Skip to content Skip to main navigation Skip to footer

Password Management Best Practices

Table of Contents

Each organization has unique security needs, so it is vital that your user team analyzes their situation and makes decisions on how to set up their distinct security goals.

Please take the time to go through our suggested best practices, and let our Customer Support Team know if you would like any consultation on them.

Alexandria is a secured program, meaning a username and password are always required to gain access to the service. It is imperative to plan for and have access redundancies in place for your Alexandria service.

  • Don’t share passwords.
  • Don’t use generic passwords or shared operator accounts. Each user should have their own unique username and password.
  • Consider using a secure password management program to avoid forgetting your login info, and to avoid having your password in obvious places (like a post-it note on your desk).
  • Keep your operating system, browsers, and COMPanion program up-to-date (if you are cloud hosted with us then you don’t have to worry about the last one). 
  • ALWAYS add a valid and current email to an operator patron record so that the operator can recover their password if needed. 
  • Make sure to whitelist, which is the email address any password reset emails will come from. This might need to be done by a district or facility IT team.
  • Have a plan to access the district admin’s password/email if they leave, or have a backup district admin user. 

  • We recommend having two distinct highest level operators (District Administrator) for redundancies, in case one operator leaves, then the second operator can still access all areas of the program. These could be the District Librarian, Site or District Tech, or whoever has high-level responsibility over the library. 
  • Consider giving a backup, full-admin rights login to a person who is always onsite, like your principal IT technician. Even if they don’t use Alexandria regularly, if you ever get locked out, someone can help. This can also be useful if someone is helping out as a librarian temporarily, but the permanent librarian is unavailable to help give them temporary access. 
  • A lot of this may depend on the size of your facility, and your administrative group should make a plan and policy for password and user management

We recommend that you set a standard for secure passwords and train your team accordingly.

Here are some generally accepted password rules:

  • It is not safe to use the same password on more than one site. If your password is hacked for one site, then it could be used to get into multiple sites. Reusing passwords is not secure. 
  • Create a password that is hard to guess, and doesn’t contain personal information like your birthdate or phone number. A strong password should be easy for you to remember, but hard for anyone to guess or associate with you. Avoid using simple phrases, words, or patterns that are easy to guess. 
  • Remember that the longer a password is, the harder it is to hack.
  • Follow these simple steps to keep your data (and yourself) safe. 
Tip: Keep your data safe—Password Required!

How strong is the password you use to log in to Alexandria? You aren’t going to have any mischievous 7th-grader guessing it and wreaking havoc on your collection, are you? Let’s take a look at some good password tips.

Picking a good password

In general, you want to choose a password that someone is not likely to guess, whether it’s ‘silverhorses’ or ‘112233cats’ etc. But as a librarian with access not only to your precious Alexandria catalog but also to numerous person records, you are responsible for the security of the database and of those patrons’ information. 

To choose a strong password, you want something that a) the 7th-grader can never guess, and b) hacking (password-guessing) software is going to have to work really, really hard for. These are similar but not the same goals. For example, the 7th-grader will never guess a random 5-digit string of numbers (or, it might take them thousands of tries), but 5 digits isn’t that long for a computer program to try every possibility. On the other hand, a program might take forever to guess ‘ilovebooks4ever’ but the 7th-grader might try that fairly early on. 

Some highly-recommended points for picking a good password:

  1. Pick a long semi-random phrase, like ‘herdofsilverhorses’.
  2. Add a number to really throw things off, e.g. ‘herdof30silverhorses’.
  3. Add a symbol* to make things really fancy, e.g. ‘herdof30silverhorses!’.
  4. Don’t write your password on a sticky note that you keep on your desk. (I recommend using password-management software.)

If you count that last iteration of my beautiful password, it’s 21 characters long. Yikes! That’s pretty secure. Usually 12–15 characters will keep you pretty safe. Anything above that and you are a super guardian of your domain.

*Most symbols are fine, but be aware that some login pages will see symbols in the password as part of their code, and then you get stuck out of your account. Not fun. So be sure to always test your password after you change it! In Alexandria we recommend any of the following: !@#$%^&*-=+.,

Changing your password in Alexandria

You can change your own password in Alexandria through Researcher:

  • Log into Search. Go to Patron Status by either clicking on the Patron Status icon at the top of the page or appending /status to the end of your URL. From Patron Status, click the Account tab and unlock the page. Fill out both New Password fields, and click Save when you’re done.

You, as the librarian, can also change passwords through Patrons Management:

  • In v7, unlock the patron record and enter the new password in the Password and Confirm Password fields on the Access tab. Click Save.

You can also use the Reset Patron Accounts utility to change multiple patron passwords at once.

Don’t forget to check with your aides to ensure they also have appropriate passwords!

Password Requirements

Did you know you can set password requirements for your staff and patrons? Go to Security, and the Account tab. There is an option for Password Strength.

When set, patron passwords entered in Patron Management or Patron Status are required to fit the following guidelines:
Weak Passwords: Minimum length of 6 characters.
Regular Passwords: Minimum length of 8 characters, with at least one letter (a-z) and one number (0-9).
Strong Passwords: Minimum length of 10 characters, with at least one letter (a-z), one number (0-9), and one symbol (!@#$%^&*-=+.,).

This means you can require your patrons to have basic password security (of a weak strength), but require your librarians and administrators to have stronger passwords.

Carry on, fearless guardian!

See also

Adding Operators is usually done by an admin, or someone who has greater security rights than the new operator being created. 

Read through the step-by-step instructions for Adding Operators, or watch our training video below. Be sure the operator has an EMAIL, maybe even TWO, so they can always recover their password!

There are two possible scenarios for recovering a login or getting back into Alexandria; if you have an operator record with an email attached to it, or if you do not. We will cover both below.

If you have access to the operator’s email address, username, or barcode for password recovery: 

When setting up an operator, ensure an email is entered. If an email was entered at the time of setup, the quickest way to recover an operator login is to: 

  1. Go to the login page for Alexandria, and click the “Forgot your password?” button located below the username and password fields.
  2. Enter the email, username, or barcode of the operator and click SEND LINK.
  3. Once you receive the recovery link, follow the steps to update the password, within 24 hours of receiving the recovery link.

Make sure to whitelist

If the operator DOES NOT have an email attached to their record in Alexandria: 

The steps for recovering a login in this case can be a lengthy process and customers will be required to speak with the COMPanion Support team and confirm their identity and role. Due to security considerations and requirements, COMPanion Corporation and the COMPanion Support Team withhold the right to deny or approve password requests at any time.

This is why it is important to maintain and manage access to your service. If you do not have access to the operator’s email address, username, or barcode for whom you wish to recover or reset a password (or if the operator did not have a valid email in their record), then you will need to speak with a member of the COMPanion Support Team. Their contact info is:

(800) 347-4942 ·

If approved, a Support Team member will then issue a temporary password that is good for 24 hours.

With this temporary password, you can log in to Alexandria and follow these steps to reset the password:

Go to Patrons and select Advanced Search to bring up the patron profile with the login credentials and permissions. Once the patron record is displayed, click the Lock icon to unlock the record. Go to the Access tab and enter a new password, then click Save. 

Please also be aware that our 24 hour temporary password does give the logged-in-user highest access to the program. It is wise to be sensitive with whom you are sharing these temporary credentials.

See also: Tip: Keep your data safe—Password Required!

The Approval process for temporary password issuance can be lengthy due to the detailed review requirements. This can take up to 2 or more business days processing based on the verification of the person requesting, and release of the temporary passwords.

If you have a librarian who is retired, or one that has already left, you will want to remove their access to Alexandria. You might also be adding a new librarian as an operator to your Alexandria. Here are the steps to do that.

To remove an operator: 

Go to Patrons and select Advanced Search to locate the record of the librarian who is leaving.  Unlock the record and go to the actions menu and choose Remove Patron, then select Yes, Remove

To create a new librarian, see the section above for creating a new secure operator or see Adding Operators

COMPanion suggests regular audits of who has operator access to Alexandria, and if old operators should be removed. There are multiple security group levels; all may need to be cleaned up.

To clean up your operators: 

Run the Operator Summary report to generate a list of your operators to review. 

Go to Patrons and click Advanced Search to find all operators with login credentials. Click the Access dropdown, then Security

First, select the District Administrator option and click Search. Review the list of operator patron records and determine which need to be removed. 

Click to highlight the operator you want to remove and click the Lock icon to unlock the record. Go to the Actions button next to the lock and choose Remove Patron, then select Yes, Remove

Repeat these steps for all operators you need to remove. 

If needed, repeat these same steps for any other security group levels (other than the Patron level), such as Library AdministratorLibrarian, and Library Staff

Was This Article Helpful?


There are no comments yet

Leave a comment

Your email address will not be published. Required fields are marked *