On December 4, 2017, ITS implemented two new password policies at the direction and with the support of the Technology Priorities and Planning Committee (TP&PC). The new policies reflect a growing campus-wide commitment to two-factor authentication as an essential part of our overall security posture. They are intended to make it easier for community members who choose to opt in to Duo to manage their Carleton password over time, while preserving an essential minimum security standard for those who prefer not to enroll in two-factor authentication.

On December 6th, 2021, following the recommendations of a security audit, password policies were updated to require a minimum length of 15 characters and to check passwords against published lists of leaked passwords.

One of the two policies below applies to your account, depending on whether or not you have enrolled in two-factor authentication via Duo. A password policy is applied at the time that you change your password, and is not retroactive. If you choose to opt in to Duo and set a password according to the less restrictive policy, you will be required to change that password if you choose to opt out of Duo thereafter.

Note: Carleton faculty, staff, and current students are required to use Duo and are subject to Policy 1 below.


Policy 1 (with Duo enrollment):

  • Passwords must contain at least 15 characters.
  • Passwords will be automatically checked against a list of previously-hacked passwords to make sure you are not using one of them.
  • Passwords cannot contain easily-guessable words such as:
    • Your first or last name
    • Your username
    • Your previous password
    • The word “carleton”
    • The word “college”
    • The word “password”
  • Passwords do not require special characters.
  • Passwords do not expire.

Policy 2 (no Duo enrollment):

  • Passwords must contain at least 12 characters.
  • Passwords will be automatically checked against a list of previously-hacked passwords to make sure you are not using one of them.
  • Passwords cannot contain easily-guessable words such as:
    • Your first or last name
    • Your username
    • Your previous password
    • The word “carleton”
    • The word “college”
    • The word “password”
  • Passwords are subject to complexity requirements:
    • At least one capital letter.
    • At least one number.
    • At least one special character or symbol.
  • Passwords expire annually.