
Office of the AVP & CTO

INFORMATION TECHNOLOGY SECURITY

Passwords

Passwords are a common means of authenticating the identity of a user before authorizing access to a resource or service. Passwords provide an essential layer of defense in securing McMaster University assets from unauthorized use or access.

The security of a password starts with its creation. As such, it is up to you, as the owner, to ensure that the passwords you create are strong enough in terms of both length and complexity.

Conventional wisdom says that a complex password is more secure. But password length is a much more important factor, because a longer password is much harder to crack if a stolen copy is attacked offline.

At McMaster University, users are encouraged to exercise appropriate care when creating and securing their passwords, as failing to do so may lead to unauthorized access to personally identifiable information, disclosure of intellectual property, unauthorized disclosure of University information, reputational damage, and/or monetary loss.

Here is a set of guidelines for properly creating and maintaining passwords for McMaster University identifiers (MacID):


Secure Password Requirements

Passwords must be a minimum of ten (10) characters in length.

Passwords must include character(s) from at least three of these four character sets:

  1. Uppercase letters A, B, C, …, Z
  2. Lowercase letters a, b, c, …, z
  3. Numerals 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
  4. Symbols ~ ! @ # $ % ^ & * ( ) _ + ` - = { } | ] [ \ : " ; < > ? , . /

A good password must not contain your name or any recognizable part of your full name, and must be unique, easy for you to remember, and hard for someone else to guess. Dictionary words should also be avoided; ideally, a word that is unique and meaningful only to you is the best choice.
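As an added illustration (not the University's own tooling), the following Python check applies the requirements above to a candidate password before it is accepted. The name-part and dictionary-word tests, and the minimum token length used for name parts, are assumptions about how "recognizable parts" of a name and "dictionary words" are interpreted; the sample word list is constructed.

```python
import string

MIN_LENGTH = 10      # "minimum of ten (10) characters"
MIN_CLASSES = 3      # "at least three of these four character sets"
# The symbol set listed in the policy (backslash escaped for Python).
SYMBOLS = set('~!@#$%^&*()_+`-={}|][\\:";<>?,./')
# Assumption: a "recognizable part" of a name is any whitespace-separated
# token of at least three characters, so initials do not trigger a rejection.
MIN_NAME_PART = 3


def character_classes(password):
    """Return the set of policy character classes present in the password."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in SYMBOLS:
            classes.add("symbol")
    return classes


def check_password(password, full_name="", dictionary=()):
    """Return a list of violation codes; an empty list means compliant.

    The password itself is never logged or echoed, only the reasons for rejection.
    """
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append("too_short")
    if len(character_classes(password)) < MIN_CLASSES:
        violations.append("too_few_classes")
    folded = password.casefold()   # substring checks are case-insensitive
    for part in full_name.split():
        if len(part) >= MIN_NAME_PART and part.casefold() in folded:
            violations.append("contains_name:" + part)
    for word in dictionary:
        if word.casefold() in folded:
            violations.append("dictionary_word:" + word)
    return violations


if __name__ == "__main__":
    # Constructed sample word list; a real deployment would load a full dictionary.
    words = ("password", "horse", "battery", "mcmaster")
    candidates = ("Tr0ub4dor&3", "password1", "JaneSmith2024!", "Correct-Horse-Battery")
    for i, candidate in enumerate(candidates, 1):   # print results, never the password
        print("candidate", i, "->", check_password(candidate, "Jane Smith", words) or "OK")
```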


A password should be reset or changed:

  1. at least once every 365 days;
  2. immediately after the user has been given access to a new account, or when the password has been reset by a third party;
  3. when there is any indication of a possible system or password compromise; in addition such incidents must be reported to the appropriate authority.

Finally, passwords should never be written down or stored in a format that is human-readable. If possible, credential owners must encrypt passwords if they need to store the information, and this should only be done for backup, disaster recovery, and business continuity purposes.

Beyond Password Security: Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA), also known as two-factor authentication (2FA) or two-step verification, is a way of adding an extra layer of protection to help prevent hackers from accessing your account in case it has become compromised (leaked, stolen, hacked into).

Once activated, MFA requires that users demonstrate at least two of the following in order to log in to online resources (does not apply to campus-hosted websites):

  1. “something you know” (like a password)
  2. “something you have” (like a phone)
  3. “something you are” (like a fingerprint)

McMaster University provides the ability to enable MFA for MacID users.

Keep in mind that opting in to MFA still requires users to maintain and protect their MacID password, as it becomes one of the required factors in the MFA option.
