Setting up and changing your password

Setting up your password

When you register you will need to set a strong password containing a mixture of uppercase and lowercase letters, numbers, and non-alphanumeric characters [ ] ` ~ ! @ # $ % ^ & * ( ) _ + - = { } | \ : " ; ' < > ? , / .

Your password must also pass a check against a public list of known compromised passwords. During sign-up and password changes we check whether the password entered has been found in the haveibeenpwned.com public database of compromised passwords. If a password is found to have been previously compromised you will be asked to change it.

More information about password checking

How it works

The password checking process never transfers passwords in plain text. We take a 5-character prefix of a user's hashed password, then use the k-anonymity model to get a list of suffixes from the haveibeenpwned.com service. We compare the suffix of the user's hashed password with the equivalent suffixes of compromised passwords. If there is a match, the password entered has been compromised and should not be used. We will alert users to this fact and ask them to enter a new password. All communications with the service are sent over TLS and we never send your password to any other user or service.

Why we do this

Password reuse is commonplace because it is easy, but it is extremely risky. Hackers use a technique called credential stuffing to enter known username/password combinations in other systems. The haveibeenpwned.com database contains over 500 million passwords used by these breached accounts. Using any of these puts your account at a much higher risk.

Guidance from the National Cybercrime Security Centre also promotes the blacklisting of the most common password choices.

You can also use haveibeenpwned.com to see if your email account has been compromised in a public data breach.

Recording device ID

We record the device ID, IP address, operating system, and browser of users when they log in and store this against a user's account. We will then alert you if a new device is used. You can view a list of your devices on the Devices tab on the account details page. Any unusual activity can be reported to your administrator or [email protected]

Resetting your password

If you have forgotten your password for IDS, click the 'I have forgotten my password' link on the login screen.

You will be asked to enter your email address and an email will be sent to you with a link to a password reset page.

Changing your password

You can change your password at any time via the Account settings. Your new password must meet the criteria described above.