Password best practices and guidelines

Updating your password? Consider using a passphrase.

What is it?

/ˈpasˌfrāz/ (noun): a password that contains:

• at least 4 unique words

• some numbers and punctuation

• at least 15 characters in length

Example: ‘Vision2020,whenthegeeseattack’

Passphrase tip

The example has one upper-case letter, four numbers, and two punctuation characters. It’s also memorable.

While the use of dictionary words in a password is discouraged, using words to form a passphrase of total length greater than 14 characters is acceptable.

Setting a strong password/passphrase

Before you change your password


Password complexity requirements

All passwords/passphrases must contain characters from at least four of the following five categories and be a minimum of eight characters in length:

  • English uppercase characters (A - Z)
  • English lowercase characters (a - z)
  • Non-alphanumeric (e.g. !, $, #, %)
  • Base 10 digits (0 - 9)
  • Unicode characters

Change your password


Be different

If your previous password/passphrase was compromised, adding a single digit or character to it will not be enough to prevent your account from being compromised again.
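The complexity rule under 'Password complexity requirements' and the 'Be different' advice above can both be checked when a password is changed. The following Python check is an added example, not code used by the University; the function names, the problem labels, and the choice to count every non-ASCII character toward the 'Unicode characters' category are assumptions.

```python
MIN_LENGTH = 8      # page: minimum of eight characters
MIN_CATEGORIES = 4  # page: at least four of the five categories


def categories(password: str) -> set:
    """Return which of the page's five character categories appear."""
    found = set()
    for ch in password:
        if "A" <= ch <= "Z":
            found.add("upper")
        elif "a" <= ch <= "z":
            found.add("lower")
        elif "0" <= ch <= "9":
            found.add("digit")
        elif ord(ch) >= 128:
            found.add("unicode")  # assumption: any non-ASCII character
        elif ch.isprintable():
            found.add("non_alphanumeric")  # ASCII punctuation, symbols, space
    return found


def one_edit_apart(old: str, new: str) -> bool:
    """True if new equals old or differs by one added, removed or changed character."""
    shorter, longer = sorted((len(old), len(new)))
    if longer - shorter > 1:
        return False
    i = 0  # length of the common prefix
    while i < shorter and old[i] == new[i]:
        i += 1
    j = 0  # length of the common suffix that does not overlap the prefix
    while j < shorter - i and old[-1 - j] == new[-1 - j]:
        j += 1
    return longer - i - j <= 1


def check(new: str, previous=None) -> list:
    """Return the policy problems found; an empty list means the password passes."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too_short")
    if len(categories(new)) < MIN_CATEGORIES:
        problems.append("too_few_categories")
    # previous is the value typed into the change form; compare in memory only.
    if previous is not None and one_edit_apart(previous, new):
        problems.append("too_similar_to_previous")
    return problems
```

Calling `check("Vision2020,whenthegeeseattack")` on the page's own example returns an empty list; passing the old password as the second argument adds the similarity test.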

Avoid reusing

When you reuse passwords on various sites, a security breach at one site means your information is at risk on other sites where you used that same password.


To reset your password/passphrase, log in to and select the ‘Change Password’ option from the home page.

After you've changed your password


Update your credentials on mobile

To prevent getting locked out of your accounts, be sure to update your devices with your new password as soon as possible after making the change.

Two-factor authentication (2FA)

Two-factor authentication adds an extra layer of security to your University accounts. Verifying your identity using a second factor, like your mobile phone or tablet, prevents others from accessing your accounts, even if they know your password.

For more information about 2FA, please visit

2FA tip

When prompted to authenticate, click ‘Cancel’ and select ‘Remember me for 30 days’.


Did you know?

You can self-register for free information security courses on LEARN. Click the ‘Self Registration’ tab in the top menu bar to enroll in:

  • Information Security Awareness Training
  • Information Security Awareness for Finance and Commerce
  • Optional topics in Information Security Awareness

Questions about cyber security?

If you have any questions about the security of your University of Waterloo account, please call ext. 41125 or email

Questions about other IT concerns?

Please contact the IST Service Desk by calling ext. 44357 or email

Get informed, stay safe

For more cyber security information, please visit: