Concordia Password Security Policy – Department of Information and Technology Services

This policy applies to all passwords for any Concordia University business-related resources.

Password Creation

Users may not use the same password for Concordia University associated accounts as for other non-Concordia University access (for example personal email, banking, Netflix accounts and so on).
User accounts with administrative or sudo privileges must have unique passwords from all other accounts held by that user.

All passwords will meet or exceed the following guidelines:

Contain a minimum of 10 alphanumeric characters.
Contain both upper and lower case letters.
Contain at least one number (for example, 0-9).
Contain at least one special character (Allowed character include: ~!@$%^&*_-+=`|\(){}[]:;"'<>,.?/)

All passwords will NOT contain the following criteria:

It is highly suggested that your passwords meet the following guidelines:

Please review Concordia University’s Password Creation and Management Basics to assist you in building and maintaining strong passwords.

Passwords must be changed at a minimum of every 90 days.
Users will not use the last 24 previously used passwords.
Password cracking or guessing may be performed on a periodic or random basis by members of the ITS (Information Technology Services) department. If a password is guessed or cracked during one of these scans the user will be required to change their password in accordance with this policy.

You are solely responsible for the security of your university credentials.

You must never share any university credential (name/password) with other people.
Passwords must not be inserted into email messages or any other forms of electronic communication.
Under no circumstances are users to write down or store passwords in plain text. If you must store your passwords somewhere, use an encrypted password storage locker.
Do not use the “Remember Password” feature of applications (for example, web browsers)for any sites that may contain PII or financial information and on any public/shared machines.
You will not be asked by any Concordia University employees for your password; this applies to both verbal and electronic communications.
Any user suspecting that their password may have been compromised must immediately report the incident to the Technology Service Center. All passwords must be changed upon discovery of possible compromise.

The ITS department will verify compliance with this policy through various methods, including but not limited to, internal and external audits, periodic walk-thrus, business tool reports and feedback to the policy owner.
Any exceptions to this policy must be approved by the Director of Information Technology Services.
Non-Compliance; in the event that this policy has been violated disciplinary action may be required.
- All disciplinary action will be performed in accordance with the standards set forth in the handbook applicable to the offender (student, faculty or staff). ITS does reserve the right to cancel, revoke or disable network accounts or access to network resources without prior notification when there is suspicion of a violation of network policy/applicable laws, possible compromise of network resources or pending a formal disciplinary procedure.

Effective 11/01/2009

Policy Reviewed by {Pending Administrative Approval}

Updated by J. Flowers (02/22/2019)