Bowdoin password requirements and choosing a strong password

password security login credentials mfa OKTA password-security passphrase password-requirements password-manager account-security

Questions

What are the password requirements for my Bowdoin account?
How long does my Bowdoin password have to be?
How do I create a strong password that I can actually remember?
What is a passphrase and is it better than a password?
Can I reuse an old Bowdoin password?
What makes a password weak or easy to guess?
Should I use a password manager?
Is it safe to write my password down or save it in my browser?
What do I do if I think someone else knows my password?
Why do I need a strong Bowdoin password if I already have Okta

Environment

This article applies to the password used with your Bowdoin username for any Bowdoin-managed service, including:

Who: All Bowdoin students, faculty, staff, and emeritus account holders.
What: Bowdoin email, Workday, Canvas, VPN, campus Wi-Fi, and any other service that uses your Bowdoin account to sign in.
Not covered: Passwords for personal accounts (Apple ID, Gmail, bank, etc.) — though the same strategies below apply. For resetting a forgotten Bowdoin password, see the Additional Resources section.

Resolution

Bowdoin password requirements

Every new Bowdoin password must meet all of the following rules:

Requirement	Details
Length	At least 12 characters.
Mixed case	Must include both uppercase and lowercase letters.
Number	Must include at least one number.
Special character	Must include at least one special character (for example, `!` `@` `#` `$` `%` `&` `?`).
Username	Must not contain any part of your username.
History	Must not match any of your last 24 passwords.

Note: Meeting the minimum requirements is just the floor. The strategies below will help you create a password that is both easier to remember and much harder to crack than a typical 12-character password.

Strategy 1 — Use a passphrase (recommended)

A passphrase is a short sentence or string of unrelated words used as a password. Passphrases are the modern recommendation because length matters more than complexity: a 20-character passphrase is dramatically harder to crack than an 11-character password full of symbols, and far easier to remember.

How to build one:

Pick four or more unrelated words that you can picture. Random beats clever — "correct horse battery staple" is the classic example, but "lobster umbrella concrete Tuesday" works just as well.
String them together. Add spaces, hyphens, or underscores between words if the system allows — if spaces aren't accepted, use - or _ instead.
Capitalize at least one letter and add a number and a symbol somewhere meaningful to you. Putting them at the very start or end is predictable — sprinkle them in the middle.

Examples (do not use these — make your own):

Lobster-Umbrella-Concrete-Tuesday!7
It can get c0ld in Maine!
coffee_Piano_42_bicycle_Moose

Why this works: Length is the single biggest factor in password strength. Adding one extra character to your password is worth far more than swapping a for @. Attackers know all the common substitutions.

Strategy 2 — Use a password manager

The most secure option is to let a password manager generate and remember a unique, random password for every account you have. You only need to remember one strong passphrase — the one that unlocks the manager itself.

Reputable password managers include:

Apple Passwords — built into macOS and iOS; free, syncs across your Apple devices.
1Password — paid, widely used, excellent cross-platform support.
Bitwarden — has a free tier; open-source; works on every major platform.

Important: The master password for your password manager should be the strongest, longest passphrase you can reliably remember — and should not be used anywhere else.

Strategy 3 — Never reuse passwords across sites

Password reuse is the single most common way Bowdoin accounts are compromised. If you use the same password for a personal account and that site is breached, attackers will try that same password against your Bowdoin login within hours. Every account needs a different password.

What makes a password weak

Attackers use automated tools that test millions of common patterns per second. Avoid passwords that:

Contain your username, name, or email address.
Are a single dictionary word (forwards or backwards), even with a number tacked on the end — for example, Bowdoin1! or summer2026!.
Use names of family, pets, sports teams, media characters, or anything that appears in your social media.
Use information easily found about you: phone number, license plate, address, birthday, graduation year, hometown.
Are sequences or repeats — 123456789012, qwertyuiop!1, aaaaaaaa1234, asdfjkl;1234.
Rely only on look-alike substitutions — P@ssw0rd!23, M1cr0$0ft!!. Attackers try these first.
Are reused on another account, anywhere.

Keep your password secret

Never share your password over email, chat, or phone — even with someone claiming to be from IT. Bowdoin IT will never ask for your password.
Do not write it on a sticky note on or near your computer.
Do not type it into a computer you do not trust — public kiosks, hotel business centers, or a borrowed device.
Only enter it into pages that begin with https:// and that show a Bowdoin domain (typically ending in bowdoin.edu).
Treat any unexpected password-reset or "verify your account" email with suspicion. When in doubt, go to the service directly rather than clicking the link.

Remember: your password is one layer of two

Okta is not a substitute for a strong password. Multi-factor authentication (Okta) protects you if your password is stolen, but attackers who have your password will still try to push Duo notifications hoping you approve one by mistake. A strong password means they never get that far.

If you think your password has been compromised

Change it immediately, then contact the Service Desk. Signs of compromise include:

Unexpected Okta push notifications you didn't trigger.
Sent-mail items or calendar events you don't recognize.
A sign-in alert from an unfamiliar location.
A notification from a password manager or haveibeenpwned.com that your password appeared in a breach.

Additional Help

If you need further assistance, you have several options:

Bowdoin Bot: Chat with Bowdoin Bot directly from any KB page for instant answers.
Phone: Call the Bowdoin College Service Desk at (207) 725-3030.
In person: Visit the Tech Hub in Smith Union during business hours.
Submit a ticket: Request assistance through the Service Catalog.

Additional Resources

Resetting a forgotten Bowdoin account password — If you can't sign in and need to reset your password.
Have I Been Pwned — Check whether your email address has appeared in a known data breach.
NIST: Digital Identity Guidelines (SP 800-63B) — The federal standard behind modern passphrase-focused password guidance.
Bitwarden Password Strength Tester — Estimate how long it would take to crack a given password. Do not type a password you actually use.

0 reviews

Print Article

Updating...