Establishing a Password Guidelines

Passwords prevent other people from reading your email, accessing your network files, changing your Web pages, or sending messages from your account. These guidelines will assist you in creating a more secure password that is less susceptible to being broken.

WMU passwords

  • Must be a minimum of eight (8), maximum of 24 characters. (Faculty and staff passwords expire every six months).
  • Will expire 365* days after each change.
  • May only be changed once per day.
  • Are case-sensitive (e.g. TmB1w2R! is different than tmb1w2r!).
  • May not contain any part of your name or username.
  • May not use single words found in the dictionary.
  • May not contain spaces.
  • Must contain three (3) or more of the following:
    • At least one upper-case alphabetic character.
    • At least one lower-case alphabetic character.
    • At least one numeric digit (e.g. 1, 2, 3…)
    • At least one punctuation or symbol character (e.g. ^, $, #)
    • Do not use ‘ “ or blank spaces as they may not work with all University systems.

* Faculty and staff passwords will expire six months after they have been changed.

Selecting a password you can remember

Long, cryptic passwords are the most secure but can be difficult to remember. One method of selecting a good password is to start with a short sentence, for example, a holiday greeting: Merry Christmas and Happy New Year

By using the first letter of each word it becomes MCaHnY. It has a mixture of upper and lower case letters and some characters are typed with the left hand and some with the right. It is only six characters long so it needs to have at least two more characters, either numeric digits or punctuation. Here are three possibilities:

  • 1MCaHNY!
  • Mcahny!!
  • MCaHnY2y

Passwords should not be

  • Names of family, pets, friends, co-workers, fantasy characters, etc.
  • A word in any language, slang, dialect, jargon, etc.
  • Computer terms and names, commands, sites, companies, hardware, software, etc.
  • Personal information such as birthdays, addresses, phone numbers, etc.
  • Words or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
  • Any of the above spelled backwards.
  • Any of the above preceded or followed by a digit (e.g. secret1, 1secret).

Password don’ts

  • Don't reveal passwords over the phone to anyone.
  • Don't reveal passwords in an email message.
  • Don't talk about passwords in front of others.
  • Don't reveal passwords on questionnaires or security forms.
  • Don't share passwords with anyone, including family members.
  • Don't reveal passwords to co-workers while on vacation or leave.
  • Don’t use the "remember password" feature of applications.
  • Don’t write passwords down and store them anywhere in your office.
  • Don’t store passwords in a file on any computer system including smart phones, PDAs, or similar devices, unless that file is encrypted.
  • Don’t use the same password for WMU accounts as for other non-WMU access.
  • If someone asks for your password, refer them to this document or have them call someone in the Office of Information Technology or your college/department network administrator.


Usernames and passwords assigned to individuals to access information are critical in the protection of both your privacy and the University’s IT resources. Usernames and passwords are for the use of the individual for whom they were granted, and should be known only to that individual.

These guidelines have been enacted to better secure the information assets of WMU. It is an increased burden but it also will make an exponential difference in password security on campus. Even if you do not access or maintain confidential data, your system access can be used by a hacker to gain access to confidential data. Everyone plays a vital role in the University’s information security and we must all do our part.


These guidelines may be amended at any time by the Chief Information Officer of Western Michigan University consistent with current collective bargaining agreements, University policies, and applicable law. Changes will be reviewed by appropriate University entities prior to posting on the information technology public website. 

Document action

Direction/purpose: Chief Information Officer, per external audit group, Oct. 2010
Reviewed: Campus Information Security Committee, Nov. 2010
Reviewed and edited: Campus Information Security Committee, Dec. 2010
Reviewed: LAN managers group, Jan. 2011
Reviewed and edited: Campus Information Security Committee, Jan. 2011
Approved: Campus Information Security Committee, March 2011