Computer Account and Email Requirements for University Employees Policy

No. A UCHAD account provided by the Medical Center can be used to access online functions the same as a CNetID account. If you have both a UCHAD account and a CNetID account, you must use the CNetID account when logging in to online functions outside of the Medical Center. It is simplest to have only one of these accounts.

This policy pertains only to CNetID accounts. The Department, Division, School, or Institute may have its own policies concerning the use of accounts it issues.

The University provides all faculty and staff the option to use one or more email services to which email addressed to their CNetID account is delivered. The University also provides all faculty, staff, and students the ability to forward all email addressed to their CNetID account to an email service of their choice. One of these choices must be selected in order to regularly attend to email addressed to your CNetID account.

With a corpus of hundreds of millions of compromised passwords and “rainbow tables” covering all possible passwords of length up to 8 characters already incorporated into cloud-based services provided by and to the hacker community, older, shorter, and simpler passwords are easy targets. When a password is a substantial part of the protection against unauthorized access to something important, it should be kept out of range of this powerful artillery, and that means changing it from time to time. But there is little consensus about how long that interval should be – there is no a priori reasoning that leads to “annually”. Instead, IT Services has a pragmatic reason to choose this value. The technologies and processes used to issue, manage, and use CNetIDs implement a specification that is accepted by organizations as diverse as the US Federal government and the International Grid Trust Federation as meeting “Level of Assurance 2”. All greater Levels of Assurance require a credential technology that is stronger than passwords. This specification must be tuned to some specific password expiration value, and one year was selected as a reasonable interval. So the better question is: Why not annually?

Two-factor authentication, or 2FA, is the use of a second means of authenticating a user in addition to their username and password. Typically, a smart phone or special hardware token is used to implement the second factor. When 2FA is enabled, a compromised password is not sufficient to gain access. Users of some online functions may be required to use 2FA to prevent unauthorized access to sensitive information. Details of the University’s implementation of 2FA are on the 2FA website.

You may still be asked to change your CNetID password in response to specific circumstances in which that step is warranted. For example, if your CNetID password is compromised for whatever reason, you will need to change it. And if IT Services updates CNetID password standards to keep ahead of password cracking technology, a campaign to refresh CNetID passwords may be undertaken so that they adhere to the revised standards.

The security awareness training is provided online and takes approximately 15 minutes to complete. Like IT, IT Security keeps changing and an annual refresher keeps you updated on how you can do your work securely.