Guidelines to Password and Passphrase Selection (Feb-12-2016)
Passwords should be hard to guess. This means that passwords or components of passwords should meet the following criteria:
Don't use your login name in any form (as-is, reversed, capitalized, doubled, etc.)
Don't use names of persons, pets, places or things significant to you in any form.
Don't use numbers significant to you or someone close to you: phone numbers, birth dates, license numbers, etc.
Don't use any name, number, place or other item associated with the University.
Passwords should be immune as possible to attack by password cracking programs. This means that passwords or components of passwords should meet the following criteria:
Don't use a word contained in English or foreign language dictionaries, place names, and proper nouns.
Don't use passwords of all the same letter.
Don't use passwords based on simple keyboard patterns, such as ghjkl;' or qwerty.
Don't use any of the above reversed or followed/prepended by a single digit.
To construct a better password we recommend the following guidelines. Remember that the password should be easy to remember.
Use a password with unusual capitalization.
Use a password with nonalphabetic characters, e.g. numbers or punctuation, if your system allows them.
Choose a line from a book, poem or song or generate a sentence you will remember. Use the first letter of each word to generate the password. For example, "In Xanadu did Kubla Khan a stately pleasure dome decree" could become "IXdKKaspdd".
Concatenate words or parts of words. For example:
dog + rain becomes "dog:rain" or better "doG:raiN",
the + dog becomes "the1dog" or better "the1Dog=",
my + ninety + books becomes "my9tybooks" or better "mY9tyBooks".
Embed or interleave two or more words. This technique is not for everyone. Embedding and interleaving comes easily to some people but the combinations are impossible to remember easily for others. For example:
kitten + dog becomes "kitdogten" or better "kiTdogTen",
cat + dog becomes "cdaotg" or better "cd8ao;tg".
Alternate between consonants and vowels to construct nonsense words that are usually pronounceable, and thus easily remembered. For example:
rout + bo becomes "routbo" or better "rout;;BO",
quod + pop becomes "quodpop" or better "qUOd84pop".
- Use three or more uncommon words, for example “human golf equality bingo”.
- The phrase should not be common, for example a well-known saying or from a film or book, for example "go hawks go".
- Use spaces or special characters between words to further enhance the security. For example, “Human&golf=equality bingo!”.
- Secure passphrases should consist of at least three of the following elements however, users should be free to choose from any of these categories:
Special characters including space
System Specific Constraints
For unix systems at Laurier:
All unix systems (e.g. mach1, info, omnis, mserver) allow the use of alphabetic, numeric and special characters (e.g. - _ * $) in the password. Do not use the @ character or the # character as these have special meaning for unix.
At least 2 characters must be alphabetic and at least one character must be a digit or special character.
Minimum password length is 6 characters, only first 8 characters of a password are used.
The password cannot equal the login name or be a circular shift of the login name.
On a password change, the new password must differ from the old one by at least 3 characters.
For the Oracle password (also referred to as Banner, Student Information System, Finance, wlumenu):
Only alphabetic and numeric characters are allowed.
Minimum password length is 6 and at least 1 character must be numeric.
For the Network/Email password:
The Active Directory domain allows the use of alphabetic, numeric and special characters in the password.
- Minimum password length is 8 characters.
- The password must be different from your previous password.
- It must not contain your username, or first/last name.
- It must contain characters from three of the following: Uppercase, lowercase, digit, nonalphanumeric.
Once selected, your password should not be recorded anywhere either on paper or in a computer file.
Do not share your password with anyone. Anyone who needs access to the system will be given their own account.
Change your password regularly. Users on omnis are required to change their passwords every 90 days.
If you believe that your password has been compromised and that
your account, on any system, is being used by some other individual,
please contact the ICT Service Desk at ext 4357.
These guidelines are intended for your protection by making both your account and the University computer systems more secure.
Ready to update your network login with your new password or passphrase? You can do so by logging on https://iam.wlu.ca, follow the instruction on the screen to enroll for self-service, and change credentials there.