An official website of the United States government.

This is not the current EPA website. To navigate to the current EPA website, please go to This website is historical material reflecting the EPA website as it existed on January 19, 2021. This website is no longer updated and links to external websites and some internal pages may not work. More information »

EPA IT Password Security Policies

AQS is being required to implement new EPA IT Password Security Policies. AQS will deploy the changes outlined below to comply with these new polices on Tuesday, August 1, 2017 at 7:00AM. Specific rules in this policy require the following:

  1. Passwords shall be at least twelve (12) non-blank characters long.
  2. All passwords, including initial passwords, shall be composed of a minimum of one character from at least three (3) of the following four (4) categories:
    1. English uppercase letters (e.g. A-Z);
    2. English lowercase letters (e.g. a-z);
    3. Non-alphanumeric special characters (e.g. !, #, $, %, etc); and
    4. Base 10 digits/numerals (e.g. 0-9).
  3. Passwords shall not contain any of the following:
    1. Dictionary words (e.g. computer, work) or common names (e.g. Betty, Fred, Rover);
    2. Portions of associated account names (e.g. user ID, login name);
    3. Consecutive character strings (e.g. abcdef, 12345);
    4. Simple keyboard patterns (e.g. QWERTY, asdfgh); and
    5. Generic passwords (i.e. passwords consisting of a variation of the word "password" [e.g. Passw0rd1]).
  4. At least 50% of the characters shall be changed when new passwords are created.
  5. Passwords may not be reused for 24 generations.

Additionally, the new EPA policy requires passwords to have a minimum lifetime (i.e. how often they expire) of 60 days.