Passwords

The Nevada System of Higher Education follows the National Institute of Standards and Technology (NIST) cyber security framework to increase information security across the system. The updated UNLV password guidelines improve security and bring the standards more in line with NIST recommendations.

Password Criteria

  1. Must be at least 12 characters in length
  2. May use any character on the keyboard (including “space”), if the system allows
  3. Do not use repetitive characters or common patterns (e.g., aaaa, 1234, qwerty, 1qaz2wsx)
  4. Do not use a dictionary word with common character substitutions (e.g., PA$$word, PA55word)
  5. Do not use any password shown as an example in these guidelines (or anywhere else)
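The criteria above can be enforced mechanically when a password is set. The following is an added example, not code from UNLV or NSHE: the word lists are small constructed samples, the run length of four is an assumption taken from the "aaaa" and "1234" examples, and criterion 4 is interpreted as "a dictionary word appears only after common substitutions are undone" so that plain-word passphrases are not rejected.

```python
import re

MIN_LENGTH = 12  # criterion 1
# Constructed sample lists (assumption); a deployment would load larger ones.
KEYBOARD_PATTERNS = ("qwerty", "asdf", "zxcv", "1qaz", "2wsx")
DICTIONARY = {"password", "welcome", "dragon", "monkey"}
# Passphrase examples printed in the guidelines themselves (criterion 5).
GUIDELINE_EXAMPLES = {"correct horse battery staple apple reader",
                      "1<3horses,thArGr8!", "MnmtleSeiwowir."}
# Common character substitutions, undone before the dictionary lookup.
LEET = str.maketrans("$5@4301!7", "ssaaeoiit")


def has_repeat(pw, run=4):
    """True if one character repeats `run` times in a row (e.g. aaaa)."""
    return re.search(r"(.)\1{%d}" % (run - 1), pw) is not None


def has_sequence(pw, run=4):
    """True if `run` adjacent characters step up or down by one (1234, dcba)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        steps = {codes[j + 1] - codes[j] for j in range(i, i + run - 1)}
        if steps in ({1}, {-1}):
            return True
    return False


def has_substituted_word(pw):
    """True if a dictionary word shows up only after undoing substitutions."""
    lowered = pw.lower()
    plain = lowered.translate(LEET)
    return any(w in plain and w not in lowered for w in DICTIONARY)


def check_password(pw):
    """Return the violated criterion numbers; an empty list means acceptable."""
    failed = []
    if len(pw) < MIN_LENGTH:
        failed.append(1)
    if (has_repeat(pw) or has_sequence(pw)
            or any(p in pw.lower() for p in KEYBOARD_PATTERNS)):
        failed.append(3)
    if has_substituted_word(pw):
        failed.append(4)
    if pw in GUIDELINE_EXAMPLES:
        failed.append(5)
    return failed
```
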

Passphrases

The best passwords provide a combination of security and memorability. Passphrases are long password strings that are easily remembered yet hard for a potential attacker to guess.

Some commonly accepted methods for generating a passphrase:

  • Use several random dictionary words with spaces between them. You should use at least six random words.
    • Example: correct horse battery staple apple reader
  • Use a sentence or phrase you will remember and convert parts phonetically or with symbols.
    • Example Sentence: I love horses, they are great!
    • Example Passphrase: 1<3horses,thArGr8!
  • Use a long memorable sentence and take the first character of each word as the passphrase (include sentence punctuation).
    • Example sentence: My neighbor mows the lawn every Saturday except in winter or when it’s raining.
    • Example Passphrase: MnmtleSeiwowir.

Password Expiration

Passwords will not expire at regular intervals. A password change will be required only if a breach of the account or a compromise of the password is suspected.

Password Reuse

Do not use the same password for two different services (e.g., websites, computing devices, mobile apps). Additionally, when changing a password, do not use a password that you have previously used.

Password Managers

Password managers allow you to easily store and recall passwords for all your accounts and secure them with a master password. LastPass is a password manager that is available to UNLV students, alumni, and employees. Students and alumni can get a premium account for personal use. Employees and student workers can get a business account for work-related logins. The service is optional and offered at no cost.

Users are encouraged to review the features of a password manager and ensure that it meets their personal requirements and is compatible with the platforms on which they plan to use it.

Some general recommendations when using any password manager:

  • Ensure that you select a very secure master password. If this password is compromised, an attacker could have access to all your other passwords. Use the passphrase guidelines above to create a passphrase that is secure yet memorable.
  • Password managers, such as LastPass, include a browser plugin that will allow you to autofill passwords on websites or autosave passwords as you input them. If these plugins are used, they should be configured to auto-logout after a period of time so that you will need to enter your master password again. They should not be left unlocked indefinitely.

Notes

Some systems may not be able to accommodate the new password criteria. Every effort should be made to create strong passwords within the technical constraints of the system.

Some systems may have requirements to make passwords more stringent than reflected in these guidelines. Those system requirements must be followed.