Another day another orginisation linked to Scottish education proves it does not know what it is doing. SEEMIS, you are even more guilty. Across the land new passwords will be written on postit notes just like half of my SEEMIS one is. Here is the official advice on passwords. Don't enforce regular password expiry Regular password changing harms rather than improves security. Many systems will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user and there are costs associated with recovering accounts. Forcing password expiry carries no real benefits because: the user is likely to choose new passwords that are only minor variations of the old stolen passwords are generally exploited immediately resetting the password gives you no information about whether a compromise has occurred an attacker with access to the account will probably also receive the request to reset the password if compromised via insecure storage, the attacker will be able to find the new password in the same place from https://www.ncsc.gov.uk/collection/...tect all passwords,further damage can be done. PS during my last SEEMIS password reset I got my user name wrong and had access to a biologists SEEMIS for a couple of days. Maybe I still have access to it, but now I cant remember that user name, or the password I set for it.