Password Standards

Guidance on minimum password strength and usage for TRU systems.
Adopted by the Information Security Committee - September 27, 2016
Updated - August 15th, 2023


Use a minimum of twelve characters and a combination of all of the following:

  • lower case letters
  • Numbers: 0123456789
  • Special characters: !#$%^&*()_+={}|":?/;'\][><,

Note: Oracle passwords are restricted to letters and numbers and must begin with a letter, e.g. Gr3enEGgSaNdHam1 or IamS0OverU. Because Banner passwords are Oracle passwords, they are also restricted to letters and numbers and must begin with a letter.

Examples for other systems: Gr3enEGg$@NdH@m! or I@mS0/you.

Change your password(s) every 120 days.

Don't use:

  • proper names
  • dictionary words — in any language
  • international characters

Never share passwords or use the same password for all systems you access.

Payment Card Industry Data Security Standard (PCI-DSS) version 3.2 requirements

In addition to the complexity standards above, passwords in the PCI Card Data Environment:

  • must be changed every 90 days,
  • must be different from the last four passwords used,
  • must be set to a unique value for new users and changed on first use.

Be even more secure

Consider using a "pass phrase" instead of a password.

When creating your "shared secrets" for websites, remember not to use easy-to-guess questions like "What colour is my car?" Only you should know the answer to these questions.


Article ID: 1249
Tue 5/18/21 8:45 AM
Wed 8/16/23 3:00 PM
