Onyen and Password FAQs

What is an Onyen?

Onyen is the name for UNC’s campus-wide identifier that you can use to gain access to various electronic resources on campus. Although it is a word, you can think of it as an acronym for the “Only Name You’ll Ever Need.” The distinctive name is intended to prevent confusion with the myriad other user ids that exist across campus. Several factors make it stand out from these other user identification schemes:

  • Onyens are the only electronic service keys available to all members of the campus community — faculty, staff, and students alike.
  • Every Onyen is associated with a particular person via his or her PID.
  • Each Onyen has its own password which can be used over secure connections for encrypted sessions to Web and other servers across campus.
  • Although Onyens are managed by one department, Information Technology Services (ITS), they are available for use as authentication keys to any campus department or group that has to allocate resources to University-affiliated people. These groups are thereby freed from having to administer the creation of user ids or the management of passwords.

With these factors in mind, Onyens represent a significant part of the commitment by ITS to provide equitable campus-wide access to a range of ITS and other services. As technology permits, Onyen based access will be used for an increasing number of services both within ITS and across campus.

The Onyen Policy document outlines the policies, standards and terms of agreement associated with Onyens.

UNC students, staff and faculty can use the Onyen Services home page to create and manage their Onyens, to subscribe to Onyen services, and to use Onyen functions. Please see the Creating an Onyen document for more detailed instructions on creating an Onyen.

 

The following are Frequently Asked Questions about:

 

What are the supported browsers for the Onyen Services Site?

  • Internet Explorer (IE, Version 9 – Current Version): Yes
  • Firefox (Version 23 – Current Version): Yes
  • Safari (Version 5 – Current Version): Yes
  • Chrome (Version 28 – Current Version): Yes

 

Onyen

How do I find my Onyen?


If you do not know or have forgotten your Onyen:

  • Open a web browser and go to the Onyen Services site and click the Forgotten Onyen? button.
  • You will then be prompted for your PID (UNC ID #) and your last name.
  • Enter the above and click the Continue button.
  • The resulting page will show you your Onyen (and other related information).
  • Additionally, if you can log into HeelMail or Campus Exchange, the user name you use there is your Onyen.


Can I get a temporary Onyen to administer a UNC web site for a department or an individual if I am not affiliated with UNC?


In order to create an Onyen, you must be affiliated with the University in some capacity. This is because a PID (Personal ID Number) and an active affiliation are required to create an Onyen. PIDs are managed by the PID Office.

Information about UNC affiliation, including a list of affiliation types, is available on the PID Office website. There is a procedure for contract employees that may solve this issue, but this requires that the sponsoring department contact the PID office. See the PID page for more details.

If the person does not meet any of the requirements on the PID page, then he will not be given a PID and will not be able to create an Onyen.

Onyen Password

Why is Onyen password security important to me?


In most cases, your Onyen password is the only authentication method for many critical network services (see Password Change Checklist). Although it may seem extreme to have a complex password policy, the protection it affords campus computer systems and the identities of faculty, staff, and students is immeasurable. Many Onyen users have access to sensitive and private information such as financial, medical, or research information. Strict password requirements help to prevent unauthorized access not only to your e-mail and other files, but also to critical and confidential data. Therefore, even though it may seem inefficient to remember one new password every 90 days, it is vital to ensuring the protection of everyone’s important data. Imagine years of research data deleted or improperly modified because of a leaked or cracked password. The impact of such an event is unthinkable, and by enforcing a strict password policy this type of occurrence and other disasters may be prevented. The following are only a few examples of the damage that an attacker can perpetrate with your Onyen password:

  • affect your class registration
  • assume your identity
  • send fraudulent e-mails
  • access your address, phone number, full name, date of birth, etc.
  • change One Card account balances and other information
  • modify or delete classwork or personal files in AFS
  • register you for unwanted services
  • among others…

You are responsible for everything that occurs from your Onyen account. If your Onyen is used to commit a computer crime or violate University policy, in most cases you will be held responsible (see Onyen Policy, Terms of Agreement for Onyens).


How does requiring my password to change every 90 days, requiring the password complexity and disallowing previous passwords increase security?


Simply by changing your password by one character, you are effectively changing it completely. Each time a password is created, a one-time random value, called a “salt,” is generated and combined with the newly created password before it is hashed. This means that even if two users choose the same password, their password hashes (the way a password looks when it is encrypted) will be different by both the types and numbers of characters. This increases password strength exponentially, since a password cracker cannot simply compare the two hashes and deduce that the passwords are the same. It will take substantially longer to crack the new password as well; by the time you change your password again (three months) the cracker would have to start all over again with a completely different password. Based on our current complexity requirements, it would take longer than 90 days.

In addition, the password system will prevent you from reusing any of your previous passwords. Any previous password used will be blocked for the period of one year. This ‘recycling’ of passwords presents many of the same security concerns caused by passwords that never change.
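
The two mechanisms described above, as an added example (not code from UNC or ITS): identical passwords produce different stored hashes because each gets its own salt, and a one-year reuse check has to re-hash the candidate against every earlier salt. PBKDF2-HMAC-SHA256, the iteration count and all function names are assumptions; the page does not say which hashing scheme Onyen uses.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

ITERATIONS = 100_000                 # assumed work factor; not stated on the page
REUSE_WINDOW = timedelta(days=365)   # "blocked for the period of one year"


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Re-hash the candidate with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def is_reused(candidate, history, now):
    """history holds (salt, digest, set_on) tuples. Every entry has its own salt,
    so the candidate is re-hashed against each entry still inside the window."""
    return any(
        now - set_on < REUSE_WINDOW and verify(candidate, salt, digest)
        for salt, digest, set_on in history
    )


def change_password(new_password, history, now):
    """Store a new salted hash in history, or refuse a password reused too soon."""
    if is_reused(new_password, history, now):
        return False
    salt, digest = hash_password(new_password)
    history.append((salt, digest, now))
    return True


if __name__ == "__main__":
    # Constructed sample data: two users who pick the same password.
    first, second = hash_password("Iw2EI&s47d!"), hash_password("Iw2EI&s47d!")
    print("identical hashes:", first[1] == second[1])                         # False
    history, t0 = [], datetime(2024, 1, 1)
    print(change_password("Iw2EI&s47d!", history, t0))                        # True
    print(change_password("Iw2EI&s47d!", history, t0 + timedelta(days=90)))   # False
    print(change_password("Iw2EI&s47d!", history, t0 + timedelta(days=400)))  # True
```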


Remembering all my passwords is too complicated; I'm just going to write mine down!


Writing down your password in a public location exposes you to the dangers of identity theft and other abuses. Passwords exist to protect you and your information. Bypassing the protections offered to your account exposes your personal information and is in direct violation of Onyen policy:

Access to computing and network resources granted through the issuing of a UNC Onyen may be used only by the specific individual to whom the Onyen is issued and may not be shared with other individuals (see Onyen Policy, Terms of Agreement for Onyens).

Even if you do not use your Onyen, if your password gets compromised an attacker can use your Onyen to assume your identity.

If you consistently have trouble remembering your password, and are often away from campus, you may want to consider setting up the Challenge-Response Questions for your account. Once you answer the questions you will have the ability to easily reset your password, even if you are away from campus.


Are all these password requirements really worth the trouble? I have too many passwords already to remember and all have different requirements!


Your private information is very important, and the dangers of identity theft should not be underestimated (see Identity Theft and Fraud). The password not only protects you, but also your department’s data. Many granting agencies, as well as some Federal and State regulations, require best information security practices, which include strict password policies.

State auditors require strong passwords along with the unfortunate inconvenience everyone with an Onyen endures when changing their password. Many computer systems have different password requirements depending on the age of the system, or the type of underlying authentication mechanism. The complexity requirements for the Onyen password are standard and are based on security best practices. These conditions were chosen to follow numerous other password requirements across campus (e.g. Microsoft Active Directory and Windows domains).


Do I Need to Change My Password if I Never Use My Onyen?


Click here for a list of sites that use the Onyen for access. If you do not use any of these services, and therefore never use your Onyen, do not worry about the expired password. If you need access to these services in the future, your password will need to be changed at that time.

We recommend you set up the Challenge-Response Questions system so you may reset your own password in case it is forgotten.


What if I don’t change my Onyen password before it expires?


If your Onyen password expires, you will be unable to access any services that use the Onyen for authentication. A list of these services is located in the Password Change Checklist.

If you remember your password, you can reset it at the Onyen Services web site. To do so, you would click Manage Password and then enter the appropriate information (Onyen, current password, new password twice) in the four blanks and click Change Password. The new password must be at least 8 characters and contain at least 1 number and 1 symbol. If you do not remember your password, there is a PDF form available on the same page that you can fax for assistance in resetting your password.

As always, feel free to come to an ITS Response Center for assistance. The ITS Response Center, located in the basement of the R. B. House Undergraduate Library and SASB-South, is open at the hours listed here.


How should I choose a password?


Passwords are an important part of computer security. Your passwords should be changed regularly to protect you from identity theft and prevent unauthorized use of your personal information. You can see information on choosing a new Onyen password at the Onyen Services web site.

Because your password is your first line of defense against attack, it is imperative that you choose a strong password that cannot be easily cracked. This is especially important for administrator-level accounts. The System Administration, Network, and Security (SANS) Institute recommends certain guidelines for choosing an effective password.

  • Many computers set an eight-character minimum for your password length. Even if yours doesn’t, it’s good to meet this recommendation. The longer your password, the more secure it will be.
  • Always use a combination of upper- and lower-case letters and include special characters such as ‘~!@#$%^&*()-_=+{[]}\|`”;:,/?.
  • Do not base your password on any items of personal information (e.g. PID, Social Security number, street address, birthdays, names of family members, etc.).
  • Do not attempt substitutions of numbers or characters that look like the letter they replace (e.g. C@R0L!N@ for CAROLINA); sophisticated password-cracking programs try these combinations as well.
  • For stronger passwords, avoid words or combinations of words that could be found in an English dictionary, such as “ChapelHill”.
  • For best passwords, experts recommend acronyms for unusual phrases that you invent. An example would be the password “~2myuT$!” for “About 2 more years until Tenure $alary!”
  • Change your password often, and do not write it down anywhere close to your computer.
  • Do not share passwords with anyone. All passwords should be treated as sensitive, confidential information.

Here are some don’ts:

  • Don’t reveal a password over the phone to ANYONE, including computer support personnel. Support personnel should never initiate a call requesting a password.
  • Don’t reveal a password in an email message.
  • Don’t reveal or talk about a password to anyone, including co-workers or family members.
  • Don’t hint at the format of a password (e.g. “my favorite pet.”)
  • Don’t reveal a password on questionnaires or security forms.
  • Don’t use the “Remember Password” feature of applications (e.g. Mozilla Firefox, Mozilla Thunderbird, Internet Explorer, or Outlook).

For additional information about this and other security issues, please visit http://www.unc.edu/security/.


Is there an easy way to create a strong and effective password?


Easy Password Creation

Changing your password to a different and new password every 90 days can be difficult. Generating a strong and easy-to-remember password does not have to be difficult. There are several different ways to create a new password; one example is included below:

  1. First you can think of a phrase or sentence that has meaning to you and that you can remember; for example:

    - I went to Emerald Isle and stayed for seven days!

  2. Second you can replace any words that are numbers with the actual numbers, replace certain words like “to” that sound like numbers with the number they sound like, and any word that can be represented by a symbol with that symbol. Making these changes in the above phrase the result would look like:

    - I went 2 Emerald Isle & stayed 4 7 days!

  3. Third you can take the first letter of each word and each number or symbol from step 2 and combine them into a string that would look like:

    - Iw2EI&s47d!

  • Looking back at the original phrase you can see:

    - I went to Emerald Isle and stayed for seven days!

    “I” did not change, “went” is represented by the first letter of the word, “w”, “to” is represented by the number “2”, “Emerald Isle” is represented by “EI”, the word “and” is represented by the symbol “&”, the word “stayed” is represented by the letter “s”, the word “for” is represented by the number “4”, “seven” is represented by the number “7”, “days” is represented by the letter “d”, and the exclamation mark “!” is kept at the end of the phrase.

  • The replacement of elements from this easy-to-remember sentence results in this strong password:

    - Iw2EI&s47d!

  • Following this process should allow you to easily create a password that will not be difficult to remember, but that will meet all of the UNC password requirements. Here are some common mappings of words to symbols:

    “to” = “2”
    “for” = “4”
    “and” = “&”
    “at” = “@”
    “ate” = “8”
    “bang” = “!”
    “percent” = “%”

What do I do if I have forgotten my Onyen password?

  • Visit the Onyen Management Page for information on how to have your password reset.
  • Passwords expire every ninety days. If your password was working recently but now is not, then it may just be expired. Visit the Onyen Management Page to change your expired Onyen password to a new one.
  • To prevent you from having to do this in the future, you are required to set up the Challenge-Response Questions system. You will then be able to reset your own password after answering a series of questions.

Other FAQs