IT@Cornell


Best Practices for Managing Passwords Safely


Why do I have to choose a complex password for my NetID?

Your NetID and password control access to highly confidential data, some of which requires protection mandated by federal legislation. Tools for cracking simple passwords are readily available, so it is essential that your NetID password be strong to prevent unauthorized individuals from discovering it.

Complex passwords are akin to deadbolt locks on a door. Just as deadbolt locks are far more effective than standard locks at preventing break-ins, complex passwords are far superior to simple passwords at protecting access to your information.

In 2002, the university auditor recommended that CIT implement technical measures to ensure that users choose secure NetID passwords. The criteria for what constitutes a secure password were developed as a result, along with the web-based method for selecting a password.

Most users today have to keep track of sometimes dozens of passwords: for Cornell resources, online banking, e-commerce sites such as eBay or Amazon, and other web sites.


University policy forbids using your NetID password for other sites, and it is a poor security practice to use the same password for all sites, so multiple passwords are a requirement.

Create unique, strong passwords

  • One for your Cornell NetID
  • One each for any services that you want to keep very secure, such as logging on to your computer, online banking, or other key personal matters
  • One in common for services where you are less concerned about security or if other people access the information

Consider using a password storage utility

The most secure way to store and manage passwords is to use one of many available password storage utilities. These utilities allow you to create one very strong password that is then used to encrypt and store all other passwords. See a list of recommended password storage utilities.

Use caution if writing your passwords down

Obviously, the more passwords you have to use, the greater the temptation to write those passwords down to ensure they are remembered. If you need to write down a password, make sure the account with which it is associated is unclear. For example, do not write down the URL for your bank with your password written next to it. Instead, either write down the password, without listing what the password belongs to, or pick a word or phrase that will remind you of your bank, without being obvious.

For example, if you had a money bank shaped like a cat when you were a kid, you might write “cat” next to your bank password to help you remember that it is your bank password.

Keep people from trespassing on your computer

Make sure the password that unlocks your computer is not used for any other purpose, and that it is strong. Don’t use “remember password” utilities in your web browser or email client. They make it easy for someone to log into your accounts if they gain access to your computer. Encrypt any passwords stored on your computer. It does not matter how complex your passwords are if someone can find them. Your passwords should always be kept private.