...
The University of Waterloo manages all userids all userIDs and passwords through UWaterloo Identity and Access Management (WatIAM). A person's WatIAM credentials are used to access all UWaterloo's systems including Quest, LEARN, Workday, and email.
...
Be between 8-32 characters long
Have at least one character from at least 3 of the following groups
Numeric characters (0-9)
Lower case letter (a-z)
Upper case letter (A-Z)
Non-alphanumeric character (-, %, ^, !, $, #, +, etc.)
NOT include all or part of your given names or surname
NOT contain your useridyour userID
NOT contain an email address
...
Once you’ve opted in to two-factor authentication, logging in to supported services is as simple as accepting the notification on your phone, or entering a PIN from a text message or phone call. It’s as easy as 1-2-3: 
1. Enter your password 2password
2. Use your password to verify your identity 3identity
3. You’re securely logged in
...
Signing up for two-factor authentication once protects your account for all supported services. The following services are currently supported by two-factor authentication, with more coming soon:
Office Microsoft 365 web portal
Outlook Web App
...
Resetting a forgotten WatIAM password
Go to Password Recovery.
Enter your
...
userID and an external email address, then click Next.
If those two things match data on the identity, a password reset message will be sent to the supplied email address.
Log into your external email address, open the password reset message and click on the provided link.
The provided link will prompt you to a new window where you will need to create a new password according to the guidelines above. If the password meet the requirement your password will reset.
...
Any password breaches or compromises are subject to the Information Security Breach Response Procedure.
WatIAM accounts that have been found to be or suspected of being breached will be temporarily locked until they have been investigated. People will be directly contacted by a member of Information Systems & Technology (IST) regarding their account. If you believe your account has been compromised and have yet to receive any communication from IST, please contact the ACO Help Desk or the IST Service Desk.
...