What a password policy is
A password policy is a guideline that can help you create, look after, and use your password. Setting and enforcing secure passwords on your school’s accounts is your first line of defence.
Why a password policy is important
It’s easy for cyber criminals to use passwords to get access to information that they can steal, sell, or destroy. Your school network can become vulnerable if users' passwords:
- are reused across personal and school logins
- are too short
- include common words
- include personal information.
Our recommendation – what your policy should include
Your password policy should recommend that all staff:
- change the default password given when they log in for the first time
- use different passwords for each account they have – at home and at school
- do not share passwords with anyone else
- use a password with a minimum of 10 characters for standard accounts and 16 characters for admin accounts, ideally using a phrase or multiple words
- have 2-factor authentication (2FA) enforced wherever possible
- do not use personal information in a password, like important dates or school names
- use a password manager.
The password policy should also include:
- words that will not be accepted for use in a password
- when staff should change their password
- who to contact if staff forget their password or think their password has been stolen.
How to set up a password policy
A password policy can be included as part of your school's acceptable use guidelines or as a separate document.
Implementing the password policy
Prioritise implementing or enforcing the policy for:
- administrator accounts – including anyone who can add or remove software, create new users or access financial systems
- your student management system
- Google or Microsoft logins, as they provide access to many other accounts
- email accounts – most software and apps use email to reset passwords, so protecting your email protects all your other passwords.
You should apply your password policy to the settings of your applications and systems. Your information technology (IT) provider or IT lead can help with this.
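As an added illustration (not part of the original guidance), the rules above that can be tested against a single candidate password can be written as a check: minimum length by account type, blocked words, personal information and an unchanged default password. The function name, the sample blocked words and the sample personal terms are assumptions constructed for this example; password reuse and 2FA have to be enforced in the systems themselves.

```python
import re

# Minimum lengths taken from the policy recommendations above.
MIN_LENGTH = {"standard": 10, "admin": 16}

# Constructed sample deny-list; the real list comes from the school's own policy.
BLOCKED_WORDS = {"password", "welcome", "qwerty", "letmein"}


def _normalise(text):
    """Lower-case the text and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password(password, account_type="standard",
                   personal_terms=(), default_password=None):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []

    minimum = MIN_LENGTH[account_type]
    if len(password) < minimum:
        problems.append(
            f"shorter than the {minimum}-character minimum for {account_type} accounts")

    # The default password issued at first login must be changed.
    if default_password is not None and password == default_password:
        problems.append("still the default password")

    # Compare on normalised text so separators and capitals do not hide a word.
    flat = _normalise(password)
    for word in sorted(BLOCKED_WORDS):
        if word in flat:
            problems.append(f"contains blocked word '{word}'")

    # Personal information such as important dates or the school name.
    for term in personal_terms:
        needle = _normalise(term)
        if len(needle) >= 3 and needle in flat:
            problems.append(f"contains personal information '{term}'")

    return problems


if __name__ == "__main__":
    # Constructed sample: a school name and a date used as a password.
    print(check_password("Kowhai-14/03/2015",
                         personal_terms=["Kowhai", "14/03/2015"]))
```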