Use multi-factor authentication
Using MFA can help keep your account secure even if your password is ever exposed. MFA is available now to all students, faculty and staff. For more information, see Multi-factor authentication.
Use a unique password for each account
Do not use the same password for more than one account. If your password for one account is ever compromised, hackers will attempt to use that password to access your other accounts. Whenever there is a breach of a third party service resulting in password exposure, hackers use those passwords to try to log in to Caltech user accounts. They will even use programs to automatically try different permutations of that password, including adding numbers to the end, changing capitalization, and substituting various characters. Make sure that all of your passwords are completely unique from one another.
Use long passwords or passphrases
In general, using a longer and more complex password makes your password more difficult to guess. Hackers routinely employ dictionaries of commonly used passwords when attempting to break into accounts. Using a combination of letters, numbers, and symbols can add complexity to your password, but the most important factor is length. A great practice is to make up a random sentence or collection of four or more random words to use as a passphrase. This has the benefit of complexity while also often being easier to remember than a string of letters, numbers, and symbols.
Consider using a password manager
A password manager is a tool that helps you securely store your passwords. When you use a password manager, you only need to remember one master password to access all of your saved passwords. This is a much safer practice than storing passwords in a document, web browser, or written on a sheet of paper. For more information see LastPass or Password managers.
Don't store your password someplace unsafe
Storing passwords in documents, web browsers, or written on paper is a bad practice and puts your password at risk of being exposed. Consider using a password manager.
Don't share your password with anybody
Sharing your access.caltech password is against Institute policy. Sharing your password makes it more likely to become exposed, and you may also be held responsible for actions taken by other people using your account. You should never give your password to anybody, including colleagues, parents, or anybody claiming to be a member of IMSS or the Help Desk. There are some specific situations in which access to certain Caltech online services can be delegated without sharing your password. Students can delegate access to CashNet to a parent or other bill-payer, see Adding authorized users to CashNet. Faculty/staff can delegate email and calendar access to a team member, see Delegating email and calendar access. If you have a need to delegate access that is not covered by these options, please ask Information Security about it by emailing firstname.lastname@example.org or opening an Information Security ticket at https://help.caltech.edu, rather than giving out your password.
Report a compromised password immediately
If you believe your password has been compromised, you should immediately change your password and also let Information Security know. Change your password by logging in to access.caltech and clicking the "Manage my password" link. Let Information Security know by emailing email@example.com opening an Information Security ticket at https://help.caltech.edu. It is important to let us know about this as soon as possible, so we can see whether there was any unauthorized access, immediately shut down any unauthorized access, and see if any other users were affected by the same attack.
IMSS will never ask you for your password
If you get a message claiming to be from a member of IMSS or the Help Desk and asking for your password, it is a scam. There is no circumstance in which IMSS or the Help Desk will ask you for your password. Do not give your password to anybody.