Interface Online Center for Information Technology (CIT)

April 20, 2005 [Number 232]

New NIH Password Policy Is in Effect

NIH began a new password policy on January 12, 2005. The policy applies to all employees and contractors who log in to NIH computers or computers that access the NIH Network remotely. This policy helps facilitate the NIH mission by protecting the confidentiality, integrity, and availability of NIH information. With this new policy, NIH is balancing the need to protect information while continuing to ensure the free flow of information so important to conducting research and improving public health.

IT security is becoming a bigger concern for NIH because hacker attacks are increasing in number and severity. As the use of electronic communications increases, risks arise that hackers will exploit vulnerabilities to steal or modify data and invalidate research. Strong passwords are the first line of defense against these potential intruders.

A strong password policy is necessary to prevent hackers from gaining unauthorized access into a system and any resources available to an authenticated user. Exploitation of weak passwords is one of the easiest and most common methods used by hackers to gain access to systems. Furthermore, a network is only as secure as its weakest link, and compromises in one computer can quickly spread to other areas of a network.

Responsibilities of Users

In the new password policy—as in the previous password policy—you have to change your password every six months (180 days). System level passwords must change more often (90 days). There are also new requirements for password length and complexity.

Authorized users are responsible for the security of their passwords and accounts.

•       What to Do

    - Create a password with at least 7 characters that has a combination of at least 3 of the following—capital letters, lower case letters, numeric characters, or special characters.

    - Choose a password that is different from your 10 previous passwords each time you change it.

    - Contact the NIH Help Desk immediately at 301-496-4357 or helpdesk@mail.nih.gov if you believe your password may have been compromised.

    - Log off or lock your desktop screen when you leave your desk.

    - Use a password-protected screensaver and set it to activate if your system is idle for 15 minutes or longer.

•       What Not to Do

    - Don't use your login name or your first or last name as your password or part of your password.

    - Don't share login information and passwords with other users.

    - Don't use the same password for NIH accounts as for non-NIH accounts.

    - Don't reveal your password to anyone over the phone, by e-mail, or in person.
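
The length, complexity, name and history rules from the two lists above, written as a checker. This is an added example, not NIH's own code: the function names, the choice to count any non-alphanumeric character as "special", and the salted PBKDF2 history store are assumptions, since the article does not say how the policy is enforced.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 7        # "at least 7 characters"
MIN_CLASSES = 3       # "at least 3 of the following"
HISTORY_DEPTH = 10    # "different from your 10 previous passwords"
PBKDF2_ROUNDS = 200_000  # assumption: storage scheme is not given in the article


def hash_password(password, salt=None):
    """Return (salt, digest) so history is kept without storing plaintext."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def character_classes(password):
    """Count how many of the four classes named in the policy are present."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),  # assumption: "special" = non-alphanumeric
    ])


def check_password(candidate, login, first, last, history):
    """Return a list of rule violations; an empty list means the candidate passes.

    history is a list of (salt, digest) pairs, oldest first.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 7 characters")
    if character_classes(candidate) < MIN_CLASSES:
        problems.append("fewer than 3 character classes")
    lowered = candidate.lower()
    # Case-insensitive substring match covers "part of your password".
    if any(name and name.lower() in lowered for name in (login, first, last)):
        problems.append("contains login, first or last name")
    # Re-hash the candidate under each stored salt; compare in constant time.
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(candidate, salt)[1], digest):
            problems.append("matches one of the 10 previous passwords")
            break
    return problems
```

Because each history entry has its own salt, the candidate must be re-hashed once per stored entry, which is why the check costs up to ten PBKDF2 computations.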

See the complete "NIH User Password Requirements" on-line. The "NIH Password Policy" is also on-line.

See a previous Interface article, "Are you a Computer Hackers Target?" in the July 2003 issue (number 227).

How to Change Your Password

•       Network Login

    Your network login is what you use to log on to your computer. To change the network password, just press Control + Alt + Delete, as you would to log off. In the lower left corner, click on "Change Password…" Your "User Name" and "Domain" are already visible. Enter your old password, your new password, and confirm your new password.

    This is the same thing as changing your email account password through the NIH Central Email Service webpage.

•       NIH Login

    The NIH Login is what you use to log on to the NIH Portal—click "Change Password" to bring up the screen for changing your password.

    You will be asked to enter your user name and current password—the ones you use to log on to the network—and a new password. If the user name and current password you enter are correct, you get a message, "Your password has been successfully changed."

    The NIH Login is a central area that authenticates you with your user name and password. Once logged on to NIH Portal, you can access certain NIH Login-enabled applications (e.g., ITAS, Human Resources, NBS-Travel, nVision) without logging in again.

•       VPN and Parachute Passwords

    To change your VPN password or your Parachute password, please call the NIH Help Desk at 301-496-4357 or e-mail helpdesk@mail.nih.gov.

Remember, IT security is about protecting information assets by effectively managing risks. Creating a password that is hard to guess is a worthwhile and necessary investment in protecting NIH information.

More Information

If you need help in resetting your password or if you forget your password, please call the NIH Help Desk at 301-496-4357 or e-mail helpdesk@mail.nih.gov.

 
Published by Center for Information Technology, National Institutes of Health