Password Guidelines

Passwords are critical to information security. It is usually the only evidence that you are who you say you are. Therefore, a good password should be easy to remember, but difficult to guess. The password should be difficult to guess for both, people that know you well, and for password crackers or malware.

Since most users have many passwords to remember, it is common to take dangerous shortcuts with our passwords. For example, writing passwords down, or using the same password for many websites can allow bad actors to compromise your information, or information of others which you have access to.

A number of helpful techniques, guidelines, and tools have been provided to help you make good password choices. 

Standards governing the usage of password-based authentication at the University of Regina include the Password Management Standard passwordstandard for end-users and the Authentication Management Standard authenticationstandard for application/system owners and administrators. 

Strong Passwords

The stronger a password is, the more difficult it will be for malicious software and hackers to be able to brute force, or crack. Typically, an application, website, or network administrator will require a minimum strength of password. However, you should make sure to have a strong password even if it is not enforced. 

A strong password has the following characteristics:

  • Is at least 8 characters in length. Longer passwords are more secure. You should not aim for the minimum required strength.
  • Is different from previously used passwords.
  • Contains a combination of characters from each category:

Character category

Examples

Uppercase letters

A, B, C

Lowercase letters

a, b, c

Numbers

0, 1, 2, 3, 4, 5, 6, 7, 8, 9

Symbols found on the keyboard

` ~ ! # % ^ & * ( ) _ - + = { } [ ] | : , . ? /

Note: Banner passwords must not include the following special characters: @ $ \ " ' < > ;

Banner will verify that these special characters are not present prior to accepting a new Banner password.

Passphrases

Often, even short but complex passwords are hard to remember. Therefore, you can consider a longer password consisting of a string of words separated by punctuation, which can actually be more secure and easier to remember than a shorter but more obscure password. If your passphrase is made up of all dictionary words, adding a variety of character classes is highly recommended to obscure the word.

Password Guidelines

Choosing a strong password can be difficult. The simple tips below are intended to assist you with choosing a good password.

  • Do not use a password containing a word found in a dictionary.
  • Do not use any part of your first, middle, or last name to form a password. Do not use maiden names, initials, or nicknames. 
  • Do not use information that can be obtained about you. This may include pet names, names of friends or relatives, phone numbers, name of the street you reside on, etc.
  • Do not use your user name in any form as part of your password.
  • Do not use keyboard sequences such as qwerty or logical sequences such as abc123.
  • Do not use a password entirely consisting of numbers or letters. It is preferential to mix letters, numbers, and special characters.
  • Do not share accounts with co-workers, friends, or family.
  • Do not reveal a password with anyone including University of Regina IT Support Centre.
  • Do not use default passwords. Always change your password after logging into a system for the first time.
  • Do not write passwords down. This includes in an email, sticky notes, or anywhere online. 
  • Do not use dates in any format for passwords. 
  • Do not use the same password for different applications, websites, or services. There is a more detailed ruleset in the governing standards (Password Management Standard passwordstandard and Authentication Management Standardauthenticationstandard) which provides the requirements depending on your account category.

Password Tools

Two Factor Authentication

Where ever available, you should enable two-factor authentication. This additional layer of protection means that you require more than just your password to access your account. In addition to your password, examples of a second authentication factor include a one-time use code sent via text to a mobile phone, a hardware token, or a biometric requirement such as a fingerprint.

Two-factor authentication requires both "something you know" (like a password) and "something you have" (like your phone, or finger print). Most online services have options to enable two-factor authentication:

For a more inclusive list of services offering two-factor authentication, visit twofactorauth.org. For every service you use that supports it, you should enable two-factor authentication. In combination with unique, strong passwords, it is one of the best ways to keep your data safe.

Password Generators

To generate unique, strong passwords, consider using a strong password generator. A password generator will permit you to specify the length and number of character classes to include in your password. For example, KeePass Password Safe, a free password manager, inlcudes password generation functionality. This tool will allow you to construct a password of suffiicent strength to meet the minimum password standards.

Password Managers

To help manage multiple passwords securely, passwords can also be stored securely in free and low-cost "password vault-type" encryption tools. Password managers are recommended as they help users to use unique passwords for every application, they allow use of very complex passwords, and they help avoid forgetting passwords or writing them down. Password managers usually store passwords in an encrypted database, which requires the user to create a very strong master password to access the password database.

The recommended password manager is KeePass Password Safe. Full details are available on the Password Manager webpage.