This policy applies to all passwords for any Concordia University business-related resources.
Password Creation
- Users may not use the same password for Concordia University associated accounts as for other non-Concordia University access (for example personal email, banking, Netflix accounts and so on).
- User accounts with administrative or sudo privileges must have unique passwords from all other accounts held by that user.
Password Standards
All passwords will meet or exceed the following guidelines:
- Contain a minimum of 10 alphanumeric characters.
- Contain both upper and lower case letters.
- Contain at least one number (for example, 0-9).
- Contain at least one special character (allowed characters include: ~!@$%^&*_-+=`|\(){}[]:;"'<>,.?/).
Passwords must also satisfy the following restrictions:
- May not contain your first or last name.
- May not contain your username.
It is highly suggested that your passwords meet the following guidelines:
- Contain multiple words (also referred to as a passphrase).
Please review Concordia University’s Password Creation and Management Basics to assist you in building and maintaining strong passwords.
Password Change
- Passwords must be changed at a minimum of every 90 days.
- Users will not use the last 24 previously used passwords.
- Password cracking or guessing may be performed on a periodic or random basis by members of the ITS (Information Technology Services) department. If a password is guessed or cracked during one of these scans the user will be required to change their password in accordance with this policy.
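The Password Standards and Password Change rules above are concrete enough to check mechanically. The following is an added example of such a check, not code from Concordia University or ITS. It assumes the policy's "10 alphanumeric characters" means an overall length of at least 10, that the name and username checks are case-insensitive substring matches, and that password history is kept as salted PBKDF2 hashes with a change timestamp (a storage format chosen here for illustration; the policy does not prescribe one).

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

# Allowed special characters, copied from the policy's Password Standards list.
ALLOWED_SPECIALS = set("~!@$%^&*_-+=`|\\(){}[]:;\"'<>,.?/")
MIN_LENGTH = 10        # "minimum of 10 ... characters" (assumed: total length)
HISTORY_DEPTH = 24     # "will not use the last 24 previously used passwords"
MAX_AGE_DAYS = 90      # "changed at a minimum of every 90 days"
PBKDF2_ITERATIONS = 100_000  # hashing cost chosen for this example


def check_password_standards(password, first_name, last_name, username):
    """Return a list of violated rules; an empty list means the password complies."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in ALLOWED_SPECIALS for c in password):
        problems.append("no allowed special character")
    # Name and username checks are done case-insensitively (assumption).
    lowered = password.lower()
    for label, value in (("first name", first_name),
                         ("last name", last_name),
                         ("username", username)):
        if value and value.lower() in lowered:
            problems.append(f"contains {label}")
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 digest used for the history store (example format)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return salt, digest


def reused_in_history(password, history):
    """history: list of (salt, digest, changed_at) tuples, newest first.

    Only the most recent HISTORY_DEPTH entries are compared, matching the
    policy's 24-password window. Plaintext old passwords are never stored.
    """
    for salt, digest, _changed_at in history[:HISTORY_DEPTH]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def change_overdue(last_changed, now=None):
    """True when the password is older than MAX_AGE_DAYS."""
    now = now if now is not None else datetime.now()
    return now - last_changed > timedelta(days=MAX_AGE_DAYS)


def evaluate_change(new_password, first_name, last_name, username, history):
    """Combine the standards check and the history check for a password change."""
    problems = check_password_standards(new_password, first_name, last_name, username)
    if reused_in_history(new_password, history):
        problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    return problems


if __name__ == "__main__":
    # Constructed sample: one previous password in the user's history.
    old_salt, old_digest = hash_password("Old-Secret99")
    sample_history = [(old_salt, old_digest, datetime(2019, 1, 1))]
    print(evaluate_change("Old-Secret99", "Jane", "Doe", "jdoe", sample_history))
    print(evaluate_change("janedoe1", "Jane", "Doe", "jdoe", sample_history))
    print(evaluate_change("Correct-Horse7", "Jane", "Doe", "jdoe", sample_history))
    print(change_overdue(datetime(2019, 1, 1), now=datetime(2019, 4, 29)))
```

`evaluate_change` returns every violated rule rather than stopping at the first, so a user can fix a rejected password in one attempt; `change_overdue` is the piece an account-review job would run against the stored change timestamp.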
Password Protection
You are solely responsible for the security of your university credentials.
- You must never share any university credential (name/password) with other people.
- Passwords must not be inserted into email messages or any other forms of electronic communication.
- Under no circumstances are users to write down or store passwords in plain text. If you must store your passwords somewhere, use an encrypted password storage locker.
- Do not use the “Remember Password” feature of applications (for example, web browsers) for any sites that may contain PII or financial information, or on any public/shared machines.
- You will not be asked by any Concordia University employees for your password; this applies to both verbal and electronic communications.
- Any user suspecting that their password may have been compromised must immediately report the incident to the Technology Service Center. All passwords must be changed upon discovery of possible compromise.
Policy Compliance
- The ITS department will verify compliance with this policy through various methods, including but not limited to internal and external audits, periodic walk-throughs, business tool reports and feedback to the policy owner.
- Any exceptions to this policy must be approved by the Chief Security Officer.
- Non-compliance: if this policy is violated, disciplinary action may be required.
- All disciplinary action will be performed in accordance with the standards set forth in the handbook applicable to the offender (student, faculty or staff). ITS reserves the right to cancel, revoke or disable network accounts or access to network resources without prior notification when there is suspicion of a violation of network policy or applicable laws, possible compromise of network resources, or a pending formal disciplinary procedure.
Multifactor Authentication
- Some secured Concordia University resources require Multi-Factor Authentication.
- All employees are required to have MFA enabled on applicable accounts.
- All students for whom MFA has been enabled are required to use MFA where applicable.
- There are presently no exemptions to MFA for users for whom it has been enabled.
Effective 11/01/2009
Policy Reviewed by B.Metzler 4/29/2019