Passwords and passphrases are used to access many online services, such as email, credit card and bank accounts, eCommerce sites like Amazon, and social networking sites like Facebook and Twitter. It is important to choose good passwords or passphrases to make sure no one gets access to your private information. Here are some tips on how to create secure passwords and passphrases and how to keep them secure.
The CNetID passphrase is an alternative to the CNetID password and functions identically to a CNetID password by authenticating you for all the common services you are eligible to use based on your affiliation with the University.
Note: Only use your CNetID and password for University services.
If you struggle with creating--and remembering--a complex password, an equally good option is to use a passphrase instead. Passphrases are simple sentences that use length instead of complexity to make them secure. Passphrases at the University of Chicago must be at least nineteen (19) characters. For more on passphrases, see the section contained in this article called "Choosing Good Passphrases."
Secure passwords at the University of Chicago must have at least twelve (12) characters and combine letters, numbers, and symbols. Choose passwords that are memorable, but not easily guessed.
Dictionary words are any common words, names, dates, or numbers. Don't assume that this is limited to English dictionaries: if you can find it in the dictionary of any language (even fictional ones, such as Klingon), don't use it! One standard method for cracking passwords is a brute force attack, in which the attacker tries possible passwords over and over again. They try passwords in all sorts of languages using dictionaries of common words and names.
Many of the dictionaries include both common misspellings and words with letters replaced with similar looking numbers (e.g. replacing “l” with “1”). You should also avoid simply adding a numeral to the beginning or end of a word.
Since these can be found out, these passwords can be very easy to guess.
Obviously, if the password appears in a document such as this for the whole world to see, don't use it.
The longer your password is, the harder it is to crack.
Use a mixture of upper and lower case letters, numbers, and punctuation such as !, @, #, etc. Try to use at least three (3) out of the four (4) character sets available on your keyboard (e.g., KK,nn,123, !@#). However, avoid using characters that don't appear on a standard US 101 keyboard, as they may not work correctly in all circumstances.
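The rules above (12-character passwords that draw on at least three character sets, 19-character passphrases, and no dictionary words disguised with look-alike characters or added numerals) can be written as a small checker. This is an added example, not University of Chicago code: the word list and substitution table are constructed, the function names are hypothetical, and treating "three of four character sets" as a hard requirement is an assumption.

```python
import string

MIN_PASSWORD, MIN_PASSPHRASE = 12, 19   # lengths stated in this article
ALLOWED = set(string.ascii_letters + string.digits + string.punctuation + " ")

# Constructed mini word list; a real check would load large multi-language lists.
WORDLIST = {"password", "letmein", "dragon", "chicago", "maroon"}

# Look-alike swaps that cracking dictionaries already contain (e.g. "l" -> "1").
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "3": "e", "4": "a",
                            "5": "s", "7": "t", "@": "a", "$": "s"})


def character_sets(secret):
    """Count how many of the four keyboard character sets appear."""
    tests = (str.isupper, str.islower, str.isdigit,
             lambda c: c in string.punctuation)
    return sum(any(test(c) for c in secret) for test in tests)


def is_disguised_word(secret):
    """True for a dictionary word with look-alike characters swapped in
    and/or numerals and symbols added to the beginning or end."""
    trimmed = secret.strip(string.digits + string.punctuation)
    candidates = {s.lower().translate(LOOKALIKES) for s in (secret, trimmed)}
    return bool(candidates & WORDLIST)


def evaluate(secret):
    """Return a list of problems; an empty list means the rules are met."""
    problems = []
    if any(c not in ALLOWED for c in secret):
        problems.append("character not on a US keyboard")
    if len(secret) >= MIN_PASSPHRASE:
        return problems            # passphrase: length carries the security
    if len(secret) < MIN_PASSWORD:
        problems.append("shorter than 12 characters")
    if character_sets(secret) < 3:
        problems.append("fewer than 3 character sets")
    if is_disguised_word(secret):
        problems.append("dictionary word in disguise")
    return problems


if __name__ == "__main__":
    for s in ("M'sCMh8196wii!", "Passw0rd1234!", "dragon1"):
        print(repr(s), evaluate(s) or "ok")
```

The checker does not recognize famous quotations or personal details, so a passphrase that passes the length test still has to follow the guidance in the rest of this article.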
Think up a phrase. For example, "Marx's Communist Manifesto has 8196 words in it!". You can use that as your passphrase, or choose the first letter from each word. "Marx's Communist Manifesto has 8196 words in it!" You'll notice that in this example we've decided to include all the punctuation to improve the quality of the password. So, your password would be M'sCMh8196wii!. It is a nice, long password with a good mixture of character classes.
For example, nuit+Pog=tWi. Pronounceable nonsense words are easier to remember than random characters.
Secure passphrases at the University of Chicago must be at least nineteen (19) characters in length, and these characters include punctuation and spaces between words or letters. Note that the criteria for what constitutes a good password and what constitutes a good passphrase may differ. Unlike a password, for example, passphrases obviously need at least some dictionary words to function as they are intended to.
Part of the reason someone might choose to use a passphrase instead of a password is because he or she finds a passphrase to be more memorable. Examples include a favorite childhood memory, favorite foods, places you've visited, experiences you've had, etc., or some combo of these things. For example, "space camp MashedPotatoes4!" (a favorite childhood memory and favorite food) is a particularly strong passphrase. While a hacker may try any of these words individually, only you know all the words and characters in this specific combination that form your passphrase.
Consider adding additional (unexpected) characters that only you know. So, for example, "space camp" and "mashed potatoes"--your favorite childhood memory and favorite food--become "+space camp 4!,MshdPtts".
Adding other characters such as symbols, numbers, and capital letters increases the complexity of your passphrase and makes it more difficult for hackers to crack.
Passphrases must be at least nineteen (19) characters long. Since passphrases rely on length instead of complexity (like passwords do) for security, the longer your passphrase is, the harder it is to crack. Note that creating a longer passphrase--which includes spaces and punctuation--is easier than you might think. As noted earlier, a passphrase of, "+space camp MashedPotatoes4!" is memorable and hard to crack because it's long (29 characters).
While lines taken from the U.S. National Anthem, for example, might seem like a good passphrase, these lines are widely-recognized and famous, so in practice they make bad passphrases that are easy to crack. If you like the idea of basing your passphrases on a favorite book, song, movie or play, etc. consider taking a passphrase from a book, movie, play, etc. that is meaningful to you and not very well-known. Do not use anything that could be easily found in a book of quotations, an online quotation compiler, or can be found easily by Google.
If you must choose an (obscure) passphrase from a favorite book, movie, play, etc., you should add unexpected characters like numbers and symbols, and consider abbreviating it or changing it so only you know the "code." For example, "To be or not to be/that is the question" would become "tB or not TB/tisq7!"
A good passphrase will generally not be an exact quote, but a seemingly nonsensical list of items (like "+space camp MashdPotatoes4!") that is memorable, meaningful, and unique only to you.
For example, the passphrase:
could be a password based on a picture or poster you have hanging on the walls of your office, home, dorm room, etc. This is a good passphrase because it's easy to remember and is memorable to you, because it is based upon a picture of you in a red dress sitting on your desk. It is also a lengthy password (24 characters) and it has unexpected characters (the "$" symbol and the "!").
For example, if your first passphrase was "spacecamp MashedPotatoes4!" do not reuse any of these words in your next passphrase, and never "create" a new passphrase by re-using an old passphrase but adding in new words or characters: for example, "spacecamp MashedPotatoes Hi5!" Hackers will easily be able to crack this.
It takes little effort to come up with a good passphrase if you follow the criteria outlined in this article.
Below are some other examples of good passphrases and why they are good passphrases:
"Zelda Katamari MGS3#"
These are all video games. Lists of various categories, such as favorite items (food, games, books, etc.) can make good passphrases, so long as that information is not easily available online (on your Facebook, in your email, or on other social media accounts) and cannot be easily guessed by someone (everyone knows you love all the Harry Potter books, and there's a picture of you on Google images at a Harry Potter convention, for example).
A list of all your childhood pets' names is very easy to remember (memorable to you), contains unexpected characters ("&"), is long (42 characters), and is unique to you; it's something that only you--in this specific order--would know.
"That time I slipped on a Hot Pink Banana Peel $"
"Bullriding at a Taxidermy Convention?!"
Both phrases are funny and unique, and so easy for you to remember (memorable to you), are long, contain uppercase and lowercase letters, and contain an unexpected character ("$" and "?!").
The point of all these examples is that there is flexibility in choosing a passphrase: not all examples will be equally memorable to you, even if they're information only you know. For some people, a list of items they love with unexpected characters thrown in will be a perfectly easy passphrase for them to create and remember; other people may need spaces between words or a funny phrase to help them create and remember a passphrase. In other words, you may have trouble remembering "Zelda Katamari MGS3#" but not "Bullriding at a Taxidermy Convention?!" Allowing for the principles listed in this document, what makes a good passphrase depends partly on you.
Using the same password or passphrase (where applicable) for multiple services is very dangerous because if it is stolen from one service, hackers can use it to access all your other accounts. You should consider what the password or passphrase is protecting when choosing a password/passphrase. Some services may not require as secure a password or passphrase if they do not contain any private information. If you are unsure, always opt to use a different password or passphrase. It is also very difficult to memorize all of the various passwords. Consider using a password or passphrase manager, such as Password Safe or LastPass to help manage multiple passwords/passphrases. However, you should carefully consider whether or not you want to store passwords and passphrases for financial institutions with a password or passphrase manager.
For less important passwords or passphrases (where applicable), you can use different iterations of the same basic password. For example, the password above, M'sCMh8196wii! could become nM'sCMh8196wii!NYt for a New York Times account (“NYt” added after the core and “n” added before for “news”). However, the passwords or passphrases protecting your most sensitive information should always be completely different from other passwords or passphrases.
Never give out your password or passphrase online or over the phone to others. Email and phone requests for your password or passphrase and other private information are phishing scams. University administrators or reputable companies, such as your bank or credit card company will never request this kind of information through email, fax, or phone.
Don't even share your passwords with friends or family members. In particular, do not give them your CNet password or passphrase to gain access to any UChicago service, such as the VPN (virtual private network) or the wireless networks on campus. This is a violation of the Eligibility Acceptable Use Policy (EAUP). Instead, give your guest a temporary password or passphrase through the UChicago Guest Network.
Your password/passphrase is like your signature; giving it out to others amounts to giving them the authority to sign your name, which makes you responsible for all activities associated with your account.
As a convenience, hotels, restaurants, and businesses often offer public internet access. Please use this access with care, and avoid accessing confidential information, such as financial data using these networks. Hackers often target these networks to obtain confidential information for financial gain. Whenever possible, use the UChicago VPN (cVPN) to carry out University business, as an added layer of protection. Still, hackers may be able to access your username, password or passphrase, and other private information by tracking your keystrokes remotely.
The longer you’ve used a password or passphrase, the more likely it is that someone has managed to figure it out. Change your passwords or passphrases regularly, such as once a year. Passwords protecting the most confidential information should be changed more frequently than others. To change your CNet password or passphrase, visit http://cnet.uchicago.edu.
Many web browsers and email clients offer to store your password or passphrases (where applicable). This is not the best idea and should only be done with care. Never store passwords or passphrases associated with important services, such as financial accounts. Computer viruses and spyware programs can easily retrieve stored passwords or passphrases from these accounts. They may even be able to distribute your passwords or passphrases before you notice that anything is wrong.
The sole exception to this is what we'll call "throwaway passwords." Throwaway passwords are passwords or passphrases for accounts that you do not care about and which DO NOT contain sensitive information, such as credit card information, medical history, phone records, etc. A throwaway password might be one of several passwords you reuse for services or applications you rarely visit, which you don't care about being cracked by hackers and which do not contain confidential data.
For example, the names of the street you grew up on, your Harry Potter blog, the states you lived in, your obsession with making homemade canned goods on Pinterest, your likes on Facebook, and relatives' names can all be easily found online, and some websites are devoted solely to compiling biographical information about you, like MyLife.
If you need to write down your password or passphrase temporarily or access it from a written source, please store it in a safe place. Do not write your passwords or passphrases down and place them under your keyboard or in an unlocked drawer. If you must write them down, consider leaving out some of the easily remembered characters, and insert them when typing them in. Destroy the paper once you have memorized the passwords or passphrases.
Here are some tips for safely storing a hard copy of your password:
Departments can store a sealed package of passwords or passphrases in a fireproof safe with IT Security. Only pre-designated parties will be able to retrieve the sealed package. For more information about this free service, see Password Escrow.
A final note: to strengthen your account security, ITS strongly encourages users to consider opting in to 2Factor Authentication (2FA). 2Factor Authentication (2FA) enhances the security of your CNetID by using your phone, tablet or other device to verify that you are really you when you attempt to access University applications. This prevents anyone but you from using your account to log in to websites like MyUChicago, even if they know your CNetID password or passphrase.
More information about 2FA and how to use it may be found in the "2Factor Authentication (2FA) - Overview" and in the "2Factor Authentication (2FA)- FAQ."
For other security tips, visit our Safe Computing site.