​Notice to Schools 83/2017 − 9 August 2017

Strengthening VASS passwords

Principals/Directors, VASS Administrators and VCE, VCAL and VET Coordinators

Main Points

The VCAA are making changes to the Victorian Assessment Software System (VASS) security procedures to align with the Department's ICT Security Policy.

The password rules will come into effect with a rolling password expiration of existing passwords commencing mid-January 2018. Passwords will not expire during critical VASS data collection periods.

In preparation, the VCAA are encouraging schools to start making the changes to their VASS user passwords as soon as possible to enable a smooth transition.

VASS Administrators who create new school-based user accounts or issue new passwords to current accounts in VASS are requested to strengthen the initial or temporary password allocated to the account and ensure the initial/temporary password is changed at the first login to VASS. This is to familiarise users with the security changes being implemented by the VCAA.

Action Required

Principals/Directors should:

  • ensure that coordinators and VASS administrators are aware of the VASS password scheduled changes and create a plan to transition staff with VASS access to the new VASS password requirements by the due date.

Critical Dates

Mid-January 2018 – rolling password expiration of existing passwords commences

Additional information

DET password policy principles

Staff and other authorised users must take reasonable steps to protect the secrecy of their passwords. To do this, users must:

  • not share their userID and password with a third party
  • not write down their password and leave in a place where it could be easily found
  • take care when typing their passwords if they are being observed
  • change their password if they suspect that someone else knows it.

DET password policy rules

The Department’s ICT systems and applications that authenticate users via a userID and password must comply with the following:


  • Users must change their initial password at first logon.
  • Minimum password length of seven characters and maximum password length of 32 characters. Please note that currently the maximum password length is 10 characters only and will remain at 10 characters until the release in mid-January 2018.
  • Password must be complex.


The password must have a complex structure and contain at least one character from at least three of the four sets below:

  • lowercase characters (a-z)
  • upper case characters (A-Z) ( please note that this will make passwords case-sensitive)
  • numeric characters (0-9)
  • special characters and punctuation (e.g.!@#$ %^&).

Passwords will expire after 126 days from the anniversary of the account creation. Make sure you take note of the steps below:

  • On the next login, a prompt to change the password will appear.
  • If the password is not changed when prompted, the account will be locked.
  • A temporary or initial password will expire if not used and then changed within 10 days of issue.
  • A new password must be kept for one day before changing it.
  • An old password can be re-used after eight new passwords

For instructions refer to Changing your VASS password (docx - 148.09kb).

For VASS queries, contact VASS Operations: (03) 9032 1758 or 1800 623 681, fax (03) 9032 1591 or  vass.support@edumail.vic.gov.au.