Why Strong, Recently Set Passwords are Important

Cornell and our higher education peers have been the target of several recent cybersecurity attacks that began with compromised credentials or passwords. Once attackers break in, they inevitably attempt to move into the most sensitive parts of an IT environment.

Federal and state agencies are reporting increased cyberattacks in response to current geopolitical tensions and targets are expected to include higher education. This increase is adding to various criminal and hacktivist attacks against research institutions like Cornell. Cybersecurity attacks can lead to serious data breaches, data corruption such as ransomware, and outages of essential IT services.

Cybersecurity is only as strong as its weakest link. A single weak or stolen password can affect the security of all Cornell.

Keep Your Passphrase Secure

Strong passphrases (password) stand between your valuable personal information and work resources and the criminals who are trying to get them.

Your NetID passphrase must be different from any other password or passphrase that you use for Cornell or personal accounts. This helps ensure that your Cornell information will still be protected even if other passwords or passphrases are stolen.

• Don't write your passphrase down or store it on your computer.
• If you think your passphrase has become known to someone other than you or if you suspect it has been compromised by a criminal, change it immediately.
• If you think your account has been compromised, report it to the IT Security Office.
• Contact the IT Service Desk if you're unable to change your passphrase.

Cornell Passphrase Requirements

Effective Fall 2025 for NetID passwords:

• Minimum length is 16 characters.
• You may include upper-case letters, numbers, special characters, or symbols, though you are no longer required to do so.
• Spaces count as a character.
• The passphrase may not include a known-bad password (i.e., “password12345678” or “adminadminadmin1”).
• The passphrase cannot be one you have used recently.
• The passphrase must not reuse one that you have used for any other service (at Cornell or otherwise).

Where and How to Change Your NetID Password

For details and instructions about how to update your Cornell NetID passphrase, visit Change Your NetID Password.

Tips for a Creating a Strong, Memorable Passphrase

It is recommended that you use a passphrase of 4 to 7 words, rather than a traditional password. This can be a sentence or, even better, a series of unrelated words that you can easily remember, but that would be difficult for others to guess.

• Try something like "Sunshine-river-couch-1984" or "correct horse barn stable rainstorm".
• Because passphrases no longer require unusual characters (though you may use them if you wish), you can come up with a phrase or sequence uniquely memorable to you but not easily guessed by others.
• Do not use common catchphrases, memes, movie titles, popular song lyrics, personal details about you, searchable information (like your hometown or street name), or keyboard patterns like “qwertyuiop asdfgh” or “1234567890123456”.
• Never reuse passwords from other sites or accounts.

Set Up a Recovery Email Address

It is strongly recommended that you set up a recovery email address. 

This is a secure, non-Cornell email address where you can receive an email that contains a special link to reset your Cornell NetID passphrase when you have lost or forgotten it, without needing to contact the Cornell IT Service Desk.

For more information, visit Set a NetID Recovery Email Address.