Password Security

UBC IT will never ask for your password - keep your password confidential and do not give it out. As a recommended practice, change your CWL password regularly at

To ensure further security of your CWL password, look for these visual cues when asked to type in your password.

Best Practices

Passwords are intended to ensure that only authorized individuals are permitted access to your computer system and your data.

They secure computers against potential assaults from the cybercriminals who break into systems and steal identities to commit crimes.

Passwords should be:

  • Kept confidential.
  • Never shared with anyone, or used in plain sight of others.
  • Committed to memory and never be written down. (See Password Management)
  • Changed frequently (at least every 3-6 months).
  • Never used for more than one system.
  • Unique for each system you log into.

Additional advice:

  • Always change the initial password assigned to you by any system.
  • If you suspect someone else knows your password, change it immediately.
  • Put password protection on files containing sensitive data or information downloaded from a University database.
  • Passwords used as a key to encrypt personally identifiable information (PII) must be a minimum of 8 characters in length and include upper case, lower case, numbers and symbols.

Creating Strong Passwords

Weak Codes: Welcome, Hackers

Weak passwords make it easy for someone to gain access to your computer and to the information resources which you have access to. Weak passwords are:

  • A blank instead of a password
  • A common name, such as your name or the name of a family member or pet
  • Words from the dictionary -- whether spelled forward, reversed, pluralized or with any or all of its letters capitalized
  • Pop culture words (e.g. Eminem or hacker) or commonly used references (e.g. John316 or 23Psalm)
  • Trivial word (e.g. sex, password, secret, computer)
  • Geographic place (e.g. Vancouver or Wreck Beach)
  • Common abbreviations (e.g. QWERTY or RSVP)
  • Your User ID or any part thereof -- in any sequence
  • Your address or relative's address
  • All numerals (e.g. birth dates, anniversaries, phone numbers, license plate numbers, Social Insurance number)
  • Words proceeded or followed by a number, punctuation mark, directional arrow or space
  • Words or phrases with all or some of the vowels or white spaces deleted
  • Repeating characters or number patterns (e.g.aaa12345 or 9876bbb)
  • Old passwords with one or two characters changed

Strong Codes: Good Locks

For your passwords to function as strong locks, the codes you devise need to be difficult for hackers to figure out.

Secure passwords should be a minimum of 8 characters in length and contain upper case, lower case, numbers and symbols. Avoid the obvious and the predictable. Start with something only you would know and will remember. Use the following techniques to make secure passwords:

  • Use the first letters of words in an easily memorized sentence or phrase
    • e.g., ahahmkfah ( A horse, a horse, my kingdom for a horse)
  • Use random combinations of alphabetic characters, numbers and special characters (e.g. #, $,*) with at least one numeric or special character separating at least two alphabetic characters
    • e.g., $ljb1#sa
  • Mix upper case and lower case letters
    • e.g., M9%otD&
  • Use misspelled words as your base
    • e.g., DemoKrasee
  • Use numbers that look like the letters for which they substitute
    • e.g., Su65titute (where "6" replaces the alphabetic "b" , and 5 replaces the alphabetic s in substitute )
  • Use numbers and letters that create a sentence
    • e.g., 4warned_4armed ( Forewarned is for forearmed )
  • Insert silent characters into words or double words
    • e.g., choc9ola7te

Password Management

For the sake of convenience, many people who put strong locks on their front door often still hide a spare key under the doormat.

Likewise, many people who have difficulty remembering their passwords often opt for the equivalent of the key under the doormat strategy by:

  • Formulating weak passwords that are easy to crack;
  • Hiding their passwords in obvious and accessible places where anyone could easily find them, such as taped to the bottom of their keyboard or adjacent desk drawer; or,
  • Never changing their passwords because devising and remembering new passwords is too much trouble.

Ideally, you should commit your passwords to memory; but if you find this difficult, here are two practical suggestions:

  • Consider installing an application such as KeePass, Pretty Good Privacy (PGP) or GNU Privacy Guard (GnuPG) which secures your list of passwords with a common password.
  • As a last resort, write down your passwords, put them in a sealed envelope and hide it where only you know where to find it.

Change your Password

Follow the link below to reset your CWL password: