
Setting up and changing your password

Setting up your password

When you register you will need to set a strong password containing at least 10 characters. The password should also include a mixture of uppercase and lowercase letters, numbers, and non-alphanumeric characters [ ] ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | \ : " ; ' < > ? , / .
 
Your password must also pass a check against a public list of known compromised passwords. During sign-up and password changes we check whether the password entered has been found in the haveibeenpwned.com public database of compromised passwords. If a password is found to have been previously compromised you will be asked to change it.
 
More information about password checking

How it works

The password checking process never transfers passwords in plain text. We take a 5-character prefix of a user's hashed password, then use the k-anonymity model to get a list of suffixes from the haveibeenpwned.com service. We compare the suffix of the user's hashed password with the equivalent suffixes of compromised passwords. If there is a match, the password entered has been compromised and should not be used. We will alert users to this fact and ask them to enter a new password. All communications with the service are sent over TLS and we never send your password to any other user or service.
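The prefix and suffix comparison described above, as an added example that is not this site's own code. It assumes SHA-1 hashing and the SUFFIX:COUNT response lines used by the public haveibeenpwned.com range API; `fake_range_service` and the sample passwords are constructed stand-ins so the example runs offline.

```python
import hashlib
import re

# Assumed response line format of the public range API: 35 hex chars, ':', count.
LINE_RE = re.compile(r"([0-9A-Fa-f]{35}):([0-9]+)")

def split_hash(password: str) -> tuple[str, str]:
    """Hash locally; return (5-char prefix, 35-char suffix) of the SHA-1 hex digest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(suffix: str, range_body: str) -> int:
    """Return how often `suffix` appears in a range response (0 if absent)."""
    for line in range_body.splitlines():
        match = LINE_RE.fullmatch(line.strip())
        if match and match.group(1).upper() == suffix:
            return int(match.group(2))  # a count of 0 is a padding entry, not a hit
    return 0

def is_compromised(password: str, fetch_range) -> bool:
    """Only the prefix is handed to `fetch_range`; the suffix is compared locally."""
    prefix, suffix = split_hash(password)
    return breach_count(suffix, fetch_range(prefix)) > 0

# Constructed sample data: passwords and counts invented for this example.
CONSTRUCTED_BREACHED = {"password": 3, "P@ssw0rd": 52}
SEEN_BY_SERVICE = []  # records everything the stand-in service receives

def fake_range_service(prefix: str) -> str:
    """Hypothetical offline stand-in for the range endpoint."""
    SEEN_BY_SERVICE.append(prefix)
    lines = ["0" * 35 + ":0", "not a valid line"]  # padding-style and malformed entries
    for known, count in CONSTRUCTED_BREACHED.items():
        known_prefix, known_suffix = split_hash(known)
        if known_prefix == prefix:
            lines.append(f"{known_suffix.lower()}:{count}")
    return "\r\n".join(lines)

if __name__ == "__main__":
    for candidate in ("password", "Tr1cky-Giraffe~Lamp92"):
        verdict = "rejected" if is_compromised(candidate, fake_range_service) else "accepted"
        print(candidate, "->", verdict)
    print("service saw only:", SEEN_BY_SERVICE)
```

The stand-in service records every value it receives, which makes it easy to confirm that only 5-character prefixes ever leave the caller.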

Why we do this

Password reuse is commonplace because it is easy, but it is extremely risky. Hackers use a technique called credential stuffing to enter known username/password combinations in other systems. The haveibeenpwned.com database contains over 500 million passwords used by these breached accounts. Using any of these puts your account at a much higher risk.

Guidance from the National Cybercrime Security Centre also promotes the blacklisting of the most common password choices.

You can also use haveibeenpwned.com to see if your email account has been compromised in a public data breach.

Recording device ID

We record the device ID, IP address, operating system, and browser of users when they log in and store this against the user's account. We will then alert you via email if a new device is used. You can view a list of your devices in ‘My Account’ and ‘Devices’. Any unusual activity can be reported to your administrator or [email protected]

Resetting your password

If you have forgotten your password for IDS, click the ‘Forgot your password?’ link on the login screen.

On the forgot password page, you will be instructed to type in your email address and click ‘continue’. If a matching account was found, then an email will be sent to your email address. Click the unique link in the email to input a new password. 

Changing your password

You can change your password at any time via the ‘My Account’ tab. Go to ‘My Account details’ to change your password. Your new password must meet the criteria described above.