Friday, November 22, 2024
What is happening? Password complexity requirements (e.g., including a digit, uppercase character, special character) are being removed in favour of longer passphrases. Password standards will be updated as follows:
- Minimum length: 15 characters
- Maximum length: 64 characters
- Other: does not contain the individual’s name or other University of Waterloo identifier
When is this happening? Wednesday, November 27, 2024.
What is the impact?
- All users: Currently, no action is required, and individuals are not being forced to update their passwords. However, members of the University community who must change or opt to change their WatIAM password on or after November 27, will need to satisfy the new passphrase requirements as outlined above.
- Privileged accounts: Current password complexity rules for privileged accounts in NEXUS (e.g., ! and ~ accounts) will remain in force with the minimum length adjusted to 15 characters
Why is this happening? To ensure University cybersecurity standards align with best practices. References supporting this change are available for review:
- Cross-Sector Cyber Security Readiness Goals (Canadian Centre for Cyber Security)
- Best practices for passphrases and passwords (Canadian Centre for Cyber Security)
- NIST SP 800-63B
Questions or concerns? Please submit to the IST Service Desk via the Jira Help Portal.