Interface Online Center for Information Technology (CIT)

Summer 2007 [Number 238]


NIH Password Policy Strengthened

As of July 5, 2007, NIH implemented changes to its password policy for all Active Directory (AD) accounts within the NIH Network. The policy applies to all employees and contractors who log in to NIH computers or computers that access the NIH Network remotely.

The current policy changes will help NIH balance the demands of IT security and the free flow of information necessary for NIH research. The overarching goal is always to help facilitate the NIH mission by protecting the confidentiality, integrity, and availability of NIH information.

What has changed

Several characteristics of NIH passwords have been strengthened to ensure better security for all users. Previously, passwords had to be changed only every six months (180 days); NIH is now phasing in a shortened password age of 90 days. In addition, the minimum password length has been increased to eight characters, and users now have only six attempts at entering the correct password before being locked out of the login process. Once locked out, users will be unable to log in again for one hour, up from the previous 15 minutes of lock-out.

Keep in mind that passwords can only be changed once a day and that any new password chosen must differ from your previous 10 passwords. As always, authorized users are responsible for the security of their passwords and accounts. The complete NIH password policy and password requirements can be found online.

What to do

    Create a password with at least 8 characters that has a combination of at least 3 of the following: capital letters, lower case letters, numeric characters, or special characters (! @ # $ % ^ & * ( ) _ - + = ` ~).

    Choose a password that is different from your 10 previous passwords each time you change it and change it every 90 days.

    Contact the Help Desk (301-496-4357) immediately if you believe your password may have been compromised.

    Log off or lock your desktop screen when you leave your desk.

    Use a password-protected screensaver and set it to activate if your system is idle for 15 minutes or longer.

What not to do

    Don't use your login name or your first or last name as your password or part of your password.

    Don't share login information and passwords with other users.

    Don't use the same password for NIH accounts as for non-NIH accounts.

    Don't reveal your password to anyone over the phone, by e-mail, or in person.
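The composition, name and history rules listed above can be checked mechanically. The following is an added example, not NIH's or Active Directory's own code: the function names, the PBKDF2 parameters and the sample values are assumptions made for illustration. Previous passwords are compared through salted hashes so that the history is never kept in plaintext.

```python
import hashlib
import hmac
import os

SPECIALS = set("!@#$%^&*()_-+=`~")  # special characters listed in the article
MIN_LENGTH = 8                      # minimum length from the policy
MIN_CLASSES = 3                     # at least 3 of the 4 character classes
HISTORY_DEPTH = 10                  # must differ from the previous 10 passwords


def hash_password(password, salt=None):
    """Return (salt, digest); the iteration count is an assumed value."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def check_password(password, login, first, last, history):
    """Return the list of rule violations; an empty list means it passes.

    history is a list of (salt, digest) pairs, oldest first.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIALS for c in password),
    ]
    if sum(classes) < MIN_CLASSES:
        problems.append("fewer than 3 character classes")
    lowered = password.lower()
    # Login name, first name or last name must not appear anywhere in it.
    if any(n and n.lower() in lowered for n in (login, first, last)):
        problems.append("contains login or personal name")
    # Only the 10 most recent entries count; re-hash with each stored salt.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append("matches one of the previous 10 passwords")
            break
    return problems
```

The name check is a plain substring match, so a very short first or last name will reject many otherwise acceptable passwords.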

Changing your NIH Password

Briefly, there are two ways to change your main NIH (Active Directory) password:

    While logged in to your PC at your NIH workplace, press the keys "Ctrl-Alt-Delete". A small dialog window will appear; click on the button that says "Change Password" and follow the instructions.

    If you know your password and would like to change it but are not at your own PC (or you are not a PC user), go to http://password.nih.gov and select “Change Password.”

    NCI users should log in to the NCI password Web page and follow the instructions there to change their password.

    If you know your password you can also register for the Password Self Service at https://iForgotMyPassword.nih.gov (works best with Internet Explorer 6 or higher). Contact the NIH Help Desk if you need assistance. Password Self Service lets you reset your password if you have forgotten it, unlock your locked account, and validate your identity during future password-related Help Desk calls (see also the related Interface article in issue #237, Spring 2007: Help - I Forgot My Password!).

Forgotten or compromised passwords

Compromised passwords must be reported to the NIH Help Desk at 301-496-4357. The Help Desk will contact the appropriate NIH Institute or Center (IC). Forgotten NIH passwords may be reset by an authorized administrator or by using a self-service Web site utility such as https://iForgotMyPassword.nih.gov.

    If you forget your password and are already registered with the Password Self Service, go to https://iForgotMyPassword.nih.gov to reset your password.

    NCI users should log in to the NCI password Web page and follow the instructions there.

    Forgotten NIH passwords may also be reset by an authorized administrator or by calling the Help Desk at: 301-496-4357 (301-496-HELP) (local), 866-319-4357 (toll free), 301-496-8294 (TTY). Email: ithelpdesk@nih.gov

Passwords for Parachute and VPN accounts

Parachute and VPN accounts use your main NIH (Active Directory) account. Therefore, the user ID and password for Parachute and VPN are your NIH (Active Directory) user ID and password. For assistance please contact the NIH Help Desk.

Your NIH Login password

The NIH Login is a central utility that authenticates you with your domain username and password. For example, if you use the NIH Login at https://my.nih.gov, you are taken to your account in the NIH Portal. This process will allow you to access NIH Login-enabled applications through the same password without logging in again.

More information

If you need help in resetting your password or if you forget your password, please contact the NIH Help Desk: 301-496-4357 (301-496-HELP), 866-319-4357 (toll free), 301-496-2924 (TTY), or by email.

 
Published by Center for Information Technology, National Institutes of Health