Account Unlock and Password Change/Reset Instructions

Table of Contents

Brief Description

This article explains how to unlock your SLAC account and change or reset passwords for SLAC services, including Active Directory (Windows and macOS), Unix (Heimdal), and Oracle. It also introduces the new self‑service SLAC Account Reactivation and Password Update app and provides guidance to avoid password synchronization issues on SLAC-managed devices.

Review the Computer Security Password Policy

Before changing your password, review the Computer Security Password Policy on the SLAC Policies site.

Active Directory (Windows and macOS Accounts)

If you have both a SLAC Windows and macOS computer, change your password from the Mac and do not change it on your Windows PC. The Windows password will update automatically the next time your PC connects to the SLAC network (onsite or via SLAC VPN). Avoid changing your password immediately before leaving for the day or weekend in case you need assistance.

Users with SLAC macOS computers

  1. Ensure your Mac is connected to the SLAC internal network or to SLAC VPN using the Cisco AnyConnect application.
  2. Open System Preferences > Users & Groups.
  3. Select your user account and click the Change Password button.
  4. Follow the prompts to complete the change.

This method updates your keychain and FileVault password, which is necessary to ensure continued access to your Mac. If you do not have Cisco AnyConnect installed or do not have dial‑in permissions, see the SLAC VPN access article on the IT site.

Users with SLAC Windows computers

Important: Before changing your password, make sure you are not logged onto another Windows machine and that no scheduled processes are running under your account. If you are offsite, connect to SLAC VPN first.

  1. Log into your Windows computer as usual.
  2. Press Ctrl+Alt+Del.
  3. Select Change a password.
  4. Enter your old password, then your new password twice, and submit.

Windows password changes take effect immediately.

Users who do not have a SLAC Windows or SLAC macOS computer

If you do not have access to a SLAC‑managed Windows or macOS computer, you can change your SLAC Active Directory password using the SLAC Account Reactivation and Password Update app. After changing your password via the app, see Re-syncing Your Password on SLAC-Managed Computers if you later sign into a SLAC‑managed device.

Account Reactivation and Password Reset with Web App

Use the SLAC Account Reactivation and Password Update app to re‑enable your account or update your Active Directory password.

When to use this app

  • Your account is locked or disabled and needs reactivation.
  • You need to update your password and do not have access to a SLAC‑managed Windows or macOS device.
  • You prefer a web-based update and can complete Duo two‑factor authentication.

Employees: Option 1 — Authenticate with your SLAC username

  1. Open the SLAC Account Reactivation and Password Update app.
  2. Enter your SLAC username and select Authenticate.
  3. You will be redirected to your federated institutional login. Sign in and complete two‑factor authentication.
  4. After successful authentication, follow the prompts to update your password.

Employees: Option 2 — Authenticate with Stanford

  1. In the app, choose Authenticate with Stanford.
  2. You will be redirected to the Stanford login page. Sign in and complete Duo two‑factor authentication.
  3. After successful authentication, your account will be activated (if needed) and you will be prompted to update your password.

Non‑employees and collaborators

Use Option 1 (Authenticate with your SLAC username).

  1. The app will send an email with a one-time code, then show a form to enter the code
  2. Enter the code from your email into the form
  3. Authenticate with Duo

Important notes

  • If you need to update your external email address, ask your Host to send an invite to your new email address so you can register with it.
  • If you use this app and also use a SLAC‑managed computer, complete the steps in Re-syncing Your Password on SLAC-Managed Computers to ensure your device has the updated password.
  • macOS users generally achieve the best results by changing their password directly on the Mac (see Users with SLAC macOS computers) to ensure the keychain and FileVault are updated.
  • If the verification process fails, contact the IT Service Desk.
  • If you are an employee and your SUNet ID is also locked, contact the Stanford University IT Service Desk.

Re-syncing Your Password on SLAC-Managed Computers

If you changed your password using the web app while offsite, you must sync your device while connected to the SLAC network or SLAC VPN.

Windows

  1. Sign in to your laptop using your previous password.
  2. Connect to the SLAC network or SLAC VPN (authenticate with your new password).
  3. Press Ctrl+Alt+Del.
  4. Select Lock.
  5. Press Ctrl+Alt+Del again and sign back in with your new password.

This process syncs your local laptop password with your network password.

macOS (general guidance)

  • To ensure your login keychain and FileVault stay in sync, change your password directly on the Mac when possible (see Users with SLAC macOS computers).
  • If you changed your password using the web app and experience keychain prompts or other issues, contact the IT Service Desk for assistance.

Unix Account

To change your Unix (Heimdal) password, you must access the “centos7” interactive pool from a bastion host (not accessible directly from the internet).

If your Unix password has expired, contact the IT Service Desk and request a Unix password reset first.

When you have a working Unix password then:

  • SSH to “jump.slac.stanford.edu” using your SLAC (Active Directory/Windows) account.
  • From there, SSH to “centos7” using your Unix password.

On “centos7”, run the following command and follow the prompts:

/usr/local/bin/password

Notes:

  • The change takes effect immediately.
  • Do not use /bin/passwd for this purpose; it will not change your login password in most cases and may report the old password as incorrect.

Oracle Account

  • Oracle passwords currently have a maximum length of 30 bytes.
  • Do not use the following special characters due to their meaning in the Oracle engine:
    • Forward slash (/)
    • At symbol (@)
    • Ampersand (&)
    • Space ( )
    • Double quote (")
    • Single quote (')

If you have trouble changing your Oracle password, contact the IT Service Desk.

Best Practices for Changing and Setting Passwords

  • Use Secure Shell (SSH) or another secure method when logging in from open or shared environments so your password is not sent unencrypted.
  • Change your password after using open-access or conference machines, where you cannot verify what software is running.
  • Use distinct passwords for SLAC accounts versus any non‑SLAC accounts.
  • Minimum length: 12 characters.
  • Avoid easily guessed information (e.g., names, birthdays, dictionary words).
  • Never write your password where it could be seen by others.