Duke's Password Policy, Password Managers, and Multifactor Authentication

Password Policy for Duke Accounts:

  • Passwords must be at least 12 characters and pass a basic complexity check.  How you create a complex password is up to you. There are no specific format requirements (such as special characters).
  • Passwords do not expire and most users do not need to change NetID passwords, unless compromised. Duke’s policy is in alignment with national standards that suggest short passwords, that are changed frequently, are less secure. 
    • Duke Health users and sponsored guests are not required to regularly update passwords associated with their Duke NetID, which is synced with all users’ Duke Health Enterprise (DHE) accounts.
  • The only method to update passwords is by visiting the OIT Account Self Service Portal. The option to update passwords using CTRL+ALT+Delete is not available.
    • Tip: If working remotely (at a non-Duke site) users should connect to the Duke Virtual Private Network (VPN) before updating passwords (Learn more about Duke University VPN and Duke Health VPN). 
  • Never use your Duke NetID and password when creating or updating login information on non-Duke systems.

Password Policy FAQs

There are no FAQ items to show.

Securing your password

  • Use a different password for each online account.
  • Don't share your NetID and password with anyone, including family members or system administrators. 
    • Students: You can give your parents proxy access to all or parts of your student record.
  • Use a password manager, like 1Password, to remember all of your passwords.

Secure Your Passwords with 1Password

Duke offers free password management services with 1Password

1Password Service Page

Multi-Factor Authentication

What is multi-factor authentication, and how to set it up via OIT

Multi-factor authentication, also referred to as advanced or two-factor authentication, provides an additional layer of security when logging in or performing transactions online. Multi-factor authentication is based on something you know (your password) and something you have (such as your phone or a hardware token like a Yubikey). If an attacker gets your password, they would still need access to that second “factor” to access your account. Duke offers multi-factor authentication (http://oit.duke.edu/mfa) that can be used to secure your NetID and access to various web applications at Duke.

Any Duke user can set up multi-factor authentication for their NetID and select which websites will use it. See https://oit.duke.edu/service/multi-factor-authentication/ for details.

Also consider taking advantage of multi-factor services provided by online vendors such as GoogleFacebookDropboxTwitterInstagramAppleMicrosoft, and many more. For an in depth overview of where you can apply additional security by enabling multifactor see the Two Factor Auth List.


Is your NetID locked? 

Accounts can be compromised several ways: virus infection, phishing, weak passwords and sharing passwords.

Duke monitors logs for suspicious activity on accounts, looking for unusual log-in patterns. If suspicious activity is found, they will lock the account. The user will then have to call the OIT Service Desk to pass a credential check and have the account unlocked.

To minimize your risk of a compromised account, check your online account regularly and use different passwords for your online accounts.

Additional Secure Access Resources