Guidance on minimum password strength and usage for TRU systems.
Adopted by the Information Security Committee - September 27, 2016
Updated - August 15th, 2023
Use a minimum of twelve characters and a combination of all of the following:
- CAPITAL LETTERS
- lower case letters
- Numbers: 0123456789
- Special characters: !#$%^&*()_+={}|":?/;'\][><,
Note: Oracle passwords are restricted to letters and numbers and must begin with a letter, e.g. Gr3enEGgSaNdHam1 or IamS0OverU. Because Banner passwords are Oracle passwords, they are also restricted to letters and numbers and must begin with a letter.
Examples for other systems: Gr3enEGg$@NdH@m! or I@mS0/you.
Change your password(s) every 120 days.
Don't use:
- proper names
- dictionary words — in any language
- international characters
Never share passwords or use the same password for all systems you access.
Payment Card Industry Data Security Standard (PCI-DSS) version 3.2 requirements
In addition to the complexity standards above, passwords in the PCI Card Data Environment:
- must be changed every 90 days,
- must be different from the last four passwords used,
- must be set to a unique value for new users and changed on first use.
Be even more secure
Consider using a "pass phrase" instead of a password.
When creating your "shared secrets" for websites, remember not to use easy-to-guess questions like "What colour is my car?" Only you should know the answers to these questions.