Password Best Practices and Standards | Information Technology | University of Pittsburgh
Password Best Practices and Standards

Protect Your Password

Your University Computing Account username and password are your key to accessing a wide range of resources at Pitt. For faculty and staff, these resources include sensitive information such as your Pitt Worx pay statements, benefits open enrollment, TIAA-CREF retirement account details, and UPMC health plan information. In addition, your University Computing Account has access to other data that is regulated by the Family Educational Rights and Privacy Act (FERPA) and Gramm-Leach-Bliley (GLB) Act. You should never share your password with anyone, for any reason. By protecting your password, you also protect the important resources and data to which your password grants you access.

Pitt Information Technology uses a robust array of sophisticated security tools to protect University information. However, everyone affiliated with Pitt shares in the critical responsibility of protecting the University’s computing environment. It is against University policies 10-02-05 and 10-02-06, and security best practices, to share your username and password with anyone. If you need to delegate responsibility for password-protected functions to another person, please call the 24/7 IT Help Desk at 412-624-HELP (4357) to request assistance. Most of our enterprise services support this type of delegation.

Keep in mind these important password tips: 

  • Create a strong password that combines eight to 14 letters, numbers, and special characters – in general, the longer the better!
  • Be sure to log out when you have finished using the My Pitt website or other computing resources that require you to log in with your password. It is also recommended that you close all browser windows and completely exit your web browser program when you have finished using the service.
  • Change your password regularly. Students, faculty, and staff are required to change their University Computing Account password at least every 180 days.
  • Remember that no one from any reputable organization, including the University of Pittsburgh, will ever ask you to divulge your password over the phone or in an email. If you are asked for your password in an email or over the phone, this is usually a sure sign of a phishing scam.
  • Scan your computer regularly with Antivirus and Anti-Malware (Malwarebytes) since some viruses and spyware programs can collect and transmit your account information.
  • If you have not already done so, set your Password Security Questions at the Accounts Self-Service page.

The following table illustrates the time it would take a hacker to brute-force crack your password for different types of characters as well as character count:

Time It Takes A Hacker To Brute Force Your Password

Columns: (A) numbers only; (B) lowercase letters; (C) upper and lowercase letters; (D) numbers, upper and lowercase letters; (E) numbers, upper and lowercase letters, symbols. Suffixes: k = thousand, m = million, bn = billion, tn = trillion, qd = quadrillion.

Characters  (A)         (B)         (C)          (D)          (E)
4           Instantly   Instantly   Instantly    Instantly    Instantly
5           Instantly   Instantly   Instantly    Instantly    Instantly
6           Instantly   Instantly   Instantly    1 sec        5 secs
7           Instantly   Instantly   25 secs      1 min        6 mins
8           Instantly   5 secs      22 mins      1 hour       8 hours
9           Instantly   2 mins      19 hours     3 days       3 weeks
10          Instantly   58 mins     1 month      7 months     5 years
11          2 secs      1 day       5 years      41 years     400 years
12          25 secs     3 weeks     300 years    2k years     34k years
13          4 mins      1 year      16k years    100k years   2m years
14          41 mins     51 years    800k years   9m years     200m years
15          6 hours     1k years    43m years    600m years   15bn years
16          2 days      34k years   2bn years    37bn years   1tn years
17          4 weeks     800k years  100bn years  2tn years    93tn years
18          9 months    23m years   6tn years    100tn years  7qd years

View the original image from which this table was created at Hive Systems. Data sourced from HowSecureismyPassword.net.
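The times in the table all come from one piece of arithmetic: a password of n characters drawn from an alphabet of k characters is one of k^n possibilities, and a brute-force search tries them in turn, so the search time is k^n divided by the guessing rate. The Python below is an added example, not code from this page or from Pitt IT, that works through that arithmetic for the table's five alphabets. The 95-character symbol set and the assumed rate of 10 billion guesses per second are assumptions (the page does not state which values its source used), so the absolute times differ from the table while the scaling with length and alphabet size matches it.

```python
import math

# Alphabet sizes behind the table's five columns. The symbol count (95 printable
# ASCII characters) is an assumption; the page does not say which set its source used.
CHARSETS = {
    "numbers only": 10,
    "lowercase letters": 26,
    "upper and lowercase letters": 52,
    "numbers, upper and lowercase letters": 62,
    "numbers, upper and lowercase letters, symbols": 95,
}

# Assumed guessing rate for the worked estimate. The page does not state the rate its
# source used, so absolute times here differ from the table; the scaling is the point.
GUESSES_PER_SECOND = 10_000_000_000


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters over the alphabet."""
    return alphabet_size ** length


def seconds_to_exhaust(alphabet_size: int, length: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password of this shape at `rate` guesses per second."""
    return keyspace(alphabet_size, length) / rate


def humanize(seconds: float) -> str:
    """Render a duration the way the table does: coarse units, 'instantly' under a second."""
    if seconds < 1:
        return "instantly"
    units = (("years", 365 * 86400), ("weeks", 7 * 86400), ("days", 86400),
             ("hours", 3600), ("minutes", 60), ("seconds", 1))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.1f} seconds"


def length_for_parity(small_alphabet: int, large_alphabet: int, length: int) -> int:
    """Shortest password over the smaller alphabet whose keyspace is at least that of
    `length` characters over the larger alphabet (solve small^n >= large^length for n)."""
    return math.ceil(length * math.log(large_alphabet) / math.log(small_alphabet))


if __name__ == "__main__":
    # One row per alphabet, at 8, 12 and 16 characters, like a slice of the table
    for name, size in CHARSETS.items():
        row = "  ".join(humanize(seconds_to_exhaust(size, n)) for n in (8, 12, 16))
        print(f"{name:<48} {row}")
    # The page's "the longer the better" tip in numbers: how many lowercase letters
    # give at least the keyspace of 8 characters drawn from all 95?
    print("lowercase length matching 8 full-alphabet characters:", length_for_parity(26, 95, 8))
```

Running it shows why the page's own tip favours length over character variety: twelve lowercase letters give a larger keyspace than eight characters drawn from the full alphabet, which is the "3 weeks" versus "8 hours" contrast in the table above.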

Additional Password Information

All University students, faculty, and staff are required to change their University Computing Account password twice per year via the Accounts Self-Service page.

This important requirement enhances security and helps protect your data. It is one part of a larger, layered security strategy. Multiple security measures protect against hackers, phishing scams, malicious software, and myriad other threats to the University's computing environment.

Here is how the process works. You will be required to change your University Computing Account password at least once every 180 days. As you approach the 180-day limit for your current password, you will see Password Update and Security Questions windows. They will appear each time you log in to My Pitt, indicating how many days you have remaining to change your password. This information must be updated as requested by following the instructions on each page, or you could potentially be unable to access select services until this information is complete. The password cannot be re-used within a year, and you cannot reuse any of your previous six passwords.

Frequently Asked Questions

Why am I required to change my password?

Your University Computing Account gives you access to many computing services at Pitt, including email, the Learning Management System (Canvas), and My Pitt. These systems may contain personal and sensitive information about you. Increasingly, malicious software and other methods such as "phishing" are being used to try to obtain your password. If someone acquires your password, they will gain unauthorized access to your computing account and University resources. Periodic password changes will help to safeguard your account.

How does the password change wizard work?

When you click the link in the yellow notification box, you will be asked to complete the following steps:

  1. Review your Emergency Notification Service (ENS) contact details and modify them if necessary.
  2. Review and, if necessary, modify your emergency contact information (students only).
  3. Review the three security questions you can use to reset your password online if you forget it. If you have never set your security questions, you will be required to do so before proceeding.
  4. Change your password.

Do I have to wait for the notification message to display before I can change my password?

No. You can change your password at any time. Log in to the Accounts Self-Service page to manage your password and security questions.

Keep in mind that if you change your password today, you can avoid seeing the notification message for another 180 days.

How do I pick a strong password?

The following requirements have been put in place to help you choose a strong password:

  • Your new password must be eight to 14 characters long
  • Your new password must consist of some combination of letters and numbers and must also contain at least one special character (for example, +, @, #, or $)
  • The following special characters can NOT be used: _ ` < > & ! . ,
  • You cannot use your name, username, or any portion of these as your password
  • You cannot reuse the same password within a year, and you cannot reuse any of your previous six passwords

In addition, keep in mind that passwords that contain only letters and dictionary words are easier for someone to guess or for computer programs to decipher.
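The requirements listed above, together with the reuse rule stated earlier on this page (no password used within the past year, and none of your previous six), can be checked mechanically before a new password is accepted. The Python below is an added example, not Pitt's own code, that does so. The function names (`check_password`, `record`, `sample_history`), the four-character threshold for what counts as a "portion" of your name or username, the PBKDF2 work factor and the sample password history are all assumptions made here for illustration; the page defines none of them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Rules taken from the page
MIN_LEN, MAX_LEN = 8, 14
FORBIDDEN = set("_`<>&!.,")           # special characters the page says cannot be used
HISTORY_DEPTH = 6                     # none of the previous six passwords may be reused
REUSE_WINDOW = timedelta(days=365)    # nor any password used within the past year

# Assumption: a run of this many consecutive characters taken from the name or
# username counts as "a portion" of it. The page does not define the threshold.
PORTION_LEN = 4

# Assumed work factor; the page says nothing about how passwords are stored.
PBKDF2_ROUNDS = 100_000


@dataclass(frozen=True)
class HistoryEntry:
    """One previously used password, kept only as a salted PBKDF2 digest."""
    salt: bytes
    digest: bytes
    set_at: datetime


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def record(password: str, set_at: datetime) -> HistoryEntry:
    """Create the history entry that would be stored when a password is set."""
    salt = os.urandom(16)
    return HistoryEntry(salt, derive(password, salt), set_at)


def reuses_previous(password: str, history: list, now: datetime) -> bool:
    """True if the candidate equals one of the last six passwords or any set within a year."""
    recent_first = sorted(history, key=lambda e: e.set_at, reverse=True)
    for rank, entry in enumerate(recent_first):
        guarded = rank < HISTORY_DEPTH or now - entry.set_at < REUSE_WINDOW
        if guarded and hmac.compare_digest(derive(password, entry.salt), entry.digest):
            return True
    return False


def contains_identity(password: str, username: str, full_name: str) -> bool:
    """Reject the username, any word of the name, or any PORTION_LEN-character run of them."""
    lowered = password.lower()
    tokens = [t.lower() for t in (username, *full_name.split()) if t]
    if any(t in lowered for t in tokens):
        return True
    windows = (lowered[i:i + PORTION_LEN] for i in range(len(lowered) - PORTION_LEN + 1))
    return any(w in t for w in windows for t in tokens)


def check_password(password: str, username: str, full_name: str,
                   history: list, now: datetime = None) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"must be {MIN_LEN} to {MAX_LEN} characters long")
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("must combine letters and numbers")
    if not any(not c.isalnum() for c in password):
        problems.append("must contain at least one special character")
    disallowed = sorted(set(password) & FORBIDDEN)
    if disallowed:
        problems.append("uses characters that are not allowed: " + " ".join(disallowed))
    if contains_identity(password, username, full_name):
        problems.append("must not contain your name or username, or a portion of them")
    if reuses_previous(password, history, now):
        problems.append("was used within the past year or is one of your previous six passwords")
    return problems


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # fixed clock for the sample run


def sample_history(now: datetime = NOW) -> list:
    """Constructed sample: seven earlier passwords set 60, 120, ..., 420 days before `now`."""
    return [record(f"Old+Pass{i}", now - timedelta(days=60 * (i + 1))) for i in range(7)]


if __name__ == "__main__":
    hist = sample_history()
    for candidate in ("Tr@ck4Swim", "jane+Doe1", "Ab1!cdefg", "Old+Pass0", "Old+Pass6"):
        print(candidate, "->", check_password(candidate, "jdoe", "Jane Doe", hist, NOW) or "ok")
```

The reuse check never keeps old passwords in clear text: each history entry holds only a random salt and a PBKDF2 digest, and a candidate is tested by re-deriving it with the stored salt and comparing in constant time. In the sample run, "Old+Pass0" is refused because it is the most recent previous password, while "Old+Pass6" is accepted because it is both older than a year and outside the last six.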

Tips for creating a strong password (video)

How can I keep track of my different passwords?

Try a password manager like Pitt Password Manager (LastPass). Pitt Password Manager makes it easy to generate strong, unique passwords for every service you use, helping to protect your Pitt-related services, as well as your personal services.

It's important to use different passwords for your digital accounts. Your University Computing Account password, online banking passwords, and social media passwords should all be different. With so many passwords, it can be easy to forget them or mix them up along the way. Pitt Password Manager simplifies your online life by saving your passwords in a secure vault that you can access from any device, using a single, strong master password. You no longer have to remember unique passwords for every site you visit. Pitt Password Manager remembers them for you. 

Business accounts are recommended for storing and sharing your University-related passwords and information. Premium accounts are recommended for storing your personal passwords and information. You can link your Premium account to your Business account so that you can easily manage all of your passwords from one convenient interface.

What happens if I do not change my password before it expires?

If you do not change your password before that password expires, when you log in to My Pitt you will only see the password change wizard. As soon as you change your password, you will be able to use My Pitt normally again.

I'm having difficulty connecting to my email and to the network from my mobile phone after changing my password. What should I do?

It is possible that your phone has stored your previous password locally. You will need to update the old password that is stored on your phone so that it matches your new University Computing Account password.

I'm having difficulty connecting to PittNet Wi-Fi after changing my password. What should I do?

If you have difficulty connecting to PittNet Wi-Fi after changing your password, please follow the standard connection instructions. If you still cannot connect to PittNet Wi-Fi, contact the 24/7 IT Help Desk at 412-624-HELP (4357).

Will people with sponsored accounts be required to change their password every 180 days?

Yes. Anyone with a sponsored account will also be required to change his or her password at My Pitt every 180 days. Those with sponsored accounts will not be prompted to enter ENS information during the password change wizard.

It is strongly suggested that you change your password as soon as you receive your University Computing Account. You can do this at the Accounts Self-Service page.

Your new password:

  • Should consist of some combination of letters and numbers, and must include at least one special character (for example, +, @, #, or $)
  • Should not use your name, your username, or a portion of these
  • Cannot be a password you have used within the past year, or any of your previous six passwords

Setting Your Security Questions

If you haven't already done so, be sure to select the three security questions and answers. They will be used to confirm your identity in the event you forget your password.

  1. Log in to the Accounts Self-Service page.
  2. Change your password under the "Login & Security" tab.
  3. Update your security questions under the same "Login & Security" tab (under the "Update Security Questions" secondary tab).

Once you have set your security questions, you do not need to change them the next time that you change your password.

Note: To enhance security and protect data, students will be required to change their University Computing Account password twice per year at the Accounts Self-Service page. A prompt will appear on My Pitt when it is time for you to change your password.

If you have difficulty connecting to PittNet Wi-Fi after changing your password, please follow the standard connection instructions.

Reset Your Password if You Forget It

Students, faculty, and staff who forget their University Computing Account password can use the Self-Service Password Reset Service to reset their password online quickly and securely. You must select and answer three online security questions before you can use the Self-Service Password Reset Service. If you forget your password, you will be prompted to answer these security questions in order to verify your identity. If you forget your password and have not set your security questions, you will need to visit a Student Computing Lab to have your password reset.

There are several ways you can reset your password if you forget it:

A. Reset Your Password: You Have Your Security Questions

Note: If you haven't already set your password security questions, you will need to use one of the methods below.

  1. Click the Forgot password? link on the login page of My Pitt.

  2. Enter your University Computing Account username and date of birth. Click Next.
  3. Answer your three security questions and click Next.
  4. Enter and confirm your new password, then click Submit.

Your password has been successfully reset.

B. Reset Your Password: You Do Not Have Your Security Questions

  1. Contact the 24/7 IT Help Desk by submitting an online request or calling 412-624-HELP (4357). The 24/7 IT Help Desk will ask specific questions to confirm your identity and will give you a new password over the phone only if you can answer these questions.
    or
  2. Pittsburgh campus only: Stop at a Student Computing Lab with a government-issued ID, such as a driver's license or passport. The lab monitor will verify your identity and call the 24/7 IT Help Desk at 412-624-HELP (4357), which will give you a new password over the phone.

Important Notes about Resetting Your Password

  • If you call the 24/7 IT Help Desk, then your password will only be given to you by phone. It will not be sent by any electronic means (for example, email, instant message, or text message).
  • After your password has been reset, you should immediately change it. Access the "Login & Security" section of the Accounts Self-Service page using your University Computing Account username and the password you were given.
  • Once logged in, follow the instructions on the page to manage your password and security questions. You will be prompted to select and answer three password security questions that will enable you to reset your password online.

Resetting Passwords for Sponsored Accounts

If you have a sponsored account, you must ask your Responsibility Center Account Administrator or the account sponsor to contact the 24/7 IT Help Desk on your behalf. The 24/7 IT Help Desk will ask specific questions to verify the identity of the Responsibility Center Account Administrator or account sponsor. Then they will provide a new password to them over the phone. The Responsibility Center Account Administrator or account sponsor will then distribute the new password to you.