Password Security
Passwords and passphrases are used to access many online services, such as email, credit card and bank accounts, e-commerce sites like Amazon, and social networking sites like Facebook and Twitter. It is important to choose strong passwords or passphrases to make sure that no one but you gains access to your private information.
The CNetID passphrase is an alternative to the CNetID password and functions identically to a CNetID password by authenticating you for all the common services you are eligible to use based on your affiliation with the University.
Security Tip
If you struggle to create and remember complex passwords, a passphrase is an equally secure option. Passphrases are simple sentences that are more secure due to their length rather than their complexity. Passphrases at the University of Chicago must be at least nineteen characters long. For more information, please read the Password and Passphrases FAQ.
Never use CNetID passwords and passphrases for any services or applications outside of the University.
Tips to Increase the Security of your Passwords
Important: To strengthen your account security, IT Services strongly encourages users to consider opting in to Two-Factor Authentication (2FA). Two-Factor Authentication (2FA) enhances the security of your CNetID by using your phone, tablet, or some other device to verify that you are really the person attempting to log in when you attempt to access University applications. This prevents anyone but you from using your CNet credentials to log in to websites like MyUChicago, even if they know your CNetID password or passphrase.
You can find more information about 2FA and how to use it in the Two-Factor Authentication (2FA) Overview and the Two-Factor Authentication (2FA) FAQ.
Using the same password or passphrase for multiple services is very dangerous. If your credentials are stolen from one service, hackers can use them to access all the accounts where you used them. Always consider what you are protecting when choosing a password or passphrase. You may not need the same level of security for accounts where you do not use any private information. If you are unsure, always err on the side of caution and use a unique password or passphrase.
Of course, it is very difficult to remember more than a few unique passwords and keep track of where you have used them! Consider using a password manager to help you manage multiple passwords and passphrases. These tools often require you to make a “master” password that you use to unlock them – make this a very strong password that you can always remember. If you forget it, you may risk losing your password safe’s contents.
Never give out your password or passphrase online or over the phone to others. Email and phone requests for your password or passphrase and other private information are phishing scams. University administrators or reputable companies, such as your bank or credit card company will never request this kind of information through email, fax, or phone.
Don’t even share your passwords with friends or family members. Especially do not give them your CNet password or passphrase to gain access to any UChicago service, such as the virtual private network (VPN) or the wireless networks on campus. This is a violation of the Eligibility Acceptable Use Policy (EAUP). Instead, give your guest a temporary password or passphrase through the UChicago Guest Network.
Your password or passphrase is like your signature. Giving it out to others amounts to giving them the authority to sign your name, which makes you responsible for all activities associated with your account.
If you suspect someone else has accessed your account without your permission, change your password AND any other accounts that use a password similar to the leaked one. Change your password to something unique and unrelated to any of your other passwords.
Note that regularly changing your password is not necessary. If you do proactively change your password, create an entirely new password instead of slightly changing the current password.
Not recommended change: Password123 ➞ P@$$W0rd2022!
Better change: Password123 ➞ RainIsNotA#OrColor
Check to make sure no one else is using your account where possible by using features like Gmail’s last account activity logs. See the knowledge base article CNetID Overview to learn how to manage your CNet password.
Use a website like HaveIBeenPwned.com to check if your account information was included in a data breach leaked publicly. Additionally, you can subscribe to notifications at HaveIBeenPwned.com/NotifyMe to learn when your information appears in a new data breach. Several password managers can check if your credentials have shown up in a data breach. It can take a while for the credentials from recent data breaches to appear in these services, so you really should preemptively make sure that your passwords are unrelated.
Many web browsers and email clients offer to store passwords and passphrases for you. This is not the best idea and should only be done with care. Never store passwords or passphrases associated with important services, such as financial accounts. Computer viruses and spyware programs can easily retrieve stored passwords or passphrases for these accounts from your browser. They may even be able to distribute your passwords or passphrases before you notice that anything is wrong.
The sole exception is what we’ll call throwaway passwords. Throwaway passwords are passwords or passphrases for accounts that you do not care about and which do not contain sensitive information, such as credit card information, medical history, phone records, etc. A throwaway password might be one of several passwords you reuse for services or applications you rarely visit, that you don’t care about being cracked by hackers, and that do not contain confidential data.
For example, the name of the street you grew up on, your Harry Potter blog, the states you lived in, your obsession with making homemade canned goods on Pinterest, your likes on Facebook, and relatives’ names can all be easily found online. Some websites, such as MyLife, are devoted solely to compiling biographical information about you.
If you need to write down your password or passphrase temporarily or access it from a written source, please be sure to store it in a safe place. Do not write your passwords or passphrases down and place them under your keyboard or an unlocked drawer. If you must write them down, consider leaving out some of the easily remembered characters, and reinsert them when typing them in. Destroy the paper once you have memorized the passwords or you no longer need them.
Here are some tips for safely storing a hard copy of your password:
- Never write down the name of the service the password is for. For example, if the password is for an Adobe application, do not write Adobe: spacecamp MashedPotatoes4! on a sheet of paper, no matter how safe you think that sheet of paper is!
- Leave some characters out. Instead of writing “spacecamp MashedPotatoes4!” write down an abbreviated form that only you’ll understand, such as sc MP4!.
As a convenience, hotels, restaurants, and businesses often offer public internet access. Please use this access with care, and avoid accessing confidential information, such as financial data using these networks. Hackers often target these networks to obtain confidential information for financial gain. Whenever possible, use the UChicago VPN (cVPN) to carry out University business, as an added layer of protection. Still, be aware that hackers may be able to access your username, password or passphrase, and other private information by tracking your keystrokes remotely.
You may also find useful information on our Travel Tips page.
There are many password manager options available. Below are a few suggestions as of 2022. (Note: these tools are not offered or supported by the University.)
- 1Password – free trial with paid options
- Apple iCloud Keychain – free and available for Apple devices
- Bitwarden – free basic account with paid premium options
- Google Password Manager – free for Android and Apple mobile devices, computers
- LastPass – free basic account with paid premium options