
Passwords

Password Protection and Management

A password is the most basic mechanism of security necessary to protect computer systems and internet access to private information. Unfortunately, password safety is often overlooked by the majority of people, including those in the IT community. The problem stems from the fact that there is very little understanding of either how security works or how human beings behave, and this leads to very poor protection against serious and determined password attacks. This is particularly important if what is being protected by the password is highly sensitive. To be sure, the access to private information via a password must satisfy the principles of confidentiality and integrity. Password usage should follow McMaster’s Password Policy (see below).


For information about MacID password complexity requirements, please visit: http://www.mcmaster.ca/uts/macid/passwd.html.

Common password protection issues related to human behaviour...

  • Write passwords down on sticky notes.
  • Place passwords under the keyboard.
  • Place a sticky note containing a password on the monitor screen.
  • Share the password (or swipe card) with other people.
  • Choose an easily guessable password.
  • Use a password on a non-secure machine or machine that "remembers" passwords.

Common issues with security questions for password retrieval

  • Questions are non-memorable.
  • Questions are ambiguous.
  • Questions are easily guessable.

What if I have multiple passwords?

In the modern Internet environment, people often find that they need to juggle multiple passwords for their email accounts, the web sites they visit, and the different Internet-based services that they wish to use. While it is impractical to create a completely different password for every web site or account, using the same password in multiple locations is very dangerous. If the password is stolen from any one of the places where it is used, it can be used elsewhere as well.

Password Safe Practices...

As a general rule, a password must be complex (complexity defined as hard to guess by a stranger and relatively easy to memorize by the owner of the password). Passwords that do not meet the complexity condition can be easily cracked using a dictionary attack, brute force, or social engineering. Follow these practices and guidelines to ensure the complexity and strength of passwords.

Recommended password practices

  • Choose a password that will be hard to ‘crack’.
  • Do not keep passwords on ‘sticky notes’ or similar easy-to-find methods.
  • Do not write down your passwords and if you need to do so, destroy/shred the paper after you are done.
  • Never share your password (or swipe card). You might be held accountable for the misuse of it.
  • Do not use the same password for all your personal accounts.
  • Consider changing your password after using it via a non-secure network.
  • Change your passwords frequently.
  • Change your passwords after travelling abroad.
  • Never allow programs (such as web browsers) to store or ‘remember’ the passwords.
  • If your passwords protect critical work information consider storing them within the IT security protected area.
  • Use a password that can be typed quickly, without having to look at the keyboard. This makes it harder for someone to steal your password by looking at your keyboard (also known as "shoulder surfing").

Generating a Safe Password

Your password must be between 8 and 16 characters in length, contain characters from at least three of the categories below, and must not be based on a dictionary word or a simple pattern such as ABCdefG.  Your password must also not match any password you previously used.

  • Uppercase Letters: ABCDEFGHIJKLMNOPQRSTUVWXYZ
  • Lowercase Letters: abcdefghijklmnopqrstuvwxyz
  • Numerals: 0123456789
  • Symbols: !@#$%&*() -+= _|\ [] {} <> ,.:;

Features of a poor or weak password

  • Contains fewer than eight characters.
  • Is a word found in a dictionary (English or foreign).
  • Is a common usage word such as common names, names of movie or cartoon characters, etc.
  • Uses a birthday or other type of personal information.
  • Uses simple patterns like 1234, aaabbb, qwerty, zyxwvuts, 123321, etc.

Features of a strong password

  • Contains both upper and lower case characters (e.g., a-z, A-Z).
  • Has digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./).
  • Is at least eight alphanumeric characters long.
  • Is not a word in any language, slang, dialect, jargon, etc.
  • Is not based on personal information, names of family, common names of objects, movies etc.
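
The length, character-category, simple-pattern and dictionary rules from "Generating a Safe Password" and the weak-password features above, checked in code as an added example (not McMaster's or UTS's own code). The wordlist is a constructed stand-in for a real dictionary, treating three-character runs as "simple patterns" is an assumption, and the previously-used-password rule is not covered.

```python
import re

# Character categories as listed in the policy text.
CATEGORIES = {
    "uppercase": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "lowercase": "abcdefghijklmnopqrstuvwxyz",
    "numeral": "0123456789",
    "symbol": "!@#$%&*()-+=_|\\[]{}<>,.:;",
}
# Assumption: a "simple pattern" is a run of 3+ characters taken from the
# alphabet, the digits or a QWERTY keyboard row (either direction), or the
# same character three times in a row.
_ROWS = ["abcdefghijklmnopqrstuvwxyz", "0123456789",
         "qwertyuiop", "asdfghjkl", "zxcvbnm"]
SEQUENCES = _ROWS + [row[::-1] for row in _ROWS]
# Constructed stand-in for a real dictionary or breached-password list.
WORDLIST = {"password", "welcome", "dragon", "monkey", "mcmaster"}
# Common look-alike substitutions, undone before the dictionary lookup.
DELEET = str.maketrans("013457@$", "oieastas")

def has_simple_pattern(pw, run=3):
    low = pw.lower()
    if re.search(r"(.)\1\1", low):          # e.g. aaabbb
        return True
    grams = (low[i:i + run] for i in range(len(low) - run + 1))
    return any(g in seq for g in grams for seq in SEQUENCES)

def based_on_dictionary_word(pw):
    # Drop trailing digits/symbols ("Dragon2024!"), undo substitutions
    # ("P@ssw0rd"), keep letters only, then look the result up.
    core = re.sub(r"[^a-z]+$", "", pw.lower()).translate(DELEET)
    return re.sub(r"[^a-z]", "", core) in WORDLIST

def check_password(pw):
    """Return the list of policy rules the password breaks (empty = OK)."""
    problems = []
    if not 8 <= len(pw) <= 16:
        problems.append("length")
    used = [n for n, chars in CATEGORIES.items() if any(c in chars for c in pw)]
    if len(used) < 3:
        problems.append("categories")
    if has_simple_pattern(pw):
        problems.append("pattern")
    if based_on_dictionary_word(pw):
        problems.append("dictionary")
    return problems

if __name__ == "__main__":
    for candidate in ["NgD0wn@va", "ABCdefG", "P@ssw0rd!", "qwerty"]:
        print(candidate, check_password(candidate) or "ok")
```

A password that satisfies the category rule can still fail the dictionary rule once look-alike substitutions are undone, which is why the checks are reported separately.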

Handling Multiple Passwords for multiple types of access

  • When choosing a password, consider what it is protecting. Some services may not require as secure a password if they do not contain any private information. If the access is not for sensitive data you don't need a strong password (if in doubt use a secure password).
  • Consider your password as multiple parts: a central core of the password to drive the memorability of it and a prefix and/or suffix to specify the service that is being protected.
  • Ensure the memorability of the password by creating a word based on a song title, affirmation, or other phrase. For example, the phrase might be: "Never Go Down A Volcano Alone" and the password could be: "NgD0wn@va" or "NgDaVal0n3" or some other variation.
  • The passwords protecting your most sensitive information should always be different than other passwords and should always be strong.
