The Mystery Behind the Password


By: VeCoya Greene

We asked – and you answered!

You told us that you’re frustrated by the password requirements for AESDirect, based on your responses from our most recent customer service survey.

Our goal is not to make your life more difficult; in fact, we want to protect you and the information you file to the AES. The password requirements work to achieve two goals—protecting export data from unauthorized access and protecting the privacy of our filers.

Why are the password requirements so complicated?

The rules for creating or changing your password are mandated by the Federal Information Security Management Act (FISMA) and enforced by the U.S. Department of Commerce, of which the Census Bureau is a part.

The IT security team designed the password requirements to prevent security breaches in AESDirect filer accounts.

Why do I have to change my password so often?

According to the ‘Required Security Controls for Census Bureau Information Systems’, certain rules must be followed to ensure password safety. One of those requirements is to change passwords at least once every 60 calendar days.

The Census Bureau’s security policy states that

“…the AESDirect System must adhere to security requirements established by FISMA as part of Title III of the E-Government Act of 2002. Through the enforcement of these security mandates, parameters are established based on predetermined frequencies and durations in order to strengthen the security posture of the system. All users accessing a government system are agreeing to the terms and conditions of that system.”

These security requirements strengthen the security of AES for all users!


20 Responses to The Mystery Behind the Password

  1. Michael Smiszek says:

    No one disputes the need for password protection. But it seems that your sister agency in Commerce, BIS, must use a different security standard for SNAP-R passwords. Maintaining a valid SNAP-R password is much easier to deal with.

    • Diane Baana says:

      I agree with Michael and others that complain about AES password nightmares. The restrictions and length of the password for AES make it impossible to remember, so we have to write it down and try to keep it in a safe place, which isn’t necessarily secure. Changing the password so often is not only a nightmare to find one that is not similar to the other but is so much wasted time and frustration for industry.

    • Global Reach VeCoya says:

      Good Morning Michael, the complexity of our password requirements ensures our highest standard of data protection. AESDirect follows FISMA security standards. To seek information regarding SNAP-R security standards, please feel free to contact the BIS SNAP-R Help Desk at (202) 482-2227 or you can email Thank you!

  2. Maria E Zapata says:

    The constant changes of the password for AES and the extreme difficulty of creating a password have made the system way way way more vulnerable, as most people have to write down the new password and by the time they memorize it, it is time to change it again. Passwords, to be useful, should be comprised of letters, numbers and symbols that the user can remember and should be changed as the person thinks it’s necessary and/or twice a year.
    Having to write down the passwords in order to remember them takes away the effectiveness of having one.
    The AES password requirements are extremely annoying and difficult.

  3. Joseph Paul Blough says:

    What about people on disability with no cell phones? I don’t know if this is related to the password thing here, but on Facebook, if you don’t have a cell phone to prove who you are, when you get locked out of the login with errors, they delete your Facebook, like they did to me last year. So what do you do for people like that, or people who are impaired mentally? Just curious.

  4. Merv W says:

    I agree with Maria – the number one security rule I have always been taught is “don’t write down your passwords”. In the past, after having to recover a password, I have been advised by AES (both verbally and in writing) to write down the password. Needing to maintain a written password is nearly the equivalent of having no password.

  5. Gabriela Palouda-Jones says:

    Excellent point! I observed someone spending 20 minutes on creating a new password. I’m not sure about the government but in private industry, we do not have that much time to spend on a 60-day valid password creation!



  7. Sheri Parshall says:

    Having recently dealt with an expired password, I found it extremely frustrating that a fax was required to fix the problem, which was incredibly frustrating in this electronic age.

    • Global Reach VeCoya says:

      Good Morning Sheri, the ‘Automated Password Recovery Process’ is now available. Users can enable this feature and answer security questions whenever their password is forgotten or has expired.

  8. B G H says:

    Everything you need to know about why the current requirements are bad. As several others have pointed out, if you have to write it down, it isn’t a good password.

  9. Donald Denny says:

    I have found that if you use an ocean B/L number such as APLU12341234, this works. I can’t remember if I may have used a – (dash) as well.
    You can also use a phone number with a dash or also put a letter in between your numbers.

  10. Roy says:

    Good luck finding a password on my desk!
    I’d suggest you don’t overthink the password. Just use your keyboard and remember a pattern. Start or end with a Cap and special character.
    I like to make mine really long but easy to type so a casual observer thinks I’m smart.

  11. Kevin McDermott says:

    All of you are making password creation more difficult than it really is. Google strong password and you will find many secure websites that will create a 12-character password that satisfies the AES requirement. will create a list of passwords that you can save as a text file. Sent by SSL, using random noise as the algorithm. Five minutes and you can have a list of 20 passwords and you are good for over 3 years. Create a zip file that requires a password for access, use a password of your liking, include the password text file, and drop it on your desktop. Easy access, copy and paste into AES, and more secure than writing down a password on paper.

  12. Rosie Ramirez says:

    I agree .. To me this is a nightmare.
    I think they should have an effective change and of course easy.

  13. Karin says:

    I find it helpful to take an ordinary (‘dictionary’) word and replace some of the letters with ‘special’ characters, for example Pa$$word

    As an infrequent exporter, I have trouble remembering to sign-on every 30 days, and re-set password every 60 days.

  14. Cheryl says:

    I use the first letter of song lyrics minus vowels + a number…. works like a charm. So for example “Hwbtsh27yghtphnbb” is clearly a John Denver tune from way back in the day “He was born in the summer of his 27th year, going home to a place he’d never been before.” Keeps me from having to write it down, and I get an earworm every time I need to log into AES. (And lest you judge me, I’m not limited to the mellow sounds of the 70s, k?)

    A friend of mine uses Bible Verses. Her bonus is it helps her to learn them.

  15. Medicare Preventive visit says:

    That’s one good post. I appreciate you for this.
    According to my perception, it’s quite necessary to protect the password because a lot of privacy needs to be kept safe. If you don’t do this, then your privacy will no longer be safe.
    Google strong password and you will find many secure websites from there to give protection.

  16. Lee says:

    I was trying to change my 60-day PW but system keeps saying to use passwords that have not been used. I created one and another and another and another but system response is the same –what’s going on?

  17. Steve says:

    It is easier and less complicated to get into TSA homeland security websites which also change every 60 days. The process for AES passwords is way out of line and borderline ridiculous and whoever created the process doesn’t operate in the real world.
