Skip to McMaster Navigation Skip to Site Navigation Skip to main content
McMaster logo

Office of the AVP & CTO



A common means of authenticating the identity of a user before authorizing access to a resource or service, passwords provide an essential layer of defense in securing McMaster University assets from unauthorized use or access. It’s the responsibility of the password creator to ensure its strength through adequate length and complexity.

Users must create and protect their passwords to prevent data breaches and losses. The following MacID password creation requirements and information will help maximize the security of your password and assets.

Expandable List

Passwords must be a minimum of eight (8) characters in length.

Passwords must include character(s) from at least three of these four-character sets:

  1. Uppercase letters A, B, C, …, Z
  2. Lowercase letters a, b, c, …, z
  3. Numerals 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
  4. Symbols ~ ! @ # $ % ^ & * ( ) _ + ` – = { } | ] [ \ : ” ; < > ? , . /

A strong password should exclude your name or any part of it, be distinctive and memorable for you, yet challenging for others to guess. Avoid dictionary words; opt for something personally significant and unique.

  1. Once every year
  2. Immediately after the user has been given access to a new account, or when the password has been reset by a third party
  3. When there is any indication of a possible compromise. In such instances, incidents can be reported to the UTS Service Desk

Finally, passwords should never be written down or stored in a format that is human-readable. If possible, credential owners must encrypt passwords if they need to store the information, and this should only be done for backup, disaster recovery, and business continuity purposes.

Visit the Account Management page to access and manage your MacID.

Beyond Password Security: Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA), also known as two-factor authentication (2FA) or two-step verification, is a way of adding an extra layer of protection to help prevent hackers from accessing your account in case it has become compromised (leaked, stolen, hacked into).

Once activated, MFA requires that users demonstrate at least two of the following in order to log in to online resources (does not apply to campus-hosted websites):

  1. “something you know” (like a password)
  2. “something you have” (like a phone)
  3. “something you are” (like a fingerprint)

McMaster University provides the ability to enable MFA for MacID users. Click here for more information

Keep in mind that opting-in for MFA still requires users to maintain and protect their MacID password, as this will become one of the required factors in the MFA option.