Subject: Password Policy
Group: Institutional
Approved by: Vice-President (Administration)
Approval date: April 14, 2000
Effective date: April 14, 2000
Administered by: Director of Computing Services

An employee who has access to the University's financial system must change the password that gives him or her that access at least once each 90 calendar days.

The password used for the University's financial system cannot be used on any other University account or system or with any INTERNET service provider.

The password must not be recorded on paper or on-line and must not be shared with anyone.

The following rules must be observed when this password is chosen:

  • It must be at least 6 characters in length.
  • It must include at least one character from three of the following four classes: lowercase letters; uppercase letters; digits; and punctuation marks.
  • It must be significantly different from previous passwords.
  • It must not include any of the employee's names, the names of members of his or her family or information
  • It must not be easily obtainable about the employee such as his or her birthday, license number, or social insurance number.
  • It must not be a combination of characters that someone watching could easily recognize.
  • It must not be a word in any language, including any name or proper name.
  • It must not be a word spelled backwards.
  • It must not be a word modified slightly with a single number inserted or with a zero used in place of the letter 'O'.