Skip to McMaster Navigation Skip to Site Navigation Skip to main content
McMaster logo

Office of the AVP & CTO



Passwords are a common means of authenticating the identity of a user before authorizing access to a resource or service. Passwords provide an essential layer of defense in securing McMaster University assets from unauthorized use or access.

The Security aspect of a password starts with the physical creation of that password. As such it is up to you, as the owner to ensure that the passwords you create are strong enough both in terms of length and complexity. Conventional wisdom says that a complex password is more secure. But, password length is a much more important factor because a longer password is harder to decrypt if stolen. At McMaster University, users are encouraged to exercise appropriate care when creating and securing their passwords as failing to do so may lead to unauthorized access to personally identifiable information, disclosure of intellectual property, unauthorized disclosure of University information, reputational damage and/or monetary loss. Here are a set of guidelines to properly create and maintain passwords for McMaster University identifiers (MacID):

Secure Password Requirements

Passwords must be a minimum of ten (10) characters in length. Passwords must include character(s) from at least three of these four character sets:
  1. Uppercase letters A, B, C, ..., Z
  2. Lowercase letters a, b, c, ..., z
  3. Numerals 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
  4. Symbols ~ ! @ # $ % ^ & * ( ) _ + ` - = { } | ] [ \ : " ; < > ? , . /
A good password must not contain your name or any recognizable parts of your full name and must be unique and easily memorable by you but hard to guess by someone else. Dictionary words should also be avoided and ideally, a word that is unique and meaningful only to you is the best way to go.

A Password should be reset or changed:

  1. at least once every 365 days;
  2. immediately after the user has been given access to a new account, or when the password has been reset by a third party;
  3. when there is any indication of a possible system or password compromise; in addition such incidents must be reported to the appropriate authority.
Finally, passwords should never be written down or stored in a format that is human-readable. If possible, credential owners must encrypt passwords if they need to store the information, and this should only be done for backup, disaster recovery, and business continuity purposes.

Information Box Group