The object when choosing a password is to make it as difficult as possible for someone (or some computer program) to guess what you've chosen, yet...
NetID Password FAQ
Because your password may be stored in multiple locations or devices, before changing your password, you should identify the places where you may have your NetID and password stored. After changing your password, you should re-establish your new password in your identified locations.
Visit the passwords page for a comprehensive list of applications and systems that use NetID authentication.
You should change your password at least once per year. Depending on several factors, it may take up to 20 minutes for your new password to propagate through all the systems. If you use a Windows computer connected to the Yale domain, you may want to change your password right before heading out for a meeting, going to lunch or leaving the office for the day.
If you change your password annually, your NetID and password will remain active. Please select a good, strong password and always choose a new one; please do not reuse old passwords no matter how long ago they were used.
Activities at Yale increasingly involve electronic systems, including online courses, grades, financial aid, many Yale business systems, faculty and staff benefits, IRS reporting, and more. As custodians for IT security at Yale, ITS strives to pursue every prudent step to maintain the security and integrity of your own and Yale's electronic systems.
One critical layer of IT security is your personal password. This is not only a key to the security of your own account but to the security of the Yale community because most system-wide attacks begin with the compromise of an individual account. Like running virus protection, periodic password changes are basic security hygiene.
It can be disruptive to change passwords on a forced schedule, so, in the past, Yale has recommended a regular change and relied on individuals to do so voluntarily. A recent review of security risks highlighted the importance of password protection, and a review of password change statistics showed that few users were changing their passwords regularly. While our Yale passwords are protected in multiple layers, strong and regularly changed passwords are a critical component of our security.
Specific benefits from an annual required password change:
- Providing a regular reminder to individuals to manage their own identity and security by managing their password. While Yale's policies preclude sharing of passwords, there is evidence some individuals do so; a password change requirement provides a routine opportunity to reinforce that passwords are private, not for sharing.
- Improving the "strength of passwords" to make them harder to guess or otherwise compromise. ITS will continue to make changes that ensure that users select "strong" passwords, further reducing the risk of password compromise.
- Providing a periodic "reset" against existing or potential password compromises such as having shared a password in the past.
- Providing an annual audit allowing ITS to disable inactive NetIDs which otherwise could expose the Yale community to account compromise.
ITS recognizes that it requires effort to choose and learn a new, stronger (and harder to remember) password. Some may be tempted to diminish the security of their new password by writing it down instead of memorizing it – please don't do that!
When considering an issue like this, Yale must weigh the inconvenience against the benefits. Yale's overriding concern is with the security of personal information and University systems. IT security risks continue to increase, so the value of this policy will rise correspondingly over time.
In an effort to increase campus information security, ITS is implementing a new process for managing passwords at Yale. All those who use a NetID and password to access services on the web through the ITS Central Authentication Service (CAS) will be prompted to change their password automatically once per year.
Passwords that consist only of letters, that are made from dictionary words or that are linked to your name, common names, date of birth, or other easily obtained information are easier for hackers to crack using commonly available hacking programs. Passwords that contain a combination of numbers, symbols, and upper and lower case letters are much harder to crack. Yale will require new passwords to be between 8 and 14 characters with at least two alphabetic characters and two numbers. See the guide to strong passwords.
A major cause of compromise is sharing your password. Please never share your NetID password with others.
Upon changing a password, there is a temptation to write down the new password – please memorize your new password as quickly as possible and don't leave any written copy, especially not by your computer!
You will have 30 days from the 12-month deadline to change your password. After the 30-day grace period, the system will force you to change your password before gaining access to CAS-protected pages.
Yes. A number of programs can save your password so that you don't have to enter it each time you run the application. Keep in mind that applications where you have used this option will be remembering your old password; therefore, each of these applications will need to be updated. For example, in Eudora for Windows, if you have used the "Remember password for this personality" option, you'll need to click the "Forget Password(s)" command under the "Special" menu to clear the old password. The password clearing process will vary from application to application.
Users of mobile devices that have cached passwords for email and other systems must manually change their passwords on the devices immediately after changing their passwords in CAS. Failure to do so may result in account lockout problems. iPhone users must manually update their email passwords. Users of the Yale Blackberry Enterprise Server (BES) and GoodLink Messaging service (Good) are not affected, but this applies to email passwords only. Any other cached passwords on mobile devices for CAS-enabled systems must be changed manually.
Macintosh Specific Questions
No. If you are using a Macintosh computer and changed your NetID password via CAS, your local password does not change.
Your local password is your account password used to log on to your Mac when you boot your computer. It is also the password that you enter when you are installing software or any other time you might need to authenticate.
Good practice is to change your local password at this time.