Changing Your Password
Your password can be set or changed on any of the CAC login nodes. The password will be updated on all CAC resources. After you set or change your password, additional steps must be taken for batch and for using MPI. Passwords expire every six months. Do not share your password.
Rules for Creating Passwords
Do not share your password. Each user should be the only one to know the password for his or her account. Well-chosen passwords are essential to preserve the integrity of the system and individual user accounts. Never leave your password in plain text (unencrypted) in any of your files. Passwords stored in this way are easily stolen.
When you change your password, the new password must comply with our password complexity policy:
- Each password must have at least eight characters.
- Each password must contain at least three of the following four elements among its first eight characters:
  - uppercase letters (English, A through Z)
  - lowercase letters (English, a through z)
  - special characters (for example, !, $, #, %)
  - digits (0 through 9)
- Do not use a space in a password. A space will cause the command used to register your password with the batch system to fail and you will not be able to run batch jobs.
- Do not form a password by appending a digit to a word--this type of password is easily guessed.
- Each password must differ from the user's login name and any permutation of that login name. For comparison purposes, an upper case letter and its corresponding lower case letter are equivalent.
- New passwords should differ from the old by at least three characters.
If you need additional ideas for creating a new password, please see http://online.securityfocus.com/infocus/1554/. Items 2, 4 and 8 are useful tips for creating strong passwords.
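A checker for the rules listed above, as an added example that is not CAC's own code. It assumes that any ASCII punctuation counts as a special character, approximates "a word with a digit appended" as letters followed by one digit, and counts "differ by at least three characters" position by position; the function names and sample values are hypothetical.

```python
import re
import string

SPECIALS = set(string.punctuation)  # assumption: any ASCII punctuation is "special"

def char_classes(s):
    """Return the set of character classes (of the four in the policy) found in s."""
    classes = set()
    for ch in s:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif ch in SPECIALS:
            classes.add("special")
    return classes

def differing_chars(old, new):
    """Assumed metric: positions that differ, plus any difference in length."""
    return sum(a != b for a, b in zip(old, new)) + abs(len(old) - len(new))

def check_password(new, login, old=None):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(new) < 8:
        problems.append("shorter than eight characters")
    # The policy counts classes only among the FIRST eight characters.
    if len(char_classes(new[:8])) < 3:
        problems.append("fewer than three character classes in the first eight characters")
    if " " in new:
        problems.append("contains a space")
    if re.fullmatch(r"[A-Za-z]+[0-9]", new):  # approximation of "word + digit"
        problems.append("a word with a digit appended")
    # Case-insensitive comparison against the login name and all its permutations.
    if sorted(new.lower()) == sorted(login.lower()):
        problems.append("login name or a permutation of it")
    if old is not None and differing_chars(old, new) < 3:
        problems.append("differs from the old password by fewer than three characters")
    return problems

if __name__ == "__main__":
    # Constructed sample values, not real accounts or passwords.
    for candidate in ("Tr1ck-y#Pw", "longpassphrase9!", "Password7", "Tr1ck y#Pw"):
        print(repr(candidate), check_password(candidate, login="jdoe"))
```

A long password whose digits and punctuation all come after the eighth character is reported as failing the character-class rule, which is the case most easily missed when reading the policy.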
Changing a Password at First Login
When you are issued a login id, you should first log on to a CAC login node
(winlogin1.tc.cornell.edu, winlogin2, linuxlogin1.tc.cornell.edu, or linuxlogin2).
You will be prompted to change your password. Refer to the Rules for Creating Passwords.
After you change your password, you will be logged in.
See the Linux Example or the Windows Example.
If you plan to use the batch system or MPI, follow the instructions associated with After Changing a Password.
Note for Windows: If you use SSH to log in to the Windows login nodes, you will not be prompted to change a password that is new
or expired. To see these messages on Windows, you must use a Remote Desktop Connection (Terminal Services Client).
Changing a Password After it Expires
Your password will expire after six months or 185 days. About a week before your password expires, you will be asked if you want to change it. You can do it then or wait until it expires. If your password has expired, you will be prompted to change it, consistent with the Rules for Creating Passwords.
Be sure that you have no other open connections to any CAC resources:
- The only open interactive session should be the one in which you are changing the password. Failure to do so will lead to the system locking your account. Disconnecting is not enough.
- Log off all other sessions connected to login nodes.
- Log off all remote connections to other CAC machines.
- Disconnect locally mapped drives to the CAC file server. If you do not do this, the system will automatically lock your account.
After you change your password, you will be logged in.
See the Linux Example or the Windows Example.
If you plan to use the batch system or MPI, follow the instructions associated with After Changing a Password.
Changing a Password at Any Time
You can change your CAC password before it expires. You will want to do so if you feel that your password
has been compromised in any way. For example, you may think that someone else knows your password,
or you may be concerned that you entered your password in a nonsecure setting that would have sent it in clear text.
Log in to one of the CAC Login nodes using Remote Desktop Connection (Terminal Services Client) for winlogin1 or winlogin2 or an SSH
client for linuxlogin1 or linuxlogin2. Be sure that you have no other open connections to any CAC resources as discussed in the previous section.
Windows: Issue the following key sequence, in order, holding down all keys until the sequence is complete: Ctrl+Alt+Delete. This will bring up a Windows Security screen. Select Change Password... and follow the instructions.
Linux: Issue the command passwd and follow the instructions.
After you change your password, you will be logged in.
If you plan to use the batch system or MPI, follow the instructions associated with After Changing a Password.
After Changing a Password
Windows: After each password change:
- Register your password with the batch system by issuing vsched -pa from winlogin1 or winlogin2.
- Register your MPI/Pro password by issuing mpipasswd from winlogin1 or winlogin2, which creates an encrypted file required by MPI/Pro.
Linux: After each password change:
Note: If your password expires or is changed during a batch run, startup of MPI processes will fail if these steps are not completed.
Password Expiration Date
To see when your password expires:
Windows: Open a command prompt window on a login node, then issue the command
net user <your login id> /domain
and look for the line "Password expires".
Linux: There is no equivalent on the Linux login nodes.
Locked Accounts
There have been instances in which user accounts have been locked. Some common causes of locked accounts and the solutions are:
- Mistyping your password several times in a row.
  Solution: Wait about 1/2 hour and then try again. Be sure that your Caps Lock key is not on!
- Trying to log in to a Windows login node by using SSH when you have a new or expired password.
  Solution: Log in to a Windows login node using Remote Desktop Connection, or SSH to a Linux login node.
- Failing to log off all other sessions connected to login nodes.
  Solution: Log off all remote connections. Disconnecting the sessions is not enough.
- Failing to disconnect locally mapped drives to the CAC file server before changing your password.
  Solution: Disconnect all locally mapped drives, wait 1/2 hour until the account is unlocked, and then re-map the drive with the new password.
If you can't log on or can't wait: Send email to help.
Linux Example
Assume that you have an old password, 0ldpassw0rd!! and a new password, newpassw0rd!!. Here is what should happen:
ssh your_username@linuxlogin2.tc.cornell.edu
Password: (ENTER 0ldpassw0rd!!)
WARNING: Your password has expired.
You must change your password now and login again!
Changing password for user your_username.
Kerberos 5 Password: (ENTER 0ldpassw0rd!!)
New UNIX password: (ENTER newpassw0rd!!)
Retype new UNIX password: (ENTER newpassw0rd!!)
passwd: all authentication tokens updated successfully.
Connection to linuxlogin2 closed.
If you get a token error, it very likely means that the new password is not complex enough. Your password must be 8 characters or longer and mix any three of the following: lower case letters, upper case letters, numbers, and some sort of punctuation. The full policy is slightly more complex (for example, do not use your user name or previous password); see Rules for Creating Passwords above.
If you have additional trouble, you can use rdesktop or the Remote Desktop client to connect to the Windows login nodes, winlogin1.tc.cornell.edu or winlogin2.tc.cornell.edu. They give better information about password complexity issues during the password change.
Windows Example
Assume that you have an old password, 0ldpassw0rd!! and a new password, newpassw0rd!!. Here is what should happen:
Use Remote Desktop Connection or a Terminal Services client to connect to winlogin1.tc.cornell.edu (or winlogin2). If this is your first login,
you will be prompted to change your password. If it is not your first login, choose
Start | Windows Security | Change Password
Then in the interface, enter:
Old Password: 0ldpassw0rd!!
New Password: newpassw0rd!!
Confirm New Password: newpassw0rd!!
Help
Please contact the CAC consultants via email.