Password Security

Passwords and passphrases are used to access many online services, such as email, credit card and bank accounts, e-commerce sites like Amazon, and social networking sites like Facebook and Twitter. It is important to choose strong passwords or passphrases to make sure no one but you gains access to your private information.

The CNetID passphrase is an alternative to the CNetID password and functions identically to a CNetID password by authenticating you for all the common services you are eligible to use based on your affiliation with the University.

If you struggle to create and remember complex passwords, a passphrase is an equally secure option. Passphrases are simple sentences that are more secure due to their length rather than their complexity. Passphrases at the University of Chicago must be at least nineteen characters long. For more tips for creating secure passwords and passphrases, please read the article Strengthen Your Passwords Or Passphrases And Keep Them Secure.

Alert: Never use CNetID passwords and passphrases for any services or applications outside of the University.

The sections below give more details that will help you increase your password security.

Use Two-Factor Authentication (2FA)

Important: To strengthen your account security, ITS strongly encourages users to consider opting in to 2Factor Authentication (2FA). 2Factor Authentication (2FA) enhances the security of your CNetID by using your phone, tablet, or some other device to verify that you are really the person attempting to log in when you attempt to access University applications. This prevents anyone but you from using your CNet credentials to log in to websites like MyUChicago, even if they know your CNetID password or passphrase.

You can find more information about 2FA and how to use it in the 2Factor Authentication (2FA) – Overview and in the 2Factor Authentication (2FA) – FAQ.

Don't use the same password or passphrase for all your accounts.

Using the same password or passphrase for multiple services is very dangerous. If your credentials are stolen from one service, hackers can use them to access all the accounts where you used them. Always consider what you are protecting when choosing a password or passphrase. You may not need the same level of security for accounts where you do not use any private information. If you are unsure, always err on the side of caution and use a unique password or passphrase.

Of course, it is very difficult to remember more than a few unique passwords and keep track of where you have used them! Consider using a password or passphrase manager, such as Password Safe or LastPass, to help you manage multiple passwords and passphrases. However, we do recommend that you do not store passwords and passphrases for financial institutions in this manner.

Never share your password or passphrase.

Never give out your password or passphrase online or over the phone to others. Email and phone requests for your password or passphrase and other private information are phishing scams. University administrators or reputable companies, such as your bank or credit card company, will never request this kind of information through email, fax, or phone.

Don’t even share your passwords with friends or family members. In particular, do not give them your CNet password or passphrase to gain access to any UChicago service, such as the virtual private network (VPN) or the wireless networks on campus. This is a violation of the Eligibility Acceptable Use Policy (EAUP). Instead, give your guest a temporary password or passphrase through the UChicago Guest Network.

Your password or passphrase is like your signature. Giving it out to others amounts to giving them the authority to sign your name, which makes you responsible for all activities associated with your account.

Change your password or passphrase regularly.

The longer you’ve used a password or passphrase, the more likely it is that someone will manage to figure it out. Change your passwords or passphrases regularly, at least once a year. The passwords you use to protect confidential information should be changed more frequently than others. See the knowledge base article CNetID Overview to learn how to manage your CNet password.

Don't store your password or passphrase within web applications.

Many web browsers and email clients offer to store passwords and passphrases for you. This is not the best idea and should only be done with care. Never store passwords or passphrases associated with important services, such as financial accounts. Computer viruses and spyware programs can easily retrieve stored passwords or passphrases for these accounts from your browser. They may even be able to distribute your passwords or passphrases before you notice that anything is wrong.

The sole exception is what we’ll call throwaway passwords. Throwaway passwords are passwords or passphrases for accounts that you do not care about and which do not contain sensitive information, such as credit card information, medical history, phone records, etc. A throwaway password might be one of several passwords you reuse for services or applications you rarely visit, that you don’t care about being cracked by hackers, and that do not contain confidential data.

Never use information in a password or passphrase that can be found online.

For example, the name of the street you grew up on, your Harry Potter blog, the states you lived in, your obsession with making homemade canned goods on Pinterest, your likes on Facebook, and relatives’ names can all be easily found online. Some websites, such as MyLife, are devoted solely to compiling biographical information about you.

Store written copies of your passwords or passphrases safely.

If you need to write down your password or passphrase temporarily or access it from a written source, please be sure to store it in a safe place. Do not write your passwords or passphrases down and place them under your keyboard or in an unlocked drawer. If you must write them down, consider leaving out some of the easily remembered characters, and reinsert them when typing them in. Destroy the paper once you have memorized the passwords or you no longer need them.

Here are some tips for safely storing a hard copy of your password:

  • Never write down the name of the service the password is for. For example, if the password is for an Adobe application, do not write “Adobe: spacecamp MashedPotatoes4!” on a sheet of paper, no matter how safe you think that sheet of paper is!
  • Leave some characters out. Instead of writing “spacecamp MashedPotatoes4!” write down an abbreviated form that only you’ll understand, such as “sc MP4!”.

Use a password or passphrase escrow service.

Departments can store a sealed package of passwords or passphrases in a fireproof safe with IT Security. Only pre-designated parties will be able to retrieve the sealed package. For more information about this free service, see the Password Escrow Service website.

Use non-secure networks with care.

As a convenience, hotels, restaurants, and businesses often offer public internet access. Please use this access with care, and avoid accessing confidential information, such as financial data, using these networks. Hackers often target these networks to obtain confidential information for financial gain. Whenever possible, use the UChicago VPN (cVPN) to carry out University business, as an added layer of protection. Still, be aware that hackers may be able to access your username, password or passphrase, and other private information by tracking your keystrokes remotely.

You may also find useful information on our Travel Tips page.