UCAS Passwords are necessary to access some internal UCAR systems, but not for accessing the NCAR supercomputers and other resources that CISL manages.
Authorized personnel can request UCAS Passwords for users via the Admin tab in the UCAR People Search portal. If you already have an authentication token (a YubiKey token or a CRYPTOCard keypad), you can create or reset your UCAS Password at https://kcreate.ucar.edu. You will be assigned a temporary passphrase, which you will then change at https://kpasswd.ucar.edu.
A strong password is the first line of defense for an individual computer user's account. This document provides the information you need to help keep your account and NCAR computers secure.
Good passwords should:
- Be memorized
- Be at least eight characters long (longer is stronger)
- Contain both upper-case and lower-case characters
- Contain at least three non-alphabetic characters
Good passwords should not contain:
- A dictionary word in any language
- Personally identifiable information such as a name, a login name, part of an email address, a phone number, a date of birth, a license plate, a Social Security number, or similar data
- Any of the above spelled backwards
- Any of the above with numbers exchanged for letters or vice versa
- Any of the above with numbers or special characters appended or prepended
For example, the following are equally ineffective:
Hackers are well aware of all these tricks and can easily break such passwords.
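The guidelines above can be checked mechanically. The following Python code is an added example, not UCAR's own tooling; the small WORDLIST, the substitution table, the function names and the sample passwords are constructed for illustration, and a password is flagged only when the whole string reduces to a listed word or personal item.

```python
import re

# Constructed stand-in for a real multi-language dictionary file.
WORDLIST = {"password", "dragon", "sunshine", "boulder", "weather"}
# Common number/symbol-for-letter exchanges, undone before lookup.
LEET = str.maketrans("0134578@$!", "oieastbasi")


def strip_edges(text):
    """Drop numbers and special characters appended or prepended to a word."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", text)


def variants(password):
    """Return the password with each trick from the list above undone."""
    forms = {password.lower()}
    forms |= {strip_edges(f) for f in forms}
    forms |= {f.translate(LEET) for f in forms}   # numbers exchanged for letters
    forms |= {strip_edges(f) for f in forms}
    forms |= {f[::-1] for f in forms}             # spelled backwards
    return forms - {""}


def check_password(password, personal=()):
    """Return the guideline violations found; an empty list means none."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if not (any(c.isupper() for c in password)
            and any(c.islower() for c in password)):
        problems.append("needs both upper-case and lower-case characters")
    if sum(not c.isalpha() for c in password) < 3:
        problems.append("fewer than three non-alphabetic characters")
    # Personal data (login name, phone number, ...) is supplied by the caller.
    forbidden = WORDLIST | {p.lower() for p in personal}
    if variants(password) & forbidden:
        problems.append("derived from a dictionary word or personal data")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the page.
    for sample in ("Dr@g0n123!", "drowssaP12!", "mY7cat_ate9Kites?"):
        print(sample, "->", check_password(sample) or "no violations found")
```

The first two samples satisfy the length, case and character-count rules and are still rejected, because undoing the substitutions, the appended characters and the reversal leaves a plain dictionary word.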
You can create a strong and memorable passphrase by building a phrase or sentence that is known only to you by using multiple words and both upper- and lower-case letters, with some punctuation and numbers. Longer is stronger. Many people find shocking nonsense phrases that they would never say fairly easy to remember, as opposed to a shorter acronym.
Here are two non-shocking examples:
Note 1: Since the passwords shown here are in a public document, do not use any of them for your personal password.
Note 2: We avoided blanks and single quotes in the above passphrases, because those two characters are problematic with passphrases on some systems.
Please keep your passphrase private. Do not share it with anyone. Do not write it down where it can be found by others or identified as your passphrase for UCAR. If you find it absolutely necessary to write something down, do not write the phrase itself, but rather a hint which will remind only you of the passphrase. Do this on a card with no other info about where it applies (in case the card is stolen), and keep it safe. Good places are in a wallet or home fireproof safe.
How do I change my password or passphrase?
The safest place to change your passphrase is on your UCAR workstation if you have one, or on the first UCAR host you normally log into.
If necessary, you can change your password on a central UCAR Kerberos familiarization host or web site.
I use a command line host as my workstation or as the first UCAR host I log into
To change your password on a UCAR command line host, you will run either of the following commands:
It will ask you for your old password, request the new one, and finally ask you to confirm the new one to avoid potential problems caused by typos.
If you are asked on a UCAR host for the old password for username@CIT.UCAR.EDU, username@MIT.EDU, or some other realm instead of UCAR.EDU, you can start over and specify UCAR this way: kpasswd username@UCAR.EDU.
If you are connecting from outside UCAR, or you do not know which of your division's hosts to use for the password change, you can ssh to our familiarization and password change system, kpasswd-ssh.ucar.edu. This replaces the old password.ucar.edu system formerly used for the same purpose.
These are the ssh key fingerprints for kpasswd-ssh.ucar.edu, for use when you connect from a host that does not have a copy of the canonical UCAR ssh known hosts file:
1024 5a:15:e6:01:53:26:fc:46:3f:89:04:d6:20:0c:0d:d3 (DSA)
2048 8b:00:7a:98:ed:1b:e3:32:cd:09:eb:ba:f8:a9:e0:d3 (RSA)
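One way to compare a host key against the fingerprints listed above (an added example, not UCAR's tooling): the listed values are in the legacy MD5 colon-hex form, whereas current OpenSSH prints SHA256 fingerprints by default, so the MD5 form has to be computed explicitly. SAMPLE_LINE is a constructed known_hosts-style line with made-up key material, and the function names are this example's own.

```python
import base64
import hashlib

# Fingerprints published on this page for kpasswd-ssh.ucar.edu,
# keyed by the SSH key type name (DSA keys are "ssh-dss" on the wire).
PUBLISHED = {
    "ssh-dss": "5a:15:e6:01:53:26:fc:46:3f:89:04:d6:20:0c:0d:d3",
    "ssh-rsa": "8b:00:7a:98:ed:1b:e3:32:cd:09:eb:ba:f8:a9:e0:d3",
}


def md5_fingerprint(key_b64):
    """Colon-separated MD5 of the decoded public key blob."""
    digest = hashlib.md5(base64.b64decode(key_b64)).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def host_key_matches(known_hosts_line, published=PUBLISHED):
    """Check one 'host keytype base64key' line against the published value."""
    fields = known_hosts_line.split()
    if len(fields) < 3:
        return False  # malformed line: treat as a mismatch
    keytype, key_b64 = fields[1], fields[2]
    expected = published.get(keytype)
    return expected is not None and md5_fingerprint(key_b64) == expected


# Constructed sample: the key blob is made up, NOT the real host key,
# so it must fail the comparison with the published fingerprints.
SAMPLE_LINE = "kpasswd-ssh.ucar.edu ssh-rsa " + base64.b64encode(
    b"\x00\x00\x00\x07ssh-rsa" + b"constructed-key-material").decode()

if __name__ == "__main__":
    print(md5_fingerprint(SAMPLE_LINE.split()[2]))
    print("matches published fingerprint:", host_key_matches(SAMPLE_LINE))
```

A mismatch, as with the constructed key here, means the connection should not be trusted until the key has been confirmed through another channel.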
I use a Mac on the UCAR LAN as my workstation
The easiest way is to run the Kerberos (Mac OS X 10.5) or Ticket Viewer (Mac OS X 10.6) applications your sysadmins may have made visible for you. It will ask you for your old password, request the new one, and finally request you confirm the new one to avoid potential problems caused by typos.
Otherwise, run the Terminal application, use it to log in to your normal divisional command line host or passwd.ucar.edu, and follow the command line host instructions above.
I use MS Windows on the UCAR LAN as my workstation
The easiest way is to run the Network Identity Manager or Leash application your sysadmins may have installed for you. Click on the password change button, or select the password change menu item. It will ask you for your old password, request the new one, and finally request you confirm the new one to avoid potential problems caused by typos.
Otherwise, run your ssh client (typically putty.exe or VanDyke Secure CRT), use it to log in to your normal divisional command line host or kpasswd.ucar.edu, and follow the command line host instructions above.
I use a web browser
If you do not have the ability to change your passphrase on your workstation or on a system you normally log in to, then you should use the https://kpasswd.ucar.edu/ web form to change your passphrase.
How do I log in?
Your UCAS Password login will continue to work in the same places as before. You'll just use the new UCAS Password you set or received in place of your old one.
The first time you use your password after creating or resetting it, you will need to change it to one only you know.
I've forgotten my password. How do I reset it?
If you ever need or want to reset your password, and you have a UCAS token (a CRYPTOCard or YubiKey issued by UCAR), you can visit https://kreset.ucar.edu/ at any time, without having to wait.
If you do not have a UCAS token, you should contact your group's help desk or sysadmins for an assisted reset.
How do I take full advantage of Kerberos?
I use a command line host
After you authenticate and get your master ticket, Kerberos V uses secure service tickets to transparently log you in to additional resources. You should be aware of just four basic commands.
kinit
Start with this one. This is the command you use to authenticate and get your initial ticket. It is often called transparently by your login dialog box, your screen saver unlock, and the like.
kpasswd
This is the command you use to change your passphrase. (Some systems use passwd -K for the same job.) It is sometimes called transparently for you by kinit when your passphrase has expired.
klist
This is the command you use to list your tickets. You'll see your master Ticket Granting Ticket, and perhaps other service tickets for LDAP, ftp, and the like for resources Kerberos has transparently logged you in to use.
kdestroy
This is the command you use to remove your tickets when you're done with them. They'll expire on their own, but if you're finished for the day, it's a good idea to nuke them early. It is often called transparently when you log out from a system.
I use a Mac OS workstation
Run the Kerberos (Mac OS X 10.6) or Ticket Viewer (Mac OS X 10.6) application your sysadmins may have made visible to you. You can use this application to manage the Kerberos tickets used for login to Kerberized UCAR services.
I use an MS Windows workstation
Run the Network Identity Manager or Leash application your sysadmins may have installed for you. You can use this application to manage your Kerberos tickets, and cause them to be made available for login to Kerberized UCAR services.
Some systems have character sensitivities in passphrases. Currently known failures are caused by spaces in passphrases used on the wireless web heartbeat system, and by single quotes in passphrases used on multiple web applications and some command line systems.
Wireless web heartbeat and spaces
The https://wireless.ucar.edu/ captive portal system does not work with spaces in passphrases. If you must have a space in your passphrase, use the SSH interface rather than the web heartbeat.
Applications and single quotes
Many web applications and some command line systems do not work with single-quote characters in passphrases. The simplest solution is to avoid using single-quote characters in passphrases.