Changing Your NetID Password
Enforced Password Complexity
The Apply system, the online self-service web site that allows you to change your password, enforces the following password rules that are minimum requirements for NetIDs.
- Passwords MUST be 8 characters or longer (pass phrases are highly recommended)
- Password MUST not be the same as your account name (NetID) forward or reversed
- Password MUST contain at least 2 characters from any 2 of the character types below. This assumes a minimum 8 character password; for longer passwords, the requirements increase slightly based on length. No one element can make up more than 80% of the password.
  - Upper Case characters (ABCDEF)
  - Lower Case characters (abcdef)
  - Digit characters (12345)
  - Special characters (!@$%^*])
- Password MUST not be or contain a dictionary word IF IT IS LESS THAN 12 CHARACTERS IN LENGTH. If the password is greater than 12 characters, it may contain dictionary words.
- Password MUST not use 'simple' character substitutions that would otherwise make the password a dictionary word. For example, using '5' for 's', '3' for 'e', 'l' for '1'.
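The rules above can be expressed as a small checker, which is useful for testing candidate passwords before submitting them. This is an added example, not the Apply system's code: the word list is a constructed sample, the '@' and '0' substitutions are assumed extras, "element" is read as one character type, and the unspecified stricter requirements for longer passwords are not modeled.

```python
# Constructed sample word list; a real deployment would load a full dictionary.
WORDS = {"password", "welcome", "dragon", "summer", "secret"}
# '5'->s, '3'->e, '1'->l follow the page's examples; '@' and '0' are assumed extras.
LEET = str.maketrans({"5": "s", "3": "e", "1": "l", "@": "a", "0": "o"})


def char_class(ch):
    """Map a character to one of the four character types in the policy."""
    if ch.isupper():
        return "upper"
    if ch.islower():
        return "lower"
    if ch.isdigit():
        return "digit"
    return "special"


def check_password(netid, password):
    """Return a list of rule violations; an empty list means the password passes."""
    problems = []
    lowered = password.lower()
    if len(password) < 8:
        problems.append("too_short")
    if lowered in (netid.lower(), netid.lower()[::-1]):
        problems.append("matches_netid")
    counts = {}
    for ch in password:
        counts[char_class(ch)] = counts.get(char_class(ch), 0) + 1
    # Assumed reading: two or more types must each supply at least 2 characters.
    if sum(1 for n in counts.values() if n >= 2) < 2:
        problems.append("too_few_character_types")
    # Assumed reading of "element": one character type.
    if password and max(counts.values()) > 0.8 * len(password):
        problems.append("one_type_over_80_percent")
    # The dictionary rule applies only below 12 characters, as the page states.
    if len(password) < 12:
        for candidate in (lowered, lowered.translate(LEET)):
            if any(w in candidate for w in WORDS):
                problems.append("dictionary_word" if candidate == lowered
                                else "substituted_dictionary_word")
                break
    return problems
```

The function returns every violated rule rather than stopping at the first, so a user sees all the problems with a candidate at once.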
Choosing Good Passwords
Choosing a good password should be considered a critical aspect of securing systems. Insecure and/or shared passwords account for the majority of recent compromises on and off campus.
Strong Password = Complex + Long + (Not found in a dictionary) + (Changed regularly) + Memorable
One of the best ways of coming up with a good, complex, hard to guess password that is still relatively easy to remember is to start with a phrase you can remember, like:
"Remembering a long and complex password doesn't have to be difficult."
Taking the first letter of every word in the phrase while preserving case and punctuation we get:
This would be considered a pretty good password, based on the criteria listed below. It's relatively long (12 characters), it contains three of the four types of characters (uppercase letters, lowercase letters, and punctuation), it is not a word or name, and it is memorable if we remember the phrase used to generate it. To make it even more secure, characters can be added or replaced with numbers or other characters. For example, if we replace the first vowel (a) with a number or character, we get:
So, using a phrase that you can easily remember, you can create a very good and complex password. Now that you have a good password, remember the following tips to avoid it getting out to the wrong people:
- Don't write it down.
- Don't share it with anyone.
- Do change the password regularly - every six months or so. (HINT: Change your password when you change your clocks for Daylight Saving Time.)
- Do change the password if it is shared or if you think someone else may know it.
Good passwords are:
- Complex
Passwords can (and should) contain more than simple lowercase letters. A combination of uppercase and lowercase letters, numbers, and punctuation marks makes passwords harder to guess.
- Long
Generally, the longer the password, the harder it is to crack. A bare minimum password should be eight characters, but the recommended length is over twelve.
- Not Found in a Dictionary
Hackers use password crackers that throw many different passwords at accounts using different kinds of attacks. One kind of attack uses a "Dictionary File". These "Dictionary Files" contain literally hundreds of thousands of dictionary words, names, and simple permutations of each. For example, one attack might try to use 'password' in its attack. A good attack would try permutations as well, like p@ssword, password1, etc.
- Changed Regularly
At a minimum, passwords should be changed every six months. Depending on the type of system and the level of rights being accessed, it may need to be changed even more frequently. (Remember: Change your password when you change your clocks for Daylight Saving Time.)
- Memorable
The password you choose should be memorable to you. You should not choose a password that you have to write down to remember.
Change Passwords When you Change your Clocks
Change your login password for each of the Rice University systems you access when you change your clocks, or at a minimum once each year.
Unchanged passwords can lead directly to Rice computer workstation break-ins and compromised Rice data and systems.
How can unchanged passwords lead to a security breach?
Whenever campus systems become compromised, the attackers collect passwords used or cached in the hacked systems. They utilize these newly acquired passwords to attack other campus systems. When successful, they grab the passwords from these new systems and continue to attack campus computers with an ever-increasing list of passwords. Rice has never forced password changes, so a compromised or "stolen" password file/list can be valid for years, giving attackers more and more chances to find new systems to attack. Changing passwords regularly helps mitigate security risks.
What does a security breach mean to me?
You may be unaware that security break-ins significantly impact the Rice community's productivity and affect our network, servers, and systems. These high priority incidents draw heavily upon IT staff resources and time, which in turn impacts regular, day-to-day IT customer support. Please change your NetID password and any other passwords you utilize on Rice computers twice each year, or, at a minimum, once each year. Changing your password on a regular basis is one of the easiest ways to protect your digital assets. The Rice IT Security Office recommends changing your password at least twice a year.
Remember, your password(s) protect your digital life at Rice - keep it secure.
NetID password changes can be made on the apply.rice.edu web site: http://apply.rice.edu/
Thanks for helping make Rice safer for your computer, your identity, and your data.