Compromised Password FAQ

What action do I need to take if I received a notification that my password is compromised?

Please note: if you have reason to believe your password has been compromised, never click a link within an email to update it. Instead, navigate to a trusted site by entering the URL directly into your internet browser.

To be proactive and avoid an automated reset, you should visit UConn’s NetID website to change your password. NetID.uconn.edu is the University’s official website for updating your password and managing your digital identity.

Is my account compromised?

A password from a known compromised password list doesn’t necessarily mean that your account has been compromised; however, it increases the likelihood that an account compromise could take place. If you have any reason to believe that someone other than yourself has at any time gained access to your account, please contact techsupport@uconn.edu or 860-486-4357.

How does ITS know my password is on a compromised list?

NetID passwords are stored securely, which means that your password is generally not known to ITS. However, ITS has obtained a list of known compromised passwords from a reliable source. We use a method to match encrypted compromised passwords with our UConn encrypted passwords. Matches are considered compromised.

Why does this matter?

Cybercriminals obtain compromised password lists too, and use brute-force attacks and other tactics to gain access to accounts and systems.

What are password creation tips?

The easiest way to formulate a strong password is to create a passphrase (just a few words strung together) that meets UConn’s minimum length and complexity requirements (12 characters long and containing 3 of 4 categories: an uppercase letter, lowercase letter, number, and symbol). Additional tips on developing a passphrase are available at https://security.uconn.edu/set-a-passphrase/.

As a reminder, never use significant dates (e.g. birthdays, anniversaries), or names of people (or pets!) that you know.

If I use the same password on my personal accounts, should I change that as well?

Yes. Cybercriminals know that people tend to reuse passwords, so they exploit this and try attacking whatever systems they can. You should update accounts where you have reused passwords.

Updating my passwords across accounts seems like a lot of work. Is there anything to make it easier?

IT Security highly recommends you store your passwords with a secure password manager, such as LastPass. Learn more about LastPass, including how to get free LastPass accounts, by visiting UConn’s knowledge base.

How do I know whether my new password is already on the public list as well?

You will not know for certain. However, because our Password Standards improved in December of 2019 (longer and more complex requirements), your new password is less likely to be cracked if your old one did not meet the new standard. ITS is working on creating a more automated process that checks public password lists against our directory.
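
As an added illustration (not UConn's or ITS's actual process), the Python example below checks a candidate password against the length and category rules stated in this FAQ and against a compromised list held as hashes. The SHA-1 list format, the treatment of "symbol" as ASCII punctuation, and the sample list entries are assumptions constructed for the example.

```python
import hashlib
import string

MIN_LENGTH = 12       # from this FAQ: 12 characters long
MIN_CATEGORIES = 3    # from this FAQ: 3 of 4 categories


def sha1_hex(password: str) -> str:
    """Digest used only for list lookup (assumed list format), not for storage."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample list. A real deployment would load digests from its
# own compromised-password source; these three entries are made up.
COMPROMISED_SHA1 = {
    sha1_hex(p) for p in ("Password123!", "Summer2019!!", "qwertyuiop12")
}


def categories_used(password: str) -> int:
    """Count how many of the four character categories appear."""
    checks = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        # Assumption: "symbol" means ASCII punctuation.
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def evaluate(password: str) -> list:
    """Return the list of reasons to reject the password (empty = accept)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if categories_used(password) < MIN_CATEGORIES:
        problems.append("too_few_categories")
    # Only digests are compared; the list never has to hold plaintext.
    if sha1_hex(password) in COMPROMISED_SHA1:
        problems.append("on_compromised_list")
    return problems


if __name__ == "__main__":
    for candidate in ("Password123!", "qwertyuiop12", "Maple-otter-drives-7"):
        print(candidate, "->", evaluate(candidate) or "accepted")
```

The first sample meets the length and category rules yet is still rejected, which is why the list check is needed in addition to the complexity requirements.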

I already use multifactor authentication, why should I bother improving my password?

Passwords are your first line of defense in protecting accounts and information. Multifactor authentication is your second line of defense. Because cybercriminals have also found ways to get past multifactor authentication, you want both defense strategies to be strong. You can learn more about multifactor attacks at https://security.uconn.edu/2023/03/13/duo-sound-the-alarm/.