
Cornell University

Manage Passwords Safely

This article applies to: Security & Policy

Keeping your personal information, Cornell sign-in credentials, and important data safe means protecting your passwords. Anyone with active online accounts encounters dozens of passwords used to access Cornell resources, personal online banking, e-commerce sites, and other websites. Below you will find some guidelines for how to manage your passwords safely.

Be aware that University Policy forbids using your NetID password for any other sites or services, and it is poor security practice to use the same password for more than one site—so multiple passwords are a requirement.

Why Strong, Recently Set Passwords are Important

Cornell and our higher education peers have been the target of several recent cybersecurity attacks that began with compromised credentials or passwords. Once attackers break in, they inevitably attempt to move into the most sensitive parts of an IT environment.

Federal and state agencies are reporting increased cyberattacks in response to current geopolitical tensions, and targets are expected to include higher education. This increase adds to the various criminal and hacktivist attacks already directed at research institutions like Cornell. Cybersecurity attacks can lead to serious data breaches, data corruption such as ransomware, and outages of essential IT services.

Cybersecurity is only as strong as its weakest link. A single weak or stolen password can affect the security of all of Cornell. Also remember to keep your devices protected and updated. For Cornell-owned desktops and laptops, an effective solution is Certified Desktop.

Create unique, strong passwords

Make sure your passwords meet these requirements:

  • Long (the longer, the better; minimum of 16 characters)
  • You may still include upper-case letters, numbers, special characters, or symbols, though you are no longer required to do so.
  • The passphrase may not include a known-bad password (e.g., “password12345678” or “adminadminadmin1”).
  • The passphrase cannot be one you have used recently.
  • The passphrase must not reuse one that you have used for any other service (at Cornell or otherwise).
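
As an added illustration (not Cornell's code), this sketch shows how a service could enforce the length, known-bad, and recent-use rules above while keeping past passphrases only as salted PBKDF2 digests rather than plaintext. The function names, the work factor, and the sample history are assumptions made for the example.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 16  # minimum length stated on this page
# The two known-bad examples quoted on this page; a real list would be far larger.
KNOWN_BAD = {"password12345678", "adminadminadmin1"}
PBKDF2_ROUNDS = 200_000  # assumption: work factor chosen for this example


def hash_passphrase(passphrase, salt=None):
    """Return (salt, digest) so history can be stored without plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", passphrase.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def used_recently(passphrase, history):
    """history is a list of (salt, digest) pairs for recent passphrases."""
    for salt, stored in history:
        _, candidate = hash_passphrase(passphrase, salt)
        if hmac.compare_digest(candidate, stored):  # constant-time compare
            return True
    return False


def check_passphrase(passphrase, history):
    """Return the list of rule violations; an empty list means accepted."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append("too short")
    lowered = passphrase.lower()
    if any(bad in lowered for bad in KNOWN_BAD):
        problems.append("contains a known-bad password")
    if used_recently(passphrase, history):
        problems.append("used recently")
    return problems


if __name__ == "__main__":
    # Constructed sample history: one previously used passphrase.
    history = [hash_passphrase("correct horse battery staple")]
    for candidate in ("MyPassword12345678!", "correct horse battery staple"):
        print(check_passphrase(candidate, history))
```

The rule against reusing a passphrase from another service cannot be checked this way, because the service never sees what you use elsewhere; that one depends on the user.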

To read more about creating strong passwords, visit Strong Passwords for Your Computer, NetID, and Other Cornell Services.

Make your sign-ins more secure

  • Use multi-factor authentication. At Cornell, the standard is two-factor authentication, also known as Two-Step Login.
  • Don’t reuse a password across multiple sites or services. For example, don't use your Cornell NetID password for personal banking, shopping, or social media.
  • Avoid participating in social media surveys. Surveys that want to know the street you grew up on, your favorite pet’s name, or other personal trivia are actually collecting information you might have used in security questions—so don’t participate.
  • Similarly, don’t include personal information within a password. This includes favorite songs, movies, hometown, a pet’s name, and so on.
  • Change all temporary or default passwords on accounts or IT equipment. Always create a unique, strong password when opening a new app account or getting started with a new device. Never leave the default in use.
  • Check to see if you’ve been “pwned.” Online resources like Have I Been Pwned can show how widespread data breaches might be affecting your identity, underscoring the need to protect your passwords from malicious users.

Consider using a password management app

Password management apps can help you store and manage many passwords. They allow you to create one very strong password (typically called a master password or master passphrase) that is used to encrypt and store all other passwords.

For example, you may choose to manage passwords with LastPass, which Cornell has licensed as an optional service for students, faculty, and staff.

Avoid writing passwords down

Writing down passwords is not recommended. If you must write down a password, then:

  • Keep written passwords locked away in a file cabinet, desk drawer, or other secure location; be aware of who else may have access to or knowledge of those locations.
  • Never write down the URL of a service and the password for that site together; make sure anyone else reading it would have no idea which account it is associated with. For example, if you had a money bank shaped like a cat when you were a kid, you might write “cat” next to your bank password to help you remember what the password is for.
  • In the written copy, add or change one or more characters in a way that only you know and have memorized; when you type the password, leave out the added characters or type the correct ones.
  • Always enable two-factor authentication on websites, wherever available, so that if your password is stolen, there will be an additional layer of security.
