Resources Passwords

• Is at least 8 characters in length. Longer passwords are more secure. You should not aim for the minimum required strength.
• Is different from previously used passwords.
• Contains a combination of characters from each category:

• Often, even short but complex passwords are hard to remember.
• Consider a longer password consisting of a string of words separated by punctuation, which can actually be more secure and easier to remember than a shorter but more obscure password.
• If your passphrase is made up of all dictionary words, adding a variety of character classes is highly recommended to obscure the word.

• Do not use a password containing a word found in a dictionary.
• Do not use any part of your first, middle, or last name to form a password. Do not use maiden names, initials, or nicknames. 
• Do not use information that can be obtained about you. This may include pet names, names of friends or relatives, phone numbers, name of the street you reside on, etc.
• Do not use your user name in any form as part of your password.
• Do not use keyboard sequences such as qwerty or logical sequences such as abc123.
• Do not use a password entirely consisting of numbers or letters. It is preferential to mix letters, numbers, and special characters.
• Do not share accounts with co-workers, friends, or family.
• Do not reveal a password with anyone including University of Regina IS Service Desk.
• Do not use default passwords. Always change your password after logging into a system for the first time.
• Do not write passwords down. This includes in an email, sticky notes, or anywhere online. 
• Do not use dates in any format for passwords. 
• Do not use the same password for different applications, websites, or services.
• See detailed information in the governing standards in the Password Management Standard and Authentication Management Standard, which provide the requirements depending on your account category.

• This additional layer of protection means that you require more than just your password to access your account.
• In addition to your password, examples of a second authentication factor include a one-time use code sent via text to a mobile phone, a hardware token, or a biometric requirement such as a fingerprint.

Two-factor authentication requires both "something you know" (like a password) and "something you have" (like your phone, or finger print). Most online services have options to enable two-factor authentication:

• Microsoft Services
• Google Services
• Apple Services
• Facebook Services

For a more inclusive list of services offering two-factor authentication, visit twofactorauth.org.

• For every service you use that supports it, you should enable two-factor authentication. In combination with unique, strong passwords, it is one of the best ways to keep your data safe.

• To generate unique, strong passwords, consider using a strong password generator.
• A password generator will permit you to specify the length and number of character classes to include in your password.
• KeePass Password Safe, a free password manager, inlcudes password generation functionality. This tool will allow you to construct a password of suffiicent strength to meet the minimum password standards.

• To help manage multiple passwords securely, passwords can also be stored securely in free and low-cost "password vault-type" encryption tools.
• Password managers are recommended as they help users to use unique passwords for every application, they allow use of very complex passwords, and they help avoid forgetting passwords or writing them down.
• Password managers usually store passwords in an encrypted database, which requires the user to create a very strong master password to access the password database.
• The recommended password manager is KeePass Password Safe.

• KeePass Password Safe is the industry standard recommendation for all users.
• While many competitors exist like LastPass or 1Password, these are all cloud-based, closed source password managers which cost a yearly subscription to access.
• KeePass is a free, open-source and most importantly, offline.
• The codebase for KeePass has been peer reviewed and tested by Cyber Security worldwide and is considered the best password for anyone who needs to keep their secrets safe.

There are many KeePass client derivatives based off of the original open-source code for all flavours of operating systems.

Desktop Operating Systems

Note: If you do not have administrative rights on your system, please choose the 'Portable' version to download.

• Windows KeePass 2
• Mac/Linux KeePassXC

Mobile Operating Systems

Note: see the sync guide to quickly transfer your desktop passwords to your mobile device

• Android KeePassDroid in Google Play store.
• iOS KeePass Touch in iTunes Store.

• You can extend your KeePass client to make using the password manager easier.
• You can use these plugins for seamless integration with web browsers, import/export of passwords, and automatically backup your vault.
• KeePass Plugins

• Read KeePass Password Safe instructions (PDF) on how to create a database, create password entries, retrieve passwords, and configure the application securely.
• The KeePass Sync Guide (PDF) reviews how to get your passwords onto your mobile device easily.
• Additionally, you can learn more about the app at the Keepass Help Center, or viewing video tutorials.

• University of Regina uses passwords as the primary authentication method for users to access IT systems in the conduct of University activities. The goal is to reduce the probability of compromised accounts being used to access University IT systems.
• The policy and associated standards are designed to ensure passwords are managed appropriately, both from the end user and system administrator roles, in order to minimize risk to University information assets.
• Information security is a shared responsibility; strong passwords are a critical part of this responsibility.  
• External research, such as Verizon's Data Breach Report, have shown that more than 80% of hacking-related breaches used either stolen and/or weak passwords. 

• Passwords must be changed at least once per year, or more often if necessary. Generally speaking, passwords must be a minimum of 8 characters for students, 10 characters for faculty and staff and 16 characters for system administrators.
• All passwords must be of a sufficient complexity, which includes special characters, alphanumeric characters, or upper case characters.
• It is not permissible to share or give your password to another person, including anyone claiming to be an University of Regina Information Services staff member. University of Regina Information Services will never ask for your password.
• There is now a written requirement prohibiting use of your University of Regina password on non-University services, sites, or accounts.
• Applications and systems need to be configured to enforce the password policies, wherever possible.

• Protecting the password associated with your individually assigned university account(s).
• Reporting any suspected incidents of password compromise on an account assigned to you. Anyone who reasonably believes their password is known by anyone else must change it immediately.
• Any activity occurring due to non-compliance with this Policy and the associated standards.

• The policy and related standard requires that passwords are changed annually.
• Going forward, account holders at the University of Regina will need to change their passwords every 365 days. The uregina.ca accounts owners will be notified via automated emails prior to the expiry of their passwords. The notification is sent at 60, 30, 21, 14, 7 and 1 day(s) before expiry to your @uregina.ca email address.
• Having everyone in an organization complete a password change on a regular basis is considered a baseline security practice which ensures a potentially compromised password has a shorter usable lifespan. In addition, it helps discourage password sharing.

• No. If your uregina.ca account password is currently greater than a year, you will granted a 30 to 60 day grace period to change your password.
• Notifications of the required change will be sent to your uregina.ca email address.
• However, all future yearly password change windows will not have a grace period which extends password validity beyond 365 days.

• To log into your uregina.ca account after it has expired, please contact the IS Service Desk.

• Lower case characters
• Upper case characters
• Digits
• Special characters such as punctuation, symbols, and other characters found on an English language QWERTY keyboard

• These rules are designed to protect your account, as it makes password guessing much more difficult.

• Yes. Passwords must be unique in two ways.
• First, the new standards require users to use passwords for University of Regina accounts which haven’t been used for non-University of Regina accounts.
  • This means that your U of R password shouldn’t be the same as your personal LinkedIn, Dropbox, or Facebook (or any other external site or service) password, or vice versa.
• If an external site or service, such as LinkedIn or Dropbox becomes breached, your account passwords could be released publically.
  • When this happens and your password has been reused on your U of R account, your University account is at risk of unauthorized access. Having unique passwords negates this risk.
• Secondly, passwords previously used for your University of Regina accounts should not be reused frequently, or periodic password changes become less effective.
  • This is referred to as password uniqueness history.
  • Applications should prevent users from using the same 10 previous passwords or any passwords used in the previous 3 years.

• Student, alumni, and retiree accounts do not usually have access to sensitive data beyond the account holder’s own data. These accounts can be secured with an 8 character password.
• If your account permits access to sensitive data about others, as an employee account often would, 10 characters is the minimum password length.
• Lastly, an account with access to restricted data, a privileged account (system administrator), or service accounts should be secured with a 16 character password.
• As access to data sensitivity increases, so does the password length requirements.

• The University of Regina recommends the use of KeePass Password Safe to securely store and organize your account credentials.
• Please see the Password Manager Resources for details on how to adopt KeePass Password Safe into your daily activities.
• When using a password manager, be sure to use a primary password which is as strong (or stronger) as any of the credentials stored within the tool.
• Another mechanism to assist with remembering passwords is the use of passphrases.
• Passphrases are longer passwords which consisting of a string of words separated by punctuation, which can actually be more secure and easier to remember than a shorter but more obscure password.

• Systems and applications are required to ensure that authentication mechanisms to your system are configured and tested to align with the Authentication Management Standard.
• This, at a high level, requires that applications/systems are configured to enforce password complexity, change frequency, expiry amongst other requirements.
• If your system can not be configured to meet these standards, please follow the exception process.

• The policy was approved in January 2018, with implementation commencing in March 2018.

• As always, your uregina.ca password can be changed at https://novapp.cc.uregina.ca/perl/chpass.pl.
• Further guidance on password changes can be found at Change uregina.ca Password. 

• Banner Self Service PINs are currently exempted from the password policies and standards.
• Banner PINs do not have the ability to meet the complexity standards.
• All other applications and systems on campus not utilizing Banner PINs are in scope, however.

• The Password Management Standard  is targeted to all end users of the University of Regina.
  • This standard requires users to construct passwords with the strength appropriate for the data to which the password protects.
• The Authentication Management Standard is designed to guide system administrators, application owners, and purchasers of computer applications.
  • This document provides the requirements on secure password transmission, configuration to meet enforce minimum password complexity, and using centralized authentication mechanisms.