Establishing a Password/Passphrase Guidelines

Passwords, also called passphrases, prevent other people from reading your email, accessing your network files, changing your Web pages, or sending messages from your account. These guidelines will assist you in creating a more secure password that is less susceptible to being broken.

WMU passwords/passphrases

  • Must be a minimum of fourteen (14), maximum of thirty-two (32) characters.
  • Will expire two years after each change. (Alumni, Retiree, and Affiliate passwords will expire one year after each change.)
  • May only be changed once per day.
  • Are case-sensitive (e.g. TmB1w2R! is different than tmb1w2r!).
  • May not contain any part of your name or username.
  • May not use single words found in the dictionary.
  • May not contain spaces.
  • Must contain two (2) or more of the following:
    • At least one upper-case alphabetic character.
    • At least one lower-case alphabetic character.
    • At least one numeric digit (e.g. 1, 2, 3…)
    • At least one punctuation or symbol character (e.g. ^, $, #)
    • Do not use ‘ “ or blank spaces as they may not work with all University systems.

Selecting a password/passphrase you can remember

Long, cryptic passwords or passphrases are the most secure but can be difficult to remember. One method of selecting a good password is to start with a short sentence, for example, a holiday greeting: Merry Christmas and Happy New Year

By using the first letter of each word it becomes MCaHnY. It has a mixture of upper and lower case letters and some characters are typed with the left hand and some with the right. It is only six characters long so it needs to have at least eight more characters, either numeric digits or punctuation. 

A random phrase from a book, movie, song, or poem is another idea from which you can create a long password/passphrase, such as: "TwoRoadsDiverged", "RoundUpTheUsualSuspects", "StartToMakeItBetter", or "AlasPoorYorick". Adding numbers, or intentionally misspelling words in the phrase will make it difficult for others to detect your password as you type.

Passwords/passphrases should not be

  • Names of family, pets, friends, co-workers, fantasy characters, etc.
  • A single word in any language, slang, dialect, jargon, etc.
  • Computer terms and names, commands, sites, companies, hardware, software, etc.
  • Personal information such as birthdays, addresses, phone numbers, etc.
  • Words or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
  • Any of the above spelled backwards.
  • Any of the above preceded or followed by a digit (e.g. secret1, 1secret).

Password/passphrase don’ts

  • Don't reveal passwords over the phone to anyone.
  • Don't reveal passwords in an email message.
  • Don't talk about passwords in front of others.
  • Don't reveal passwords on questionnaires or security forms.
  • Don't share passwords with anyone, including family members.
  • Don't reveal passwords to co-workers while on vacation or leave.
  • Don’t use the "remember password" feature of applications.
  • Don’t write passwords down and store them anywhere in your office.
  • Don’t store passwords in a file on any computer system including smart phones, PDAs, or similar devices, unless that file is encrypted.
  • Don’t use the same password for WMU accounts as for other non-WMU access.
  • Avoid using your browser to store passwords, as a compromised browser or stolen device could potentially lead to password theft.
  • If someone asks for your password, refer them to this document or have them call someone in the Office of Information Technology or your college/department network administrator.

Password/Passphrase Dos

  • Consider using a secure password manager, such as LastPass, 1Password, or NordPass to store passwords.
  • Consider using the auto-generation features of your password manager to automatically generate complex passwords that cannot be easily guessed.


Usernames and passwords/passphrases assigned to individuals to access information are critical in the protection of both your privacy and the University’s IT resources. Usernames and passwords are for the use of the individual for whom they were granted, and should be known only to that individual.

These guidelines have been enacted to better secure the information assets of WMU. It is an increased burden but it also will make an exponential difference in password security on campus. Even if you do not access or maintain confidential data, your system access can be used by a hacker to gain access to confidential data. Everyone plays a vital role in the University’s information security and we must all do our part.


These guidelines may be amended at any time by the Chief Information Officer of Western Michigan University consistent with current collective bargaining agreements, University policies, and applicable law. Changes will be reviewed by appropriate University entities prior to posting on the information technology public website. 

Document action

Revised: Nov. 2021