Using Strong Passwords
In short:
- Use a long, unique password or passphrase (16+ characters).
- Never reuse passwords across accounts.
- Always use multi-factor authentication (MFA) where available.
- Use a reputable password manager to securely manage unique passwords.
Even the most secure systems rely on passwords for access. Automated attacks can test millions of password guesses per second, which makes short or reused passwords especially vulnerable.
The best defense is a strong password combined with multi-factor authentication (MFA). A strong password is primarily defined by its length and uniqueness, and may include numbers, uppercase letters, lowercase letters, and special characters. Longer passwords and passphrases are significantly harder to guess or crack, especially when combined with MFA. This ensures that all the hard work you put into keeping your machine well-defended does not go to waste.
Beginning in February 2020, CUIT shifted away from routine, time-based password changes for users who register to use Duo multi-factor authentication across CUIT web applications (e.g., LionMail, ARC, PAC, CourseWorks, RASCAL). This approach emphasizes strong, unique passwords combined with multi-factor authentication, while allowing for password updates when security or policy changes require them.
This change is based on password research, which shows that keeping a strong, unique password that you remember is more secure than using weaker passwords, writing them down, or reusing them and changing them frequently.
Of course, as passwords become longer and more random, they can be harder to remember. Using a mnemonic device or a strong passphrase made up of unrelated words or a memorable sentence can make this easier.
Remember: If you think there’s a chance that someone else has seen your password, change it immediately.
How To Change Your University Network ID (UNI) Password
Columbia University affiliates with a University Network ID (UNI) can change their password at any time:
- Navigate to https://cuit.columbia.edu/cuit/manage-my-uni
- Click Change Your Password
Columbia University Password Requirements
What is a Strong Password?
A strong password is designed to be difficult to guess or crack, primarily through sufficient length and uniqueness.
Columbia University maintains the following password requirements:
- A password must be between 16 and 64 characters long.
- A password must include characters from at least three of the following categories:
  - Uppercase letters
  - Lowercase letters
  - Numbers
  - Special characters
- Passwords of any length may not contain your first or last name.
- A new password must be different from the previous five passwords used.
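The requirements above, written as a policy check. This is an added example, not CUIT's own code; it assumes the name match is case-insensitive, that whitespace and any non-alphanumeric character count as "special", and that password history is kept as salted PBKDF2 hashes rather than plaintext.

```python
import hashlib
import hmac
import os

# Columbia's stated policy (from this page): 16-64 characters, at least
# three of four character classes, no first/last name, and not one of
# the previous five passwords. Everything else here is an assumption.
MIN_LEN, MAX_LEN = 16, 64
HISTORY_DEPTH = 5
PBKDF2_ROUNDS = 100_000


def character_classes(pw):
    """Count how many of the four categories the password draws from."""
    return sum([
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),  # assumption: anything else is "special"
    ])


def hash_password(pw, salt=None):
    """Salted PBKDF2-SHA256 so the stored history never holds plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(pw, history):
    """True if pw matches any of the last HISTORY_DEPTH (salt, digest) pairs."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(pw, salt)[1], digest):
            return True
    return False


def check_password(pw, first_name, last_name, history=()):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if character_classes(pw) < 3:
        problems.append("needs at least three of: upper, lower, digit, special")
    lowered = pw.lower()
    for name in (first_name, last_name):
        if name and name.lower() in lowered:  # assumption: case-insensitive
            problems.append(f"must not contain your name ({name})")
    if in_history(pw, list(history)):
        problems.append(f"must differ from the previous {HISTORY_DEPTH} passwords")
    return problems
```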
Helpful Tips
- Longer passwords, often called passphrases, can be created using a phrase or sentence that is easy for you to remember but difficult for others to guess.
- A short phrase made up of unrelated words or a memorable sentence is often easier to remember than a complex string of random characters, while still providing strong protection when it is long and unique.
Recommended Best Practices
- Your account is your responsibility. Do not share your password with others, including technicians. CUIT staff will never ask for your password.
- Avoid shared accounts where possible. Using your own account helps protect your access and reduces the risk of accidental or unauthorized activity.
- Never reuse passwords between accounts. Using the same password on multiple sites greatly increases your exposure if one of those sites is breached.
- Don’t use passphrases that contain personal information (such as your name, UNI, birthdays, pet names, phone numbers, or other public identifiers).
- Require an additional, unique passcode to open sensitive apps (for example, app-specific passcodes for banking and financial applications).
- Do not choose a password based on personal information that someone who knows you may be able to guess.
- Avoid predictable substitutions (for example, replacing letters with numbers or symbols); length and randomness provide stronger protection.
- Do not use your University Network ID (UNI), your name, or department name as your password.
- Do not use your University Network ID (UNI) and password for access to third-party systems (e.g., online shopping, newspapers, travel websites).
- Avoid typing passwords on untrusted networks or public Wi-Fi without a secure connection.
- Use authenticator apps (e.g., Duo Security, Microsoft Authenticator) or hardware tokens (e.g., YubiKey) for as many accounts as possible to add stronger MFA.
- Check whether your credentials have been compromised (e.g., https://haveibeenpwned.com) and prioritize changing passwords that have been exposed, especially on sensitive accounts.
- Strong passwords do not protect against phishing; always verify links, senders, and login pages before entering credentials.
- Keep your devices updated with the latest security patches, as compromised systems can expose even strong passwords.
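One way to run the credential check from the list above without ever sending the password itself: the Have I Been Pwned "Pwned Passwords" range API accepts only the first five hex characters of a SHA-1 hash and returns every matching suffix with a breach count. This is an added example, not CUIT's or HIBP's code; the sample response body is constructed here for offline use, and its counts are made up.

```python
import hashlib
import urllib.request

# Constructed sample of what a range query returns: "SUFFIX:COUNT" per line.
# The third line is the real SHA-1 suffix of the word "password"; the counts
# are invented for this example.
SAMPLE_RANGE_RESPONSE = """\
1D72CD07550416C216D8AD296BF5C0AE8E0:10
1E2AAA439972480CEC7F16C795BBB429372:1
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E8B4A5C0D2F7E1A9B3C6D5E4F2A1B0C9D8:2
"""


def split_for_range_query(password):
    """k-anonymity split: only the 5-char prefix leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix, range_response):
    """Scan a range response for our suffix; 0 means not in the corpus."""
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def check_against_response(password, range_response):
    """Offline check of a password against an already-fetched range body."""
    _, suffix = split_for_range_query(password)
    return breach_count(suffix, range_response)


def check_online(password):
    """Live lookup against the HIBP range endpoint (network access required)."""
    prefix, suffix = split_for_range_query(password)
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "password-hygiene-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = resp.read().decode("utf-8")
    return breach_count(suffix, body)
```

A non-zero count means the password has appeared in a public breach and should be changed wherever it is used; a zero count is not proof that it is safe.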
It’s important to use different passwords for different systems. Because memorizing many strong, unique passwords can be difficult, using a reputable password manager is often the most secure and practical option.
Password breaches happen every day at websites and companies around the world. If you reuse passwords and even one site is compromised, every other account using that password is at risk.
Modern password managers use strong encryption and are significantly safer than reusing passwords or writing passwords down.
A password manager is a personal, encrypted database of your passwords and the sites or accounts they belong to. This database is protected by its own master password and, in many cases, additional security features such as multi-factor authentication. Password managers also help generate strong, random passwords.
Columbia University does not support or offer a password manager, but if you find a need for one, this is a non-exhaustive list of options you might consider:
KeePass
Pricing: Free, open-source
Features: Local-only, strongly encrypted, portable database file. Clients for Windows, macOS, Linux, iOS, and Android are available.
LastPass
Pricing: Free and paid tiers
Features: Cloud-based encrypted manager with support for encrypted notes, file storage, and MFA. Browser extensions and mobile apps available. Includes password generation tools.
1Password
Pricing: 30-day free trial; paid tiers thereafter
Features: Locally stored database with optional cloud sync. Browser extensions and mobile apps available. Includes strong password generation and MFA support.
Dashlane
Pricing: Free and paid tiers
Features: Cloud-based encrypted database with support for additional data types such as credit cards. Supports MFA, browser extensions, and mobile apps. Includes password generation tools.
Protecting Your Passwords
Never share your password with anyone, not even a relative or colleague. If another person has your password, they can, for all computer purposes, be you. At Columbia, this could include sending an email as you, gaining access to sensitive financial or health information, and changing where your paycheck goes. This is considered a serious policy violation and is not a safe practice anywhere.
Memorize your primary account passwords. For other accounts, a password manager is often the safest option.
If you absolutely must write down a password, keep the note with you or in a locked file, and do not write down the corresponding ID.
