|Accounts & Access||Account Request||Resetting Passwords||Obtain or Renew Visitor's ID and Kerberos Account|
Your kerberos password should be changed frequently. It will expire after 400 days, even if you never use it. That is if you always use your cryptocard, your password will still expire. If it expires, your kerberos principal will be disabled automatically. So you must change it at least that often.
Unfortunately, you are only reminded to change it during the 30 days immediately preceding it's expiration when you do a "kinit". Since you should rarely need to do that, most people will never be reminded.
I suggest that you pick an easily remembered date at least once per year, your birthday, your dog's birthday, your wedding anniversery... and change it on that day.
To change your password, first make sure that you are logged into one of the kerberized Fermilab machines over a fully encrypted network link. That is all legs of the login chain must be encrypted. ssh or encrypted telnet, WRQ Reflection will do the latter, can do it. Then type
and follow instructions.
If you forget to change it, you have two choices:
If you have forgotten your old password, your only choice will be to contact firstname.lastname@example.org