Change Your NetID Password
About a dozen people in CLASSE must change the password associated with their Cornell NetID before April 2nd.
Everyone should make a practice of changing all of their passwords regularly. When passwords have been compromised, often it will be quite some time before the perpetrators try to take advantage of them. A changed password can prevent such problems before they start.
Message from CIT to campus computer groups
Date: Tue, 07 Feb 2012 21:39:59 +0000
From: Information Technologies Special Bulletins
Subject: NetID password changes for audit compliance
To address a security concern identified by the University Audit Office, CIT is working with IT Security liaisons and IT directors to contact approximately 2,000 individuals whose NetID passwords need to be changed by April 2.
Individuals with affected NetIDs will need to use the university's "Change Your Password" tool (https://netid.cornell.edu). If no action is taken, the NetID password will be scrambled on April 3.
This action is necessary to ensure that the NetID and password pair for active faculty, staff, and students meets a minimum level of encryption, Triple Data Encryption Standard (3DES) or above.
To minimize the impression of phishing, we are collaborating with IT Security liaisons to provide guidance and support for each unit. If no security liaison is available, we are working with the IT Director for the affected individual. If no IT Director is available, the affected user is being contacted directly with instructions to contact the HelpDesk should they have any questions.
Individuals will receive their first notification this week. Several scheduled reminders will be sent prior to the password scrambling.
There will be a checkpoint during the week of March 19 to review the list of people who have not yet changed their passwords to determine whether additional measures are required to avoid an interruption in access to services for any of the individuals in the group.
Template message from CIT to individuals
Subj: Required change for your Cornell NetID
At the recommendation of the Cornell University Audit Office, Cornell Information Technologies (CIT) will be increasing the security level for the system that protects the university's NetIDs. Unfortunately, your Cornell NetID was flagged as not meeting the requirements for that system, based on the date of the last password change.
To continue using your Cornell NetID, you must take the following action by April 2. Any password not changed by April 2 will be scrambled on April 3 to ensure the security of the system:
Go to Cornell University's "Change Your Password" tool at https://netid.cornell.edu and select a new password for your Cornell NetID. This is the only action you need to take.
Notes:
For tips on choosing a new password, please see:
http://www.cit.cornell.edu/security/identity/passwords/strong.cfm
If you have forgotten your Cornell NetID password and have previously set security questions, go to "Forgot your Password" at:
https://netid.cornell.edu/
If you have forgotten your password and have not set your security questions or if you need help changing your password, contact the CIT HelpDesk (helpdesk@cornell.edu or 607 255-8990).
Questions or concerns?
Messages about passwords can, and should, seem suspicious. Here are two ways you can confirm that this is indeed a legitimate request from Cornell University:
(1) Check the university's "Verified Cornell Communications" page to see a copy of this message (http://www.it.cornell.edu/security/safety/verified.cfm). You'll need to log in with your Cornell NetID and password.
(2) Contact the CIT HelpDesk to verify you are on the list of recipients for this message, and to receive help changing your password (helpdesk@cornell.edu or 607 255-8990).
Frequently Asked Questions
- Does this issue relate to password complexity?
The encryption issue is not related in any way to password complexity. All staff should already have a complex password as a result of previous initiatives. This issue has to do specifically with the strength of the encryption algorithm used to store the password, regardless of the plain text characters in the password. Individuals who last changed their passwords before CIT implemented the stronger encryption mechanism will appear on the list of those required to change the password now.
- Can the password change be automated?
The process to modify the encryption level for the affected NetIDs cannot be automated since this would require access to the plain text password. The NetID repository itself is designed to resist the extraction of the password in plain text form.
- Can I use the same password?
While we could argue that occasionally changing your NetID password is a good general practice, you can use the same password by changing it once to something different and then changing it again back to the original string.
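The FAQ answers on automation and on reusing a password can be seen together in the added Python sketch below, which is not CIT's code and does not reproduce the actual NetID mechanism. It assumes the store keeps only a one-way value derived from the password; the two PBKDF2 settings standing in for the older and stronger schemes, the cutover date, the NetIDs and the passwords are all constructed for illustration.

```python
import hashlib
import hmac
import os
from datetime import date

# Constructed stand-ins, NOT the real NetID mechanism: two PBKDF2 settings
# play the roles of the older and the stronger storage scheme.
SCHEMES = {"legacy": ("sha1", 1_000), "strong": ("sha256", 100_000)}
CUTOVER = date(2008, 1, 1)  # hypothetical date the stronger scheme went live


def derive(scheme, password, salt):
    algo, rounds = SCHEMES[scheme]
    return hashlib.pbkdf2_hmac(algo, password.encode(), salt, rounds)


def new_record(password, scheme, changed):
    salt = os.urandom(16)
    return {"scheme": scheme, "salt": salt,
            "key": derive(scheme, password, salt), "changed": changed}


def verify(record, password):
    candidate = derive(record["scheme"], password, record["salt"])
    return hmac.compare_digest(candidate, record["key"])


def change_password(record, new_password, today):
    # The only moment the store sees the plain text, so the only moment it
    # can write the record under the stronger scheme. Nothing in `record`
    # alone is enough to compute derive("strong", ...).
    return new_record(new_password, "strong", today)


def flagged(store):
    # Audit rule described in the message: flag by date of last change.
    return sorted(n for n, r in store.items() if r["changed"] < CUTOVER)


def demo():
    store = {"abc1": new_record("Tr1cky-Horse!", "legacy", date(2005, 3, 1)),
             "xyz9": new_record("0ther-Phrase?", "strong", date(2011, 9, 9))}
    before = flagged(store)
    # Last FAQ answer: change to something different, then back again.
    today = date(2012, 3, 1)
    store["abc1"] = change_password(store["abc1"], "Temp-Value-77", today)
    store["abc1"] = change_password(store["abc1"], "Tr1cky-Horse!", today)
    rec = store["abc1"]
    return before, flagged(store), rec["scheme"], verify(rec, "Tr1cky-Horse!")
```

After the change and change-back, the account holds the same password but is stored under the stronger scheme and no longer appears in the flagged list.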