Your NetID's password is the key to all the services your NetID can unlock. Having a strong password is essential to maintaining NetID account security. So, what makes a strong password? Three things: password length, differing character sets, and complexity.

The longer the password, the more difficult it will be to crack. UVM NetID passwords are required to be at least 12 characters long, but longer is better.
The more character sets used, the more secure the password. Different character sets include:

• upper case letters (A B C D)
• lower case letters (a b c d)
• numbers (1 2 3 4)
• punctuation or other symbols (! @ # $)

UVM NetID passwords require at least two different character sets, but more is better.

The more complex a password is, the more difficult to guess. Complex passwords are:

• not based on words found in the dictionary, in any language
• not words spelled backwards, common misspellings or abbreviations
• not sequences (12345678) or repeated characters (22222222)
• not common mathematic sequences and series like Fibonacci numbers, Pi, or prime numbers
• not keyboard layout sequences (QWERTYPOIU, qazwsxedc or similar)
• not dates like birthdays or anniversaries
• not personal information like names of friends, relatives, pets or children
• not another unique identifier like your Social Security Number, student ID number, bank PIN, driver's license number or passport number

An ideal password is one that is easy for you to remember, impossible for a human to guess, and more difficult for a computer to crack.

Phishing scams are a method of social engineering to get you to willingly divulge personal information like bank account numbers, credit card numbers and passwords. These scams often come in the form of an email pretending to be your bank, a credit bureau, or a UVM department or support team and ask you to "verify" or otherwise provide your account information. For more information on identifying phishing scams, check out our UVM Phishbowl.

UVM will never ask you to disclose your NetID password. Any email or message that asks you to provide your password in a non-login capacity is likely to be fraudulent.

ETS doesn’t license or endorse a particular password manager product or architecture, but we do think they're a great idea.

Password managers are primarily useful because they enable and encourage you to create strong, unique passwords without the burden of remembering them (or keeping them on a sticky note on their monitors). This is of special importance at UVM because a common source of security incidents is password reuse. People are extremely likely to reuse the same password in multiple places, including their NetID password, and often use their UVM email address as a username on 3rd party applications or websites. While we strongly discourage this practice, we know that it is common.

In 2018, a breach of a username/password database at a 3rd party tutoring and textbook resale website resulted in hundreds of compromised UVM NetIDs because students had signed up for the service with their UVM email address and used the same password as they did for their NetID – the attackers simply tested the passwords exposed in the breach against uvm.edu services because the username contained our domain.

By generating strong passwords and making it easier to use them in your browser than it is to remember them all, a password manager can help counter the temptation of easily cracked passwords and password reuse. Here are a few things to keep in mind when selecting one:

• Some password managers (such as LastPass) store your password vault in the cloud. It can be difficult to stay informed about the security of cloud services, but recent attention to these products has improved their security;
• Some password manages (such as KeePass) can be used to store the vault locally, which can provide some assurance about the security of your vault;
• In either case, be sure to use a strong master password, and only use the service if the master password recovery system utilizes multifactor authentication;
• A password manager’s browser plugin is fine to use, but avoid storing your passwords in the built-in password keeper that comes with many browsers;
• Be sure to use your password manager’s password generator function to create strong, unique passwords for each account; and
• NEVER use your NetID password for any other service, even if the username is not directly tied to a uvm.edu address.

Allowing others to know your password or use it to access UVM services compromises your NetID account and all the services it is used to access. Anyone who knows your password can log in to your class registration and transcripts, financial records, Blackboard course work, email and NetID account settings, all things to which only you should have access.

Similarly, you should never use your NetID credentials as login information to other non-UVM websites or services, such as Facebook, Google/GMail, Apple iCloud, Netflix, online banking, or any other of the thousands of online entities that require registration and login. Should these services becomes hacked or otherwise compromised, your NetID information becomes exposed and vulnerable.

UVM will never ask you to disclose your NetID password. Any email or message that asks you to provide your password in a non-login capacity is likely to be fraudulent. It is a violation of UVM's Computer and Network Use policy (PDF, Section 1.b) to disclose your password, and doing so may result in disciplinary action.

It may be tempting to use your NetID and password on a visiting friend or relative's computer so they can use UVM's Wi-Fi network, but allowing others to use the services of your NetID account (even if you didn't share the password) is a violation of UVM's Computer and Network Use Policy (PDF, Section 1.d).

See our Knowedge Base Article, UVM Guest Accounts, to learn how to sponsor a temporary guest account for your visitor to let friends and family use UVM's Wi-Fi network.