Using Strong Passwords

No matter how many walls are placed around your machine, there is always a key for complete access: your password. There are countless programs that attempt to determine passwords, either by guessing common passwords, by systematically generating possibilities and trying them all, or by a combination of the two.

The best defense is a strong password and multi-factor authentication. A strong password is a combination of numbers, uppercase letters, lowercase letters, and if possible, special characters (such as !@#$%^&,*). This makes the password nearly impossible to guess in a reasonable amount of time, and ensures that all the hard work you put into keeping your machine well-defended does not go to waste. The longer the password, the harder it is to guess.

Beginning in February 2020, CUIT no longer requires you to change your UNI password periodically if you register to use Duo multifactor authentication across all CUIT web applications (e.g. LionMail, ARC, PAC, CourseWorks, RASCAL). This change is based on password research which found that keeping a strong, unique password that you remember is more secure than using weaker passwords, perhaps writing them down or reusing them, and then changing them frequently.

Of course, as passwords get closer to random numbers and letters, they also become more difficult to remember. That doesn't mean that you have to choose a weak password either. You can m15peLL w0Rdz intentionally, or use a mnemonic device like a strong passphrase.

Remember: If you think there's a chance that someone else has seen your password, make sure you change it immediately.

How To Change Your University Network ID (UNI) Password

Columbia University affiliates with a University Network ID (UNI) can change their password at any time:

Guidelines for Creating Strong Passwords

What is a Strong Password?

A strong password is designed to be complex and therefore difficult to guess or crack.

Columbia University maintains the following password requirements:
  • A password must be between 8 and 64 characters long
  • A password must have at least three of the following:
    • Uppercase letter
    • Lowercase letter
    • Number
    • Special character
  • A password less than 12 characters cannot contain common words or personal identifiers (name and UNI)
  • Passwords of any length may not contain your first or last name
  • A new password must be different from the previous five passwords that were used

Helpful Tips

  • Longer passwords (or "passphrases") can be formed using a phrase or sentence. They are easy for you to remember, but difficult for others to guess.
  • A short phrase or sentence is often easier to remember.
  • If you use a phrase or sentence of at least 12 characters you can use dictionary words.

Other Important Password-Related Guidelines

  • Your account is your responsibility. Do not share your password with others, including technicians. CUIT staff will never ask for your password.
  • Do not choose a password that is based on personal information that someone who knows you may be able to guess.
  • Do not use your user ID (UNI) or your name/department name as your password.
  • Do not use your University ID (UNI) and password for access to third-party systems (e.g., online shopping, newspapers, travel websites).
  • Avoid letting software save or store your passwords. Not only will you increase the chance that someone will be able to access data on your computer or personal information, but you will be more likely to forget the password if you do not type it in regularly.
  • Always log out of programs or websites and close your browser (e.g., Internet Explorer, Firefox or Chrome) when you are done working, especially on public computers.
  • Protect your passwords and treat them as valuables.

Never share your password with anyone, not even a relative or colleague. If another person has your password, they can, for all computer purposes, be you. This extends far beyond simply reading your email. At Columbia, this would include sending email as you, gaining access to sensitive financial or health information, and changing where your paycheck goes, and is considered a serious policy violation. But it's just not a smart thing to do anywhere.

It's very important to use different passwords for different systems. This limits the damage a malicious person can do should a password fall into the wrong hands. Everyone understands that it's nearly impossible to memorize a different strong password for each service you need to log in to. It's a good idea to have a set of four or five very strong passwords that you use on different systems.

Do everything you can to memorize your passwords, but if, for some reason, you absolutely must write down a password, always keep the note with you or in a locked file, and do not write down the corresponding ID.

Password breaches happen every day, at websites and companies all over the world, and they can impact you without you even realizing it. If you use the same password on multiple accounts and websites, and even one of those websites or accounts is hacked, stolen, or otherwise revealed, then every other site and account you used the same password on is at risk. The strongest password is not of much protection if you use it on every site.

Your best defense is to use a different password for every site and account you use.

That can quickly become unmanageable, considering how many different sites and accounts we sign into on a daily basis. It can be hard to remember one strong password, much less several dozen. 

In such cases, a password manager is a good tool to have in your arsenal. A password manager is a personal encrypted database of your passwords and the sites/accounts they belong to. This list is protected by its own master password, and potentially other security features (such as two-factor authentication), and gives you a convenient and secure way to look up your passwords to sign into accounts.

Columbia University does not support or offer a password manager, but if you need one, this is a non-exhaustive list of options you might consider.
  • Keepass
    • Pricing: Free, open-source program
    • Features: Local-only, strongly-encrypted, portable database file. Clients for Windows, MacOS, Linux, iOS, and Android available
  • LastPass
    • Pricing: Free and paid tiers.
    • Features: Cloud-based encrypted manager with support for file storage, additional data types such as encrypted notes, and two-factor authentication (2FA). Plugins for all major browsers add auto-fill and auto-save capability, and smartphone apps for iOS and Android give you access on the go. Can help you generate strong, secure, random passwords.
  • 1Password
    • Pricing: 30-day free trial, paid tiers otherwise
    • Features: Locally-stored database with optional cloud-sync to their servers and/or your own cloud (Dropbox, iCloud, etc). Plugins for all major browsers add auto-fill and auto-save capability, and smartphone apps for iOS and Android give you access on the go. Can help you generate strong, secure, random passwords.
  • Dashlane
    • Pricing: Free and paid tiers
    • Features: Cloud-based encrypted database with support for additional data types such as credit cards. Supports two-factor authentication (2FA), and browser plugins for Chrome, Safari, and Firefox for full auto-fill and auto-save capability. iOS and Android apps available. Can help you generate strong, secure, random passwords.