Password and password security

About passwords

The University of Waterloo manages all userIDs and passwords through UWaterloo Identity and Access Management (WatIAM). A person's WatIAM credentials are used to access all of UWaterloo's systems, including Quest, LEARN, Workday, and email.

Password strength

Passwords are set upon first access to WatIAM by the user and must fulfil the following minimum requirements:

  • Be between 8 and 32 characters long

  • Have at least one character from at least 3 of the following groups

    • Numeric characters (0-9)

    • Lower case letter (a-z)

    • Upper case letter (A-Z)

    • Non-alphanumeric character (-, %, ^, !, $, #, +, etc.)

  • NOT include all or part of your given names or surname

  • NOT contain your userID

  • NOT contain an email address

These minimum requirements ensure that all WatIAM passwords are not easy to discover through brute force or other simple means.  
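
The rules above can be expressed as a checker. The following is an added example, not WatIAM's own code; the function names, the sample identity and the reading of "part of your given names or surname" as any 3-character run of a name are assumptions made for illustration.

```python
import re
import string

MIN_LEN, MAX_LEN = 8, 32
# Assumption: the page says "all or part" of a name without giving a length;
# this sketch treats any 3-character run of a name as "part" of it.
NAME_FRAGMENT_LEN = 3
EMAIL_RE = re.compile(r"[^\s@]+@[^\s@]+\.[^\s@]+")

def character_groups(password):
    """Return which of the four listed character groups appear."""
    groups = set()
    for ch in password:
        if ch in string.digits:
            groups.add("numeric")
        elif ch in string.ascii_lowercase:
            groups.add("lower")
        elif ch in string.ascii_uppercase:
            groups.add("upper")
        elif not ch.isalnum():
            groups.add("non-alphanumeric")
    return groups

def name_fragments(*names):
    """Lower-cased runs of each name part that must not appear in a password."""
    fragments = set()
    for name in names:
        for part in re.split(r"[\s'-]+", name.casefold()):
            if len(part) < 2:  # single letters would reject almost any password
                continue
            n = min(len(part), NAME_FRAGMENT_LEN)
            fragments.update(part[i:i + n] for i in range(len(part) - n + 1))
    return fragments

def check_password(password, user_id, given_names, surname):
    """Return the violated rules; an empty list means the password passes."""
    problems = []
    folded = password.casefold()
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length")
    if len(character_groups(password)) < 3:
        problems.append("groups")
    if any(f in folded for f in name_fragments(given_names, surname)):
        problems.append("name")
    if user_id and user_id.casefold() in folded:
        problems.append("userid")
    if EMAIL_RE.search(password):
        problems.append("email")
    return problems

# Constructed sample identity, not a real account.
if __name__ == "__main__":
    print(check_password("X9!jdoe#Pass", "jdoe", "Jordan Alex", "Doe"))
```
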

Two-factor authentication

About two-factor authentication

Two-factor authentication (2FA) adds an extra layer of security to your University accounts. Verifying your identity using a second factor (like your phone or other mobile device) prevents anyone but you from accessing your accounts, even if they know your password.

How does two-factor authentication work?

Once you’ve opted in to two-factor authentication, logging in to supported services is as simple as accepting the notification on your phone, or entering a PIN from a text message or phone call. It’s as easy as 1-2-3:      

1. Enter your password

2. Use your password to verify your identity

3. You’re securely logged in

Why should I use two-factor authentication?

Passwords are increasingly easy to compromise. They can often be stolen, guessed, or hacked, and as a result of this, you could potentially be locked out of your account, or you might not even know someone is accessing it.

Two-factor authentication adds a second layer of security, keeping your account secure even if your password is compromised. With two-factor authentication, you will be alerted right away (on your phone) if someone is trying to log in as you.

Supported services

Signing up for two-factor authentication once protects your account for all supported services. The following services are currently supported by two-factor authentication, with more coming soon:

  • Microsoft 365 web portal

  • Outlook Web App

Who can use two-factor authentication?

Anyone with WatIAM credentials can use two-factor authentication. This includes undergraduate students, graduate students, alumni, faculty, staff, retirees, and guests.

Am I required to have a two-factor authentication account?

Two-factor authentication is currently optional for everyone. However, in the future, it may be required in order to use some systems. 

How do I enroll for two-factor authentication?

It takes less than five minutes to set up an account for two-factor authentication. You can enroll for two-factor authentication by following the instructions as shown in the Two-factor authentication enrollment video (with DUO) below.

Watch video on YouTube

Support for two-factor authentication

If you’re looking for additional information about two-factor authentication, you can visit Duo’s knowledge base Guide to Two-Factor Authentication.

If you have any questions or concerns regarding two-factor authentication, please contact the IST Service desks, the Arts Computing Office Help, or extension 33190.

Change your WatIAM password

To change your password, log into WatIAM, click on "Change My Password" and you will be prompted to change your password.

Resetting a forgotten WatIAM password

  1. Go to Password Recovery.

  2. Enter your userID and an external email address, then click Next.

  3. If those two things match data on the identity, a password reset message will be sent to the supplied email address.

  4. Log into your external email address, open the password reset message and click on the provided link. 

The provided link will open a new window where you will need to create a new password according to the guidelines above. If the password meets the requirements, your password will be reset.

If you cannot remember an external email address, or if you are a staff or faculty member in need of password assistance, please come in person to the Arts Computing Office (ACO) Help Desk with a piece of photo ID (e.g. your WatCard).

Password security

Even if a password meets the requirements above, it is still possible for it to be compromised. The following are recommended security practices that can prevent a person's WatIAM password from being compromised:

  • Use a unique password for WatIAM.  If someone uses the same password for WatIAM, Facebook, Gmail, etc. and their password on a non-UW server is compromised, then their WatIAM password may be known by others.

  • Do not share or give out a password for a personal account. University of Waterloo staff, faculty, and administration will never ask you to tell them your password. If someone finds out your password, change it immediately.

  • Always enter passwords manually when online. Anyone who gains access to stored browser passwords or cookies has the potential to use the associated accounts on those web sites. 

  • Change passwords periodically. Though the University of Waterloo does not currently require people to change their passwords, it is recommended that people change their passwords every 126 days (approximately once a term).

Password breaches and compromises

Any password breaches or compromises are subject to the Information Security Breach Response Procedure.

WatIAM accounts that have been found to be or suspected of being breached will be temporarily locked until they have been investigated. People will be directly contacted by a member of Information Systems & Technology (IST) regarding their account. If you believe your account has been compromised and have yet to receive any communication from IST, please contact the ACO Help Desk or the IST Service Desk.

Additional Information

For more information regarding passwords and password security, see the following pages: