Create a Strong Passphrase for your Device, NetID, and Other Cornell Services
Strong passphrases are the barrier between your valuable personal information and resources, and the criminals who are trying to get at them.
This article applies to: Secure Password Management , Secure Your Computer and Mobile Device , Security & Policy
Cornell’s password / passphrase requirements are changing in Fall 2025. The new requirements outlined below better align with current security standards and best practices.
Until 9/30/2025, the previous requirements will be in place and continue to be shown on the Manage Your NetID website.
The requirements below will apply to all new accounts, and must be followed going forward for existing Cornell accounts that change their password / passphrase.
Keep Your Passphrase Secure
Strong passphrases (formerly called passwords) are the barrier that stands your valuable personal information and resources, and the criminals who are trying to get at them.
Your NetID passphrase must be different from any other password or passphrase that you use for Cornell or personal accounts. This helps ensure that your Cornell information will still be protected even if your other passwords or passphrases are stolen.
- Do not write your passphrase down or store it on your computer.
- If you think your passphrase has become known to someone other than you or if you suspect it has been compromised by a criminal, change your passphrase immediately.
- In addition, if you think your account has been compromised, report the incident to the IT Security Office.
- Contact the IT Service Desk if you're unable to change your passphrase.
Cornell Passphrase Requirements
These requirements are effective starting Fall 2025 for new and updated NetID accounts:
- Minimum passphrase length is 16 characters.
- There is no longer a requirement to include upper-case letters, numbers, special characters, or symbols, though you are still allowed to use them if you wish.
- The passphrase may not include a known-bad password (i.e., “password12345678” or “adminadminadmin1”).
- The passphrase cannot be one you have used recently.
- The passphrase must not reuse one that you have used for any other service (at Cornell or otherwise).
Where and How to Change Your NetID Password
For details and instructions about how to update your Cornell NetID passphrase, visit Change Your NetID Password.
Tips for a Creating a Strong and Memorable Passphrase
It is recommended that you use a passphrase of 4 to 7 words, rather than a traditional password. This can be a sentence or, even better, a series of unrelated words that you can easily remember, but that would be difficult for others to guess.
- Try something like "Sunshine-river-couch-1984" or "correct horse barn stable rainstorm".
- Because passphrases no longer require unusual characters (though you may use them if you wish), you can come up with a phrase or sequence uniquely memorable to you but not easily guessed by others.
- Do not use common catchphrases, memes, movie titles, popular song lyrics, personal details about you, searchable information (like your hometown or street name), or keyboard patterns like “qwertyuiop asdfgh” or “1234567890123456”.
- Never reuse passwords from other sites or accounts.
Set Up a Recovery Email Address
It is strongly recommended that you set up a recovery email address.
This is a secure, non-Cornell email address where you can receive an email that contains a special link to reset your Cornell NetID passphrase when you have lost or forgotten it, without needing to contact the Cornell IT Service Desk.
For more information, visit Set a NetID Recovery Email Address.
Comments?
To share feedback about this page or request support, log in with your NetID