This content is viewable by Everyone
Frequently asked questions
Frequently Asked Questions about UCSF password management.
Need help? Contact the IT Service Desk at 415-514-4100 or select the Get Password Help button in the corner of this page.
NOTE: The Password Virtual Assistant can only be accessed on password-related UCSF pages on the it.ucsf.edu site.
Consult these best practices when changing your password
It’s so hard to pick a password and remember it! Do you have any tips?
- It’s helpful to pick a password that you’ll remember, something like “w@term3lonShoes.”
Is the length requirement 12 or 15 characters?
- The requirement for elevated-access Active Directory (AD) accounts is 15 characters. The requirement for all other AD accounts is 12 characters.
Why is the password tool making me use 15 characters for my new password?
- Your account may have some extra access, which means it's considered an elevated account, which requires a minimum of 15 characters.
Can I use the same password across all my accounts?
- Passwords cannot be the same across accounts regardless of whether they’re standard or elevated-privilege accounts. After you change your password on one account, the tool will not accept the same password for your other accounts.
Why are we requiring a regular password change, especially when Duo is present?
While some research shows that frequent password changes actually can be detrimental to security, analysis shows that this is not the case for UCSF. Regular password changes are important to UCSF because:
- They make brute-force cracking less likely or impossible
- UCSF is a frequent target of “password spraying” and “credential stuffing” attacks. Changing passwords reduces the success rate of these attacks.
- UC frequently finds lists of stolen UCSF usernames and passwords on the dark web. Password changes reduce the value of these credential dumps to would-be attackers.
- Duo helps mitigate the risk of weak/stolen credentials, but it’s not applied universally to every system at UCSF.
- Password changes are a compliance and policy requirement (UCOP IS-3 Authentication Standard, HIPAA, PCI-DSS, partner contracts, etc.).
- Not having password changes is cited as a significant risk in third-party assessments of UCSF’s security.
- Reduces risk of credentials lost/stolen from applications which may use outdated or weak methods of securing passwords.
I keep getting locked out! What should I do?
- First, make sure you’ve enrolled in the password tool and downloaded the password mobile application on your mobile phone. You should be able to unlock your account in the tool.
- Second, think about other devices where you might have logged in with your old password. Contact the Service Desk at 415-514-4100 to have someone help you troubleshoot.
How do I know what devices I’ve logged into in the past?
- That’s a good question! Think about, for example: your phone, tablet, a presentation laptop and other mobile devices your department uses, your home computer. Check them all to be sure that none of the devices are connected to UCSF systems or applications.
What is the allowed number of failed login attempts before the password tool locks you out?
- Three failed password or security answer attempts will lock you out of the UCSF Password Management Tool, and you will need to call the IT Service Desk (415-514-4100) to have your profile unlocked.
Can a locked Active Directory (AD) account still log into the tool with a password, or are security questions required?
- A security question is required. However, note that neither security question nor password will work if the password-tool profile is locked.
What’s the difference between a locked Active Directory (AD) account and a locked password-tool profile?
- Locked AD accounts due to password failures will auto-unlock after 15 minutes of inactivity. A locked profile in the password tool will remain locked until the Service Desk unlocks it. The Hitachi ID mobile app will not circumvent a locked "password.ucsf.edu" profile.
Password management tool and mobile app
On the security questions page, when I click on "Reveal answers," nothing happens. Is this a bug?
- The Reveal answers button only works on answers you’ve just typed, not on previously stored answers. Once you submit the changes, the answers are encrypted and cannot be revealed. This button is a convenience feature to allow users to verify that they've typed what they thought they typed, since there is no answer verification process.
I’ve loaded the Hitachi ID Mobile Access app onto my phone, but sometimes when I open the app, it’s blank. What’s wrong?
- This is an odd quirk, but you shouldn't need to reload the app or re-register your device. Try tapping on another option besides Profiles at the bottom, then back and tap Profiles; it should reload.