Guidance on minimum password strength and usage for TRU systems.
Adopted by the Information Security Committee - September 27, 2016
Updated - August 15th, 2023
General Password Standards
Use a minimum of twelve characters and a combination of all of the following:
- CAPITAL LETTERS
- lower case letters
- Numbers: 0123456789
- Special characters: !#$%^&*()_+={}|":?/;'\][><,
TRU no longer requires user account passwords to be changed periodically, and will only require a password to be changed if it is compromised.
Don't use:
- proper names
- dictionary words — in any language
- international characters
Never share passwords or use the same password for all systems you access.
Payment Card Industry Data Security Standard (PCI-DSS) version 3.2 requirements
In addition to the complexity standards above, passwords in the PCI Card Data Environment:
- must be changed every 90 days,
- must be different from the last four passwords used,
- must be set to a unique value for new users and changed on first use.
Be even more secure
Consider using a "pass phrase" instead of a password.
When creating your "shared secrets" for websites, remember not to use easy-to-guess questions like "What colour is my car?" Only you should know the answer to these questions.