Frequently Asked Questions

About Passwords

Why are Marmot libraries implementing passwords?

The library profession prioritizes the protection of patron privacy as a core tenant of the Library Bill of Rights. Colorado law also requires that “reasonable steps” be taken to protect personally identifiable information. Implementing passwords for access to patron data is a reasonable step.

Passwords are for more than just keeping patron reading history private. Personally identifiable information such as personal contact information can be more easily accessed without passwords in place - information that has the potential to result in identity theft or other crimes.

Why are we calling these PASSWORDS rather than PINs?

Cultural use and acceptance of the word PIN implies a four digit identification number. Although this is certainly better than nothing, Marmot decided to alter the language to reflect an even more secure and customized authentication token. Cultural use of the word PASSWORD implies an alpha-numeric token. Passwords also have generally accepted complexity standards - such as uppercase characters, lowercase characters, numbers, and symbols - that we can direct patrons toward in order to encourage more secure authentication tokens.

Will we see any decreases in holds, circulation, or renewals once passwords are implemented?

Libraries that have implemented passwords have not experienced declines in holds, checkouts, renewals, or library use.

What systems will require passwords and which won’t?

Systems Impacted

Not Impacted

Highly Suggested

Systems Impacted

Not Impacted

Highly Suggested


Staff computer logins (Windows and Mac logins)

Third party databases or resources (non proxied)


Sierra Webpac for request by staff functionality

Library event registration systems

Sierra Webpac for Patrons

Library websites

Individual library SIP2 or Patron API connections (regardless of Marmot hosting)

Shared eContent Sources (ex. Overdrive/Libby)




Sierra Desktop staff access


Patron record loads

Envisionware PC Reservation and LPT:One (can be used, but cause some functional issues)


Patron record creation



Express Lane Self Checks



Why is this level of security being put into place now?

Colorado law has recently changed such that this level of security is required. There have been dramatic nationwide and worldwide increases in cyber crime, identity theft, and the commodification of PII. This level of security is more important now than in the past.

Getting Started

What is a patron’s initial password?

Libraries will have a choice between two default password structures.

Option 1: first three letters in the name field and the last four digits of the barcode.

For example John Doe, with a barcode of 987654321 would have either of the following default passwords (depending on whether the name field is populated last name first, or first name first):

  • doe4321

  • joh4321

Option 2: first three letters in the name field and the last four digits of the phone number.

Using the same example: John Doe, with a phone number of 555-270-6789 would have either of the following default passwords (again, depending on whether the name field is populated last name first, or first name first):

  • doe6789

  • joh6789

We strongly recommend patrons changing their password to one that is meaningful to them. Passwords should include uppercase and lowercase letters, numbers, and special characters.

How do patrons get a password?

Default passwords will be generated by Marmot staff and populated into patron records. After passwords are enabled on March 28, 2023, patrons who log into Pika using the default password will be prompted to reset their password.

Once patrons are logged in, they should review, update, or add an email address by clicking the “Edit Account” link. They will need a valid email in order to retrieve or reset a forgotten password.

TIP for busy Parents/Caregivers: If patrons have multiple family members with library cards, parent/caregivers may want to consider choosing the same password for each cardholder so they don’t have to juggle multiple passwords in order to access online accounts and services.

Will the default password or reset passwords be case-sensitive?

The password field is case-sensitive, regardless of whether the default password or a reset password is being used.  The temporary default password is all lowercase. We suggest that reset passwords contain both upper- and lower-case letters, in addition to numbers and special characters.

What are all of the components required for a patron to log in?

  • For Pika and EZProxy patrons will need barcode and password. Libraries can choose to enable or disable passwords for SIP2 connections.

After passwords are implemented, how will new patrons get a default password?

Staff will need to input a temporary password manually. Marmot recommends that each district/library have policies and procedures that ensure strong temporary passwords and encourage your patrons to use strong, safe passwords.

How will new patrons using Pika’s self-registration get a password?

The form for self registration includes a blank field for patrons to enter their own password. There is no reason for that field to be prefilled or randomized as the patron is creating it for themselves.

What will happen to linked accounts in Sierra and Pika?

  • In Sierra, linked account functionality is independent of the passwords functionality. Library staff will be able to access linked accounts without passwords.  

  • In Pika, if accounts were previously linked, the linking is not lost, but both the manager and managed accounts have to reset their passwords for authentication. For newly established linking, the manager account will have to know the managed account’s unique password – the default password will not allow linking in Pika.

Patron Support

How do patrons reset their passwords?

Patrons can log into their online account to change their password using these steps:

  • Click on “My Account.”

  • Click on the “Forgot My Password” link/text.

  • Enter their library card number and click “Submit”. This will send patrons an email with a temporary link to change their password.

  • Patrons then need to check their email and click on the link they received. Enter their library card number and new password of their choice and click on Save Changes.

We strongly recommend patrons changing their password to one that is meaningful to them. New passwords MUST consist of at least six alpha-numeric characters. The best passwords should include uppercase and lowercase letters, numbers, and special characters. We recommend that patrons AVOID choosing a password that is “password,” a simple number sequence like 123456 or 000000, or contains any part of their social security number.

Are there complexity requirements for reset passwords, such as length, numbers, or special characters?

The requirements in place for Sierra is at least 6 characters. However we do suggest that library staff adopt a suggestion structure that follows standard password complexity suggestions. This article provides some good suggestions.

Will I be able to help patrons reset their passwords?

Yes, library staff can help patrons reset their password by updating the field in the patron record. We suggest that staff instruct patrons to change their password themselves for the password to be secure.

Can I tell a patron their password if they forget it?

No. The password is encrypted information, so library staff cannot access it. If a patron forgets their password, please walk them through the online “Forgot Your password” steps. Patrons can also visit their library in person to change their password with staff assistance and identification. 

Can I send a patron a new password if they forget it?

Yes. If a patron is not able to reset their password using the “Forgot Your password?” link, staff can manually change the password to a default option. The patron would then have to create a new password going through the prompts/process they went through the first time around.

Can a patron still use their library card if they forgot their passwords?

Yes. Patrons can still use their library card for in-library checkouts at the circulation desk.

How do patrons without an email address reset their passwords?

Pika uses the email addresses that are in the patron record to allow patrons to reset their passwords. If a patron does not have an email address in their account they will need to contact the library staff to have their password reset through Sierra.

What about patrons who never reset their default password?

Patrons will have a grace period from March 28 - July 31 to reset their default password. Once libraries close the evening of July 31, Marmot staff will update any remaining default passwords with randomly generated passwords, effectively locking the patrons' accounts. Patrons will have to contact the library at that point for assistance resetting the password.

Once a patron resets their default password, will their new password ever expire?

Sierra has the functionality to enable resets at a certain number of days. However, libraries do not have to use that functionality. Patrons should be encouraged to monitor their password security and reset it if they think it might be compromised.

If a patron never uses Pika, will library staff be forced to use Sierra to place holds for them, rather than using Pika’s masquerade mode?

Library staff can temporarily change the password for these kinds of patrons and log into Pika as them.

Will all library staff have the necessary permissions to masquerade as patrons?

Permission to masquerade is set by patron type. Libraries that do not have staff patron types should plan on adding one. Let Marmot know if you need to add a staff patron type.

Third Party Resources

How do passwords affect a patron’s interaction with:



If a library participates in Marmot’s Shared Overdrive collection, their patrons will be prompted for their password in order to gain access to Overdrive content. This may or may not be the case for libraries who participate in ACDC or the Front Range Downloadable Library.



Patrons will have an additional prompt in Prospector when they login for their Sierra password.


PC Reservation guest passes?

Guest passes for PC Reservation will not be affected by passwords.


Envisionware products?

Non-selfcheck Envisionware products are not impacted. Passwords can be used with PC Reservation and LPT:One, but cause some functional issues. Contact Marmot support if you’d like to know more. Envisionware self-checks may require a barcode and password if a library has opted to enable passwords for SIP2 connections.


Limited access cards?

All patron records will require a password during creation. If the limited cards have any of the following access they will need to have a password and know how to use it.

  • Access to shared e-resources like OverDrive

  • Access to Pika

  • Ability to checkout materials through self check

  • Access to a third party database where passwords are required for patron authentication

  • Access to public computers where passwords are enabled on PC Res or LPT1

Will the Libby password be the same as the PIKA password?

Yes. Pika and Overdrive/Libby both connect to Sierra as a central location for the patron credentials.

Will the password in Sierra remove any current holds that patrons have in Libby?

No.  The Libby/OverDrive account will not be impacted by passwords other than for authentication verification. All holds and history will still be attached to the patron’s account.

Will patrons only need to authenticate in Libby one time?

Correct, patrons will only need to authenticate in Libby one time, unless they log out or change their password.

Will patrons’ default passwords work for OverDrive?

Default passwords will work for Overdrive until the patron changes it. In order of operations, we would suggest the patron log into Pika first to change their password.

Will patrons be able to access materials they have already checked out during the 24 hour period before the system makes them log in with the new password, or will Libby block them?

Patrons should have access to materials in their account because they will not be logged out of Libby. The system will log them out within 24 hours depending on the last time the patron record was checked or verified by OverDrive. A password change should not prevent a patron from signing into their account.

If we have to reset a password in Sierra, will it take 24 hours for Libby to recognize the new password?

  • It depends on the time of day the password is reset in Sierra.  OverDrive makes a daily call to Sierra; that daily call is when OverDrive recognizes that there is a new password in the patron account.  If a password is reset 5 minutes before the daily call, the password will be updated in Libby in 5 minutes.  If a password is set 12 hours before the daily call, the new password will update in Libby after 12 hours.  

  • Anytime a patron wants to use a new password to access Libby right away, they could log out of Libby and log back in with the new password.  Otherwise, the patron’s previous password will still work with Libby until that daily call to Sierra takes place.

Will I still be able to place holds in Pika or in Prospector for a patron without knowing their password?

For placing holds in Pika, you can use Masquerade Mode to create materials requests, if the library has materials requests enabled in Pika. For placing holds in Prospector, Sierra has functionality to allow staff to request materials on behalf of patrons using an override code.

Are patron barcodes necessary for using PC Reservation?

Authenticating patron barcodes is necessary in PC Reservation if a library wishes to control access (total time, number of sessions, age restrictions). If enabled, passwords will be required for all reservations even if being placed by library staff. If no controls are needed, then authentication using a library account is not necessary.

How do passwords affect 3rd party resources that already use a username/password system?

If the third party system does not authenticate against the Sierra system and instead allows patrons to create an “account” with them then Sierra passwords will not be a factor for those resources. These are usually set up so that the patron accounts are stored in the 3rd parties database.

Can 3rd party resources that use their own username/password system be convinced to use the Sierra passwords?

This will probably have to be broached on a vendor-by-vendor basis. It is ideal to have the patron accounts in one place for privacy reasons but some 3rd parties will not be set up to use SIP2 or Patron API.

Will patrons be required to reauthenticate with their new password for 3rd party resources that use their own username/password system?

Yes. If the third party system does not authenticate against the Sierra system and instead allows patrons to create an “account” with them, then Sierra passwords will not be a factor for those resources. These are usually set up so that the patron accounts are stored in the 3rd parties' databases.

How do passwords affect 3rd party resources that authenticate via IP address?

Authentication via IP address will not change directly. However, resources that are accessed via EZProxy (a form of IP authentication) will require a password on the EZProxy authentication portal.

What information can Marmot provide to help prepare 3rd party selfchecks (SIP2) for passwords implementation?

If a library chooses to enable passwords for SIP2, Marmot staff can provide the timeline that outlines when passwords will go live. Most vendors who authenticate patrons through SIP2 or Patron API will have other customers that use passwords. It is usually just a matter of toggling the system to check for the passwords for the vendor. They will mainly want to know when the change is going to occur ahead of time.

If a vendor needs more information we can provide information on the calls or fields they will need to look for to find the passwords.

Do passwords need to be implemented for all 3rd party resources at the same time?

It depends on whether the 3rd party resource uses SIP2 or PatronAPI. SIP2 connections may require password verification. PatronAPI connections make this optional.

Other Resources