EPA IT Password Security Policies
AQS is being required to implement new EPA IT Password Security Policies. AQS will deploy the changes outlined below to comply with these new polices on Tuesday, August 1, 2017 at 7:00AM. Specific rules in this policy require the following:
- Passwords shall be at least twelve (12) non-blank characters long.
- All passwords, including initial passwords, shall be composed of a minimum of one character from at least three (3) of the following four (4) categories:
- English uppercase letters (e.g. A-Z);
- English lowercase letters (e.g. a-z);
- Non-alphanumeric special characters (e.g. !, #, $, %, etc); and
- Base 10 digits/numerals (e.g. 0-9).
- Passwords shall not contain any of the following:
- Dictionary words (e.g. computer, work) or common names (e.g. Betty, Fred, Rover);
- Portions of associated account names (e.g. user ID, login name);
- Consecutive character strings (e.g. abcdef, 12345);
- Simple keyboard patterns (e.g. QWERTY, asdfgh); and
- Generic passwords (i.e. passwords consisting of a variation of the word "password" [e.g. Passw0rd1]).
- At least 50% of the characters shall be changed when new passwords are created.
- Passwords may not be reused for 24 generations.
Additionaly, the new EPA policy requires passwords to have a minimum lifetime (i.e. how often they expire) of 60 days. Based on past interaction with the AQS user community and input from the EPA AQS Regional contacts, the AQS Federal Team is requesting a waiver for this requirement. It will not be implemented unless and untill the waiver is denied.