Password Policy FAQs

Information Services at the University of Regina is pleased to announce the University Password Management Policy effective February 26, 2018.

pwdThe new policy applies more stringent security controls for passwords based on information sensitivity of IT systems accessed by University of Regina users.

This policy consolidates password management controls to encompass all University applications and is applicable to all faculty, staff, students, and affiliates.  It consists of 3 documents; the governing Password Policy (OPS-050-035) and two supporting technical standards:

  • Password Management Standard passwordstandard: Intended for application and information system users, the standard outlines Low, Medium, and High risk account categories, with corresponding minimum password standards.
  • Authentication Management Standard authenticationstandard: Directed at application owners and information system administrators, this standard outlines the authentication requirements for for configuring systems and applications to securely manage passwords.


       Why is the password policy being implemented?

At a high-level, this policy brings new requirements in terms of minimum password complexity, maximum password age, limits on how passwords can be transmitted and other important changes to improve security.

University of Regina uses passwords as the primary authentication method for users to access IT systems in the conduct of University activities. The goal is to reduce the probability of compromised accounts being used to access University IT systems. The policy and associated standards are designed to ensure passwords are managed appropriately, both from the end user and system administrator roles, in order to minimize risk to University information assets. Information security is a shared responsibility; strong passwords are a critical part of this responsibility.  External research, such as Verizon's Data Breach Report, have shown that more than 80% of hacking-related breaches used either stolen and/or weak passwords. 

       What is changing?

In summary, the following requirements are included in the revised password standards:
  • Passwords must be changed at least once per year, or more often if necessary. Generally speaking, passwords must be a minimum of 8 characters for students, 10 characters for faculty and staff and 16 characters for system administrators.
  • All passwords must be of a sufficient complexity, which includes special characters, alphanumeric characters, or upper case characters.
  • It is not permissible to share or give your password to another person, including anyone claiming to be an University of Regina Information Services staff member. University of Regina Information Services will never ask for your password.
  • There is now a written requirement prohibiting use of your University of Regina password on non-University services, sites, or accounts.
  • Applications and systems need to be configured to enforce the password policies, wherever possible.

       I have a University of Regina account. What is my responsibility?

All members of the University of Regina constituency (account holders) are responsible for:
  • Protecting the password associated with your individually assigned university account(s).
  • Reporting any suspected incidents of password compromise on an account assigned to you. Anyone who reasonably believes their password is known by anyone else must change it immediately.
  • Any activity occurring due to non-compliance with this Policy and the associated standards.

       How often do I have to change my password?

The policy and related standard requires that passwords are changed annually. Going forward, account holders at the University of Regina will need to change their passwords every 365 days. The (Novell) accounts owners will be notified via automated emails prior to the expiry of their passwords. The notification is sent at 60, 30, 21, 14, 7 and 1 day(s) before expiry to your email address.

Having everyone in an organization complete a password change on a regular basis is considered a baseline security practice which ensures a potentially compromised password has a shorter usable lifespan. In addition, it helps discourage password sharing.

       My password is over a year old. Will I be locked out?

No. If your account password is currently greater than a year, you will granted a 30 to 60 day grace period to change your password. Notifications of the required change will be sent to your email address. However, all future yearly password change windows will not have a grace period which extends password validity beyond 365 days.

       What happens when my password expires?

If your password expires (ages beyond 1 year and the grace period without a change), your account will be locked. In order to log into your account after it has expired, please contact the IT Support Centre.

       Are there limitations on what my password can contain?

Yes. Passwords need to contain at least 3 of the 4 character sets. This means that when a new password is created, it must contain at least 3 of the 4 following types of characters:
  • Lower case characters
  • Upper case characters
  • Digits
  • Special characters such as punctuation, symbols, and other characters found on an English language QWERTY keyboard
Additionally, it is required that passwords do not consist of only dictionary words, or repeated characters such (111, AAA) or logical sequences (1234, abcd, qwerty).

These rules are designed to protected your account, as it makes password guessing much more difficult.

       Is password uniqueness required?

Yes. Passwords must be unique in two ways.

First, the new standards require users to utilize passwords for University of Regina accounts which haven’t been used for non-University of Regina accounts. This means that your U of R password shouldn’t be the same as your personal LinkedIn, Dropbox, or Facebook (or any other external site or service) password, or vice versa. If an external site or service, such as LinkedIn or Dropbox becomes breached, your account passwords could be released publically. When this happens and your password has been reused on your U of R account, your University account is at risk of unauthorized access. Having unique passwords negates this risk.

Secondly, passwords previously used for your University of Regina accounts should not be reused frequently, or periodic password changes become less effective. This is referred to as password uniqueness history. Applications should prevent users from utilizing the same 10 previous passwords or any passwords used in the previous 3 years.

       What length must my password be?

That depends on the type of data your password protects. Student, alumni, and retiree accounts do not usually have access to sensitive data beyond the account holder’s own data. These accounts can be secured with an 8 character password. If your account permits access to sensitive data about others, as an employee account often would, 10 characters is the minimum password length. Lastly, an account with access to restricted data, a privileged account (system administrator), or service accounts should be secured with a 16 character password. As access to data sensitivity increases, so does the password length requirements.

       Help, I have too many passwords!

Certainly, a large number of passwords can be a difficult to remember. However, tools such as a password managers can help. The University of Regina recommends the use of KeePass Password Safe to securely store and organize your account credentials. Please see the Password Manager Resources page for details on how to adopt KeePass Password Safe into your daily activities. When using a password manager, be sure to use a master password which is as strong (or stronger) as any of the credentials stored within the tool.

Another mechanism to assist with remembering passwords is the use of passphrases. Passphrases are longer passwords which consisting of a string of words separated by punctuation, which can actually be more secure and easier to remember than a shorter but more obscure password. The password guidelines speaks about passphrases.

       I am a system administrator or system owner, am I impacted?

Yes. If you own or have responsibility for a system, application, or service at the University of Regina, you are impacted. Systems and applications are required to ensure that authentication mechanisms to your system are configured and tested to align with the Authentication Management Standard. This, at a high level, requires that applications/systems are configured to enforce password complexity, change frequency, expiry amongst other requirements. If your system can not be configured to meet these standards, please follow the exception process.

       When are the policy and standards effective?

The policy was approved in January 2018 and with implementation commencing in March 2018.

       How do I change my password?

As always, your password can be changed at Further guidance on password changes can be found at the Change Password webpage

       Are Banner Self-Service PINs Included?

Banner Self Service PINs are currently exempted from the password policies and standards. Banner PINs do not have the ability to meet the complexity standards. All other applications and systems on campus not utilizing Banner PINs are in scope, however.

       Where can I find further information?

The governing policy is Password Management Policy OPS-050-035 which can be found on the University of Regina Policy website.

The supporting standards are the detailed technical controls required by the policy. The standards are made available on the Information Security website, and are split into two seperate documents:
  • The Password Management Standard authenticationstandard is targeted to all end users of the University of Regina. This standard requires users to construct passwords with the strength appropriate for the data to which the password protects. 
  • The Authentication Management Standard authenticationstandard is designed to guide system administrators, application owners, and purchasers of computer applications. This document provides the requirements on secure password transmission, configuration to meet enforce minimum password complexity, and using centralized authentication mechanisms. 
Questions regarding this policy can be routed to the Information Technology Centre:
Phone: 306-585-4685
Toll-free in Canada: 1-844-585-4685
In person at ED137 or Archer Library.