customers with this information in advance in case you start receiving enquiries from users when the prompts start appearing.
In addition, we know some customers create OpenAthens documentation for local use, and many more create OpenAthens accounts manually. It is important to us to ensure all customers know about this change.
Your communications have implied the new password policy only affects new accounts and not those which already exist. Is that the case?
We’re sorry if our communications were somewhat ambiguous. The release of the new password policy on 15 August will be applied to:
- All new administrator, personal, and access accounts
- Existing accounts which are having their passwords reset, e.g., because it’s been forgotten.
Existing accounts whose passwords do not meet the new password policy and do not need a password reset will start seeing prompts to update their password from the beginning of Phase 3.