What’s wrong with my password?

I’d like to remind you that the password you use in our institute for loggin in to your Macintosh or accessing your e-mail and other central services like Time Machine backups has a finite expiration time and lifetime: Your password expires after eighteen months and you are forced to change it as soon as you log in interactively to one of the servers. If you don’t change your password within another six months (don’t log in interactively), your account will be locked completely, i.e., you can’t even change your password.

Don’t ask me why it is like that – this rule originates from pre-internet times and nowadays is pretty much useless according to the Bundesamt für Sicherheit in der Informationstechnik.

Places where your password is used

Whenever you change your password, CHANGE IT ON YOUR MACINTOSH, regardless of what the instructions of the IT boys say. This is of particular importance on a MacBook/MacBook Air/MacBook Pro.

You need to change your password at least in the following places:

  • At the login prompt or in the Users and Groups control panel of System Preferences. This updates the password of your Active Directory user record, for access to your Login Keychain, and for decrypting the harddisk in case you use a MacBook (aka FileVault).
  • In the Accounts control panel of Apple Mail Preferences (not the global Internet Accounts control panel of System Preferences)
  • In the Time Machine Password record of the System Keychain, using Keychain Access

How do I change my password?

Make sure that your Macintosh is connected to the MPI CPFS network, either directly or through a VPN connection. If you are prompted at login to change your password, please follow the instructions. Otherwise, on your Macintosh, please proceed as follows:

  • Select System Preferences… from the Apple menu. This will open a window like the one here.

"System Preferences Window"

  • Click onto the Accounts icon located in the System row of the System Preferences window. The Accounts window will appear.

  • Select your account in the list on the left-hand side, click onto Change Password… and fill in the required fields of the corresponding dialog sheet which appears. Finally, click onto Change Password and you are done.

That’s all.

In general, your Macintosh is integrated into the institute’s authentication and authorization infrastructure, and changing your password on Mac changes it on the network as well. However there are exceptions:

  • Your Macintosh is not connected to the institute’s network. The password change will propagate next time it is.

  • The Time Machine backup password remains unchanged on your Mac, thus backups will fail. To correct the password, open Keychain Access (in the /Applications/Utilities folder) and search for time machine. Double-click onto the record returned (currently nassrv._afpovertcp._tcp.cpfs.mpg.de), check show password: and edit the password after authentication.

  • The MPI CPFS E-Mail, Calendaring, and Contacts service is not integrated into the authentication and authorization infrastructure and need a separate password change. Update your password in Apple Mail: Choose Mail->Preferences->Accounts, select your MPI CPFS account, click Server Settings and update your e-mail password there. This includes calendar and contacts in case you use M$ Exchange Active Sync instead of standard IMAP/SMTP.

  • Your Macintosh is not integrated into the institute’s authentication and authorization infrastructure: Connect to our Terminalserver, log in, and change your password there.