Skip to main content

Manage Passwords Safely

This article applies to: Security & Policy


Keeping your personal information, Cornell sign-in credentials, and important data safe means protecting your passwords. Anyone with active online accounts encounters dozens of passwords to access Cornell resources as well as personal online banking, e-commerce sites, and other websites. Below you will find some guidelines for how to manage your passwords safely.

Be aware that University policy forbids using your NetID password for any other sites or services, and it is poor security practice to use the same password for many different sites—so multiple passwords are a requirement.

Create unique, strong passwords

Make sure your passwords are:

  • Long (the longer, the better)
  • Complex (upper and lowercase letters, numbers, and special characters)
  • Unique (easy to remember, but difficult to guess)

Use one password for your Cornell NetID, and one each for services you want to keep very secure, such as personal device logins, online banking sites, or other key personal matters.

To read more about creating strong passwords, visit Strong Passwords for Your Computer, NetID, and Other Cornell Services.

Make Your Sign-Ins More Secure

  • Use multi-factor authentication.
    At Cornell, the standard is two-factor authentication, also known as Two-Step Login.
  • Don’t reuse a password across multiple sites or services.
    For example, don't use your Cornell NetID password for personal banking, shopping, or social media.
  • Avoid participating in social media surveys.
    Chatty surveys that want to know the street you grew up on, your favorite pet’s name, or other trivia about you are actually collecting information you might have used in security questions—so don’t participate.
  • Similarly, don’t include personal information within a password.
    This includes favorite songs, movies, hometown, a pet’s name, and so on.
  • Change all temporary or default passwords on accounts or IT equipment.
    Always create a unique, strong password when opening a new app account or getting started with a new device. Never leave the default in use.
  • Check whether you’ve been “pwned.”
    Online listings like “Have I Been pwned” can give you an indication how widespread data breaches affecting your identity are, underscoring the need to be vigilant about protecting passwords for services you don’t want malicious users to access.

Consider using a password management app

Password management apps can help you store and manage many passwords. They allow you to create one very strong password (typically called a Master Password) that is then used to encrypt and store all other passwords. 

For example, you may choose to manage passwords with LastPass, which Cornell has licensed as an optional central service offering.

Avoid writing passwords down

Writing down passwords is not recommended unless you have taken steps to secure it. If you must write down a password, then:

  • Keep written passwords locked away in a file cabinet, desk drawer, or other secure location; be aware of who else may have access to or knowledge about those locations.
  • Never write down the URL of a service and the password for that site together; make sure anyone else reading it would have no idea which account it is associated with. For example, if you had a money bank shaped like a cat when you were a kid, you might write “cat” next to your bank password to help you remember what the password is for.
  • Add or change one or more of the characters in the password that only you know and memorize it; when you’re typing it simply remove or type the correct character(s).
  • Regardless, enable two factor authentication on websites so that if your password is stolen, there will be an additional layer of security.

About this Article

Last updated: 

Tuesday, January 10, 2023 - 3:16pm

Was this page helpful?

Your feedback helps improve the site.

Comments?