- Global Reach Blog - http://globalreach.blogs.census.gov -

The Mystery Behind the Password

Posted By Global Reach Daniel On May 29, 2013 @ 9:56 am In Export Filing | 20 Comments

By: VeCoya Greene

[1]We asked – and you answered!

You told us that you’re frustrated by the password requirements for AESDirect, based on your responses from our most recent customer service survey.

Our goal is not to make your life more difficult; in fact, we want to protect you and the information you file to the AES. The password requirements work to achieve two goals—protecting export data from unauthorized access and protecting the privacy of our filers.

Why are the password requirements so complicated?

The rules for creating or changing your password are mandated by the Federal Information Security Management Act (FISMA) and enforced by the U. S. Department of Commerce, of which the Census Bureau is a part.

The IT security team designed the password requirements to prevent security breaches in AESDirect filer accounts.

Why do I have to change my password so often?

According to the ‘Required Security Controls for Census Bureau Information Systems [2]’, certain rules must be followed to ensure password safety. One of those requirements is to change passwords at least once every 60 calendar days.

The Census Bureau’s security policy states that

“…the AESDirect System must adhere to security requirements established by FISMA as part of Title III of the E-Government Act of 2002 [3]. Through the enforcement of these security mandates, parameters are established based on predetermined frequencies and durations in order to strengthen the security posture of the system. All users accessing a government system are agreeing to the terms and conditions of that system.”

These security requirements strengthen the security of AES for all users!

(Visited 2,506 times, 1 visits today)

20 Comments (Open | Close)

20 Comments To "The Mystery Behind the Password"

#1 Comment By Michael Smiszek On May 29, 2013 @ 4:46 pm

No one disputes the need for password protection. But it seems that your sister agency in Commerce, BIS, must use a different security standard for SNAP-R passwords. Maintaining a valid SNAP-R password is much easier to deal with.

#2 Comment By Diane Baana On May 30, 2013 @ 9:24 am

I agree with Micheal and others that complain about AES password nightmares. The restrictions and length of the password for AES makes it impossible to remember so we have to write it down and try to keep it in a safe place which isn’t necessarily secure. Changing the password so often is not only a nightmare to find one that is not similar to the other but is so much wasted time and frustration for industry.

#3 Comment By Global Reach VeCoya On May 31, 2013 @ 9:50 am

Good Morning Michael, the complexity of our password requirements ensures our highest standard of data protection. AESDirect follows FISMA security standands. To seek information regarding SNAP-R security standards, please feel free to contact the BIS SNAP-R Help Desk at (202) 482-2227 or you can email [4]. Thank you!

#4 Comment By Maria E Zapata On May 29, 2013 @ 8:51 pm

The constant changes of the password for aes and the extreme difficulty of creating a password has made the system way way way more vulnerable as most people have to write down the new password and by the time they memorize it, it is time to change it again. Passwords to be usefull should be compromised of letters numbers and symbols that the user can remember and should be changed as the person thinks its necessary And/or twice a year.
Having to write down the passwords in order to remember them takes away the effectiveness of having one.
The aes password requirements are extremely annoying and difficult

#5 Comment By Joseph Paul Blough On May 29, 2013 @ 9:15 pm

what about people on disability with no cell phones? I don’t know if this is related to the password thing here, but on facebook, if you don’t have a cell phone to prove who you are, when you get locked out of the login with errors, they delete your facebook, like they did to me last year. so what do you do for people like that, or people who are impared mentally? Just curious.

#6 Comment By Merv W On May 30, 2013 @ 8:32 am

I agree with Maria – the number one security rule I have always been taught is “don’t write down your passwords”. In the past, after having to recover a password, I have been advised by AES (both verbally and in writing) to write down the password. Needing to maintain a written password is nearly the equivalent of having no password.

#7 Comment By Gabriela Palouda-Jones On May 30, 2013 @ 8:43 am

Excellent point! I observed someone spending 20 minutes on creating a new password. I’m not sure about the government but in private industry, we do not have that much time to spend on a 60-day valid password creation!

#8 Comment By RICKY LYNN APPLE On May 30, 2013 @ 10:18 am


#9 Comment By Sheri Parshall On May 30, 2013 @ 11:09 am

Having recently dealt with an expired password, I found it extremely frustrating that a fax was required to fix the problem, which was incredibly frustrating in this electronic age.

#10 Comment By Global Reach VeCoya On May 31, 2013 @ 9:46 am

Good Morning Sheri, the ‘Automated Password Recovery Process’ is now available. Users can enable this feature and answer security questions whenever their password is forgotten or has expired.

#11 Comment By B G H On May 30, 2013 @ 11:17 am

Everything you need to know about why the current requirements are bad. As several others have pointed out, if you have to write it down, it isn’t a good password.

#12 Comment By Donald Denny On May 30, 2013 @ 11:56 am

I have found that if you use an ocean B/L number such as APLU12341234, this works. I can’t remember if I may have used a – (dash) as well.
You can also use a phone number with a dash or also put a letter in between your numbers.

#13 Comment By Roy On May 30, 2013 @ 12:04 pm

Good luck finding a password on my desk!
I’d suggest you don’t over think the password. Just use your keyboard and remember a pattern. Start or end with a Cap and special caricature.
I like to make mine really long but easy to type so a casual observer thinks I’m smart.

#14 Comment By Kevin McDermott On May 30, 2013 @ 12:25 pm

All of you are making password creation more difficult than it really is. Google strong password and you will find many secure websites that will create a 12 character password that satisfies the AES requirement. Random.org will create a list of passwords that you can save as a text file. Sent by SSL, using random noise as the algorithim. Five minutes and you can have a list of 20 passwords and you are good for over 3 years. Create a zip file that requires a password for access, use a password of your liking, include the password text file, and drop it on your desktop. Easy access, copy and paste into AES, and more secure than writing down a password on paper.

#15 Comment By Rosie Ramirez On May 30, 2013 @ 5:33 pm

I agree .. To me this is a nightmare.
I think they should have an effective change and of course easy.

#16 Comment By Karin On May 31, 2013 @ 5:46 pm

I find it helpful to take an ordinary (‘dictionary’) word and replace some of the letters with ‘special’ characters, for example Pa$$word

As an infrequent exporter, I have trouble remembering to sign-on every 30 days, and re-set password every 60 days.

#17 Comment By Cheryl On June 17, 2013 @ 11:33 am

I use the first letter of song lyrics minus vowels + a number…. works like a charm. So for example “Hwbtsh27yghtphnbb” is clearly a John Denver tune from way back in the day “He was born in the summer of his 27th year, going home to a place he’d never been before.” Keeps me from having to write it down, and I get an earworm every time I need to log into AES. (And lest you judge me, I’m not limited to the mellow sounds of the 70s, k?)

A friend of mine uses Bible Verses. Her bonus is it helps her to learn them.

#18 Comment By Medicare Preventive visit On June 19, 2013 @ 9:39 am

That’s good one post I appreciate you for this.
According my perception it’s quite necessary to protect the password because a lot of privacy is needed to save. If you don’t do these than your privacy will not be save no longer.
Google strong password and you will find many secure websites from there to give protection.

#19 Comment By Lee On February 3, 2014 @ 4:29 pm

I was trying to change my 60-day PW but system keeps saying to use passwords that have not been used. I created one and another and another and another but system response is the same –what’s going on?

#20 Comment By Steve On April 15, 2014 @ 1:42 pm

It is easier and less complicated to get into TSA homeland security websites which also change every 60 days. The process for AES passwords is way out of line and borderline ridiculous and whoever created the process doesn’t operate in the real world.

Article printed from Global Reach Blog: http://globalreach.blogs.census.gov

URL to article: http://globalreach.blogs.census.gov/2013/05/29/the-mystery-behind-the-password/

URLs in this post:

[1] Image: http://globalreach.blogs.census.gov/files/2013/05/1609398511.jpg

[2] Required Security Controls for Census Bureau Information Systems: http://cww.census.gov/dir/pco/policy/ppm/docs/Required%20Security%20Controls%20for%20Census%20Bureau%20Information%20Systems%20V1.0_Oct%202012.pdf

[3] Title III of the E-Government Act of 2002: http://csrc.nist.gov/drivers/documents/HR2458-final.pdf

[4] : mailto:SNAPR@bis.doc.gov