Home > Data Security > Passwords

Concordia Password Security Policy

This policy applies to all passwords for any Concordia University business related resources.

Password Creation

  • Users may not use the same password for Concordia University associated accounts as for other non-Concordia University access (for example personal email, banking, Netflix accounts and so on).
  • User accounts with administrative or sudo privileges must have unique passwords from all other accounts held by that user.

Password Standards

All passwords should meet or exceed the following guidelines:
  • Contain a minimum of 8 alphanumeric characters.
  • Contain both upper and lower case letters.
  • Contain at least one number (for example, 0-9).

It is highly suggested that your passwords meet the following guidelines:
  • Contain at least one special character (for example, !$%^&*()_+|~-=\`{}[]:";'<>?,/).
  • Contain multiple words, this is also referred to as a pass phrase.

Please review Concordia University’s Password Security Basics page to assist you in building and maintaining strong passwords.

Password Change

  • Passwords must be changed at least every 90 days.
  • Users will not use the last 8 previously used passwords.
  • Password cracking or guessing may be performed on a periodic or random basis by members of the ITS (Information Technology Services) department. If a password is guessed or cracked during one of these scans the user will be required to change their password in accordance with this policy.

Password Protection

You are solely responsible for the security of your university credentials.
  • You must never share any university credential (name/password) with other people.
  • Passwords must not be inserted into email messages or any other forms of electronic communication.
  • Under no circumstances are users to write down or store passwords in plain text. If you must store your passwords somewhere, use an encrypted password storage locker.
  • Do not use the “Remember Password” feature of applications (for example, web browsers)for any sites that may contain PII or financial information and on any public/shared machines.
  • You will not be asked by any Concordia University employees for your password; this applies to both verbal and electronic communications.
  • Any user suspecting that their password may have beencompromised must immediately report the incident to the Technology Service Center. All passwords must be changed upon discovery of possible compromise.

Policy Compliance

  • The ITS department will verify compliance to this policy through various methods, including but not limited to, internal and external audits, periodic walk-thrus, business tool reports and feedback to the policy owner.
  • Any exceptions to this policy must be approved by the Director of Information Technology Services.
  • Non-Compliance; in the event that this policy has been violated disciplinary action may be required.
    • All disciplinary action will be performed in accordance with the standards set forth in the handbook applicable to the offender (student, faculty or staff). ITS does reserve the right to cancel, revoke or disable network accounts or access to network resources without prior notification when there is suspicion of a violation of network policy/applicable laws, possible compromise of network resources or pending formal disciplinary procedure.



Effective 11/01/2009
Policy Reviewed by {Pending Administrative Approval}
Updated by J. Flowers (04/08/2015)