Skip to content Skip to navigation

SUNet ID Passwords

Introduction

One of the potentially weakest links in computer security is the individual password. Despite the University's efforts to keep hackers out of your personal files and away from Stanford-only resources (e.g., email, web files, licensed software), easily-guessed passwords are still a big problem.

Stanford implements a strict password checking system for SUNet IDs to combat this problem. Each time you open a new account or change (reset your password, the system will prevent you from setting a password that is easily cracked. 

In addition, Stanford now recommends "pass phrases" instead of passwords. Pass phrases are longer, but easier to remember than complex passwords, and if well-chosen can provide better protection against hackers.

People who work in organizations which are a part of the "Covered Entity" under HIPAA (Health Insurance Portability and Accountability Act) regulations are required to change their SUNet ID password every 6 months. Automated email notifications are sent to this population when it's time to set a new password.

Password rules

Stanford's password rules, based on password length, are:

  • 8-11: mixed case letters, numbers, & symbols
  • 12-15: mixed case letters & numbers
  • 16-19: mixed case letters
  • 20+: no restrictions
  • It must not be equal to your current password, previous passwords, SUNet ID, or password reset answer
  • It must not be a single word that appears in the dictionary (English or non-English)
  • It must be composed only of characters in the Roman alphabet, numbers, or symbols on the US keyboard. Examples include characters such as # $ % ! @.

Consider using four or more unrelated words with mixed capitalization, separated by punctuation or spaces. If you have trouble remembering a longer password, write it down on a piece of paper, put the paper in your wallet, and use the same caution with it as you would with a credit card.

Creating a pass phrase

A pass phrase is basically just a series of words, which can include spaces, that you employ instead of a single pass "word." Pass phrases should be at least 16 to 25 characters in length (spaces count as characters), but no less. Longer is better because, though pass phrases look simple, the increased length provides so many possible permutations that a standard password-cracking program will not be effective. It is always a good thing to disguise that simplicity by throwing in elements of weirdness, nonsense, or randomness. Here, for example, are a couple pass phrase candidates:

  • pizza with crispy spaniels
  • mangled persimmon therapy

Punctuate and capitalize your phrase:

  • Pizza with crispy Spaniels!
  • mangled Persimmon Therapy?

Toss in a few numbers or symbols from the top row of the keyboard, plus some deliberately misspelled words, and you'll create an almost unguessable key to your account:

  • Pizza w/ 6 krispy Spaniels!
  • mangl3d Persimmon Th3rapy?

How to change or reset your password

Stanford's computing infrastructure offers different methods for changing your password or retrieving a lt password.

Change your password through the Accounts page

  1. Point your browser to accounts.stanford.edu.
  2. If prompted, enter your credentials in the Network Identity Manager or on the WebLogin page.
  3. On the Accounts page, click Manage.
  4. Click Change password.
  5. Type your current password in the Current Password field.
  6. Type your new password in the New Password field.
  7. Type your new password again in the Re-enter New Password field.
  8. Click Save.
  9. For security purposes, quit your browser completely.

Change your password through the StanfordYou page

  1. Point your browser to stanfordyou.stanford.edu.
  2. If the WebLogin page opens, enter your SUNet ID and Password and click Login.
  3. Click Change your SUNet ID password. The Stanford Accounts page opens.
  4. Type your current password in the Current Password field.
  5. Type your new password in the New Password field.
  6. Type your new password again in the Re-enter New Password field.
  7. Click Save.
  8. For security purposes, quit your browser completely.

Change your password through the WebLogin Password Change page

  1. Point your browser to weblogin.stanford.edu/pwchange.
  2. Type your SUNet ID in the SUNet ID field.
  3. Type your current password in the Enter your current password field.
  4. Type your new password in the Enter the new password you want field.
  5. Type your new password again in the Enter it again field.
  6. Click Change Password.
  7. For security purposes, quit your browser completely.

Change your password using the command line

  1. Log on to any Unix workstation.
  2. After logging on, type kpasswd sunetid@stanford.edu at the system prompt.
  3. Enter your old (current) password when prompted.
  4. Enter your new (proposed) password when prompted.

Reset your forgotten password

If you have forgotten your SUNet ID password, you can reset it. This is not the same as changing your password (above). This procedure is for when you have a SUNet ID, but you don't remember your password. You will need your SUNet ID, University ID number, Social Security number, and the answer to your "personal fact" question.

  1. Point your browser to accounts.stanford.edu.
  2. On the Accounts page, click Forgot Password?
  3. On the Enter your SUNet ID page, type your SUNet ID. Click Continue.
  4. On the Verify Identity page, enter your personal information: last name, University ID number, last four digits of your Social Security Number, date of birth, and the answer to your password reset question. Click Continue.
    Note: If you cannot provide all of the requested information, click Cancel and then submit a HelpSU request or call 650-725-4357 (5-HELP).
  5. On the Choose your password page, type and confirm your new password. Click Continue. Your password has been changed.
  6. For security purposes, quit your browser completely.

What the system looks for

Dictionary words

The password-checking system screens all passwords against its own large dictionary of over 63 million English and non-English common words, common passwords, passwords that have been leaked by various compromises, and other passwords that attackers may be able to guess.

Last modified October 17, 2016