OpenAthens new password policy FAQ

What is happening with the new OpenAthens password policy?

The OpenAthens password policy will be changed to enforce increased complexity requirements before the end of 2022. This will apply to:

  • OpenAthens personal accounts
  • OpenAthens access accounts
  • OpenAthens administrator accounts

This will not apply to users logging in with accounts mapped into the OpenAthens service from your local identity provider.

What will change?

  • New minimum password length of 10 characters for users and administrators
  • The password must meet a minimum complexity score assessed by an industry-standard password strength checker

To implement these changes we have consulted the best practice password policy as defined by the UK National Cyber Security Council, as well as other industry guidance.

When are the changes coming?

There will be three overlapping release phases:

Phase one: starts on 15 August 2022

The new password policy will be released. This means all OpenAthens personal, access and administrator accounts created, renewed or reactivated after this release will have to comply with the new password policy.

Phase two: starts on 1st September 2022

OpenAthens accounts with administrator roles will start seeing prompts to change their password if it doesn’t meet the new password policy. However, they will be able to defer that action by using a Skip option until the 13th of November.

Screenshot from OpenAthens product. Title is Password change. Content is We are improving our password security and yours will need to be updated by 30th September 2022.
There are two buttons displayed, change now and skip

From the 14th of November, all OpenAthens administrator accounts with non-compliant passwords will be unable to proceed to a publisher’s site or resource until they update their password. They will be automatically redirected to the change password page.

Phase three: starts on 14th November

All OpenAthens personal accounts will start seeing prompts to change their password, where it doesn’t meet the new password policy. However, they will be able to defer that action by using a Skip option until the 13th of December.

From the 14th of December, all OpenAthens personal accounts with non-compliant passwords will be unable to proceed to a publisher’s site or resource until they update their password. They will automatically be directed to the change password page.

Will we be asked to reset OpenAthens passwords regularly?

Enforcing regular password resets is not part of this project, although we’re not ruling out introducing such a policy in the future.

Will OpenAthens contact personal account users to alert them of the need to change their passwords?

We have written to all OpenAthens administrators at organizations affected by these changes, rather than users. That is because we do not expect the impact of the change in password policy to be significant. Of the 890,000 existing accounts in the service, we estimate around 1% have passwords which will be too short and/or too weak to meet the new policy.

From the beginning of Phase 3, users of OpenAthens accounts whose password does not meet the new requirements will start seeing prompts to change it when using the service. They will be able to skip the reset prompt for one month, but at the end of Phase 3 they will be forced to update the password before they can continue.

Remember you can subscribe to our monthly product and service updates if you want to know about any new or upcoming enhancements to the service.

How can I tell if a password will meet the new policy?

When the new policy is released on 15 August, a password strength checker will be added to the password field on the account details page. This tool will let you test the strength of a password.

dddeee is a weak password
house pin is a weak password
house pin truck is a good password

With such a small number of affected accounts, why are you emailing all customers?

Users of accounts with passwords that do not comply with the new requirements will have to change their password after the end of Phase 3. We want to provide our customers with this information in advance in case you start receiving enquiries from users when the prompts start appearing.

In addition, we know some customers create OpenAthens documentation for local use, and many more create OpenAthens accounts manually. It is important to us to ensure all customers know about this change.

Your communications have implied the new password policy only affects new accounts and not those which already exist. Is that the case?

We’re sorry if our communications were somewhat ambiguous. The release of the new password policy on 15 August will be applied to:

  • All new administrator, personal, and access accounts
  • Existing accounts which are having their passwords reset, e.g., because it’s been forgotten.

Existing personal accounts whose passwords do not meet the new password policy will start seeing prompts to update their password from the beginning of Phase 3.

Can't find the answer you're looking for?

Get in touch and we’d be happy to help!

We will use the contact details you provide to us to send you information about our products and services.

You can opt out of our emails at any time by using the link in the emails and you can view our privacy policy.

All required fields are marked with '*'

  • How did you hear about OpenAthens?
  • This field is for validation purposes and should be left unchanged.