Password FAQ

How do I change my password?

Go to

Why are there length and complexity rules for passwords?

For rules and examples, go to:

For details, read on below.

The tools now available to people who may try to break into our systems by defeating user passwords make it possible to defeat passwords that are too simple or too short with a minimal investment of time and/or money. Having a 15 character passphrase provides sufficient complexity due to length; if you choose a shorter password, we enforce more complexity to ensure security. [Technical explanation]

Because all Carleton passwords protect confidential academic, personal, and/or financial data, we must maintain an appropriate level of security for these passwords. Requiring either a 15 character passphrase, or a shorter, more complex password, provides a necessary minimal level of protection.

Why do I have to use the password changing page for all future changes?

When you change your password with the password changing page, it actually performs a couple of different steps to make sure that you have access to all network resources with the same password. If you change your password using some other mechanism, all of those steps won't get done, and you'll lose access to something; for instance, you might still be able to get your mail, but not get to your network folders. If you forget and use the wrong tool to change your password, just come to the password page and change it again.

Why does my password expire?

As more and more services are available through your account, the security of your password becomes more critical. For faculty and staff, someone with your password could modify student grades or alter budgets, or masquerade as you in a variety of different contexts. For students, your password gives access to all of your academic work and records, personal information, and everything else you do online. Clearly, you don't want anyone else to have your password

If someone does learn your password, you want to minimize the damage they can do. That's where expirations become important. If your password never expired, someone could secretly use your account for years without being discovered. By requiring you to change your password once a year, we balance the need for security with a high level of usability.

How can I choose secure passwords that I can remember?

The easiest way to choose a memorable password is to pick a short phrase or three or more words whose letters total 15 or more. Leave out the spaces between words, and you have something that's easy to remember and comfortable to type.

For more information on good and bad passwords, see the Password Tips page.

What do I do if I forget my password?

Your computing support provider can change your password, given appropriate proof of identity.

You can also define a set of challenge questions that you can use to reset a lost password on a self-service basis. You answer a series of questions now, and if you forget your password, those answers are used to verify your identity so that you can choose a new password.

Note: Staff in administrative departments that have access to sensitive information may not be able to use this service.

Define your challenge questions

Answer questions to reset a password

Why are you so worried about secure passwords? We haven't had any problems with passwords before, have we?

As explained above, your password protects sensitive information about you, other individuals at the College, and institutional processes and resources. With your username and password, anyone can look up personal information about you that you probably do not want to share. For example, many of our employees can see confidential information stored about them in our payroll database, such as birth date and Social Security Number. Students with work contracts can see bank account information associated with their paychecks. And some jobs on campus require access to confidential information for other Carleton community members.

ITS does not routinely publicize information about security breaches, but yes, we have had incidents caused by poor password security, and we believe it is important to do what we can to prevent such problems, and to update our password procedures as needed to guard against new threats.

May I let my email program and my browser save my password for me?

Please do not save your Carleton password in programs such as email or your browser. Many users who do this have significant problems when they change their passwords: the programs lock them out of their accounts by retrying their old password too many times. Even worse, if your computer ever got a virus or some spyware, your saved passwords are available to those programs too. If a browser can retrieve your saved password without your help, so can a virus.

In many circumstances, it is probably OK to have your browser save some of your passwords. You may not be exposed to much risk by storing your Yahoo! mail or NY Times online subscription passwords in your browser. Just consider all of the information being protected by a password before having it stored by a program.