Password Guidelines

General use and misuse of computer systems is covered within the University's Computer Systems Regulations and Staff Code of Conduct. This document provides some basic standards and guidelines for good practice when using passwords at the University of Waikato.

Passwords are an important aspect of computer security. They are a front line of protection for computer access and the safeguarding of data. Failure to maintain password integrity may result in the compromise of the entire University network and the destruction of corporate data. As such, all users are responsible for taking the appropriate steps, as outlined below, to select, maintain and secure their passwords:

• All staff passwords have Duo 2 factor authentication now so there is no expiry, and student passwords never expire.

• Passwords can be 7-120 characters in length (longer passwords are better) and comprise a mixture of upper and lower case letters, numbers and symbols and should not be a simple English word. It is also inappropriate to use your name or username in any form, or any 'obvious' or easily obtainable personal information (i.e. date of birth, favorite sports team, pet's name, etc.). Suitable passwords would therefore include '[email protected]' or '$l33pFr0gLe4p' but not 'Crusaders' or 'Tiddles'. You can test the strength of your current password using this tool: How Secure is My Password

• Passwords should be kept secret at all times. Users must not, under any circumstances, disclose their password to others. Note - support persons should never ask you for your password - anyone asking for your password is in breach of the University regulations.

• In some circumstances, users may need access to another person's email for administrative reasons.  This access can be achieved by using a shared mailbox which is owned by a group of people, and not one person. Contrary to popular belief, it is not necessary for a user to log on to another person's account in order to access this information.

• Users must not write down their password.

• Users must never send email with their password included, as email is not considered secure and could potentially be read by unintended recipients.

• Should a changed password be forgotten, the user should visit the ITS Tech Desk in the Student Centre, M Block or call the Service Desk, where they will be required to either produce ID or answer a security questions in order to get their password changed to an interim one, which will in turn require changing once the user logs in.