Password Requirements

NOTE: eRA users are currently being transitioned to require the use of two-factor authentication (Login.gov or InCommon Federated accounts that support NIH’s two-factor authentication standards) instead of using eRA account credentials. See https://www.era.nih.gov/faqs.htm#XXIV. However, eRA users still possess an eRA account username and password (separate from their Login.gov or InCommon Federated account credentials) and must continue to change the eRA account password at least once a year.

The following list highlights the password requirements for eRA credentials:

  • Must be at least fifteen (15) characters long.
  • Case sensitive.
  • May contain spaces.
  • Should not include your name, address, phone number, Social Security number, date of birth, HHS ID, etc.
  • Does not need to contain numbers, capital letters, or special characters.
  • Cannot contain weak or overused terms such as "password."
  • Should not match current or past passwords from work or personal accounts.
  • Cannot reuse the previous ten passwords.
  • Must be changed once per year.
  • Accounts are locked after 5 consecutive failed login attempts within a 120-minute period. The lockout will last for 30 minutes or until the account is reset by an authorized administrator. Users can click the Forgot Password/Unlock Account? link under the login fields of the Commons homepage (https://public.era.nih.gov/commons) to unlock their account(s). A temporary password will be forwarded to the account owner's email address and is active for only 48 hours.
  • Contact the eRA Service Desk if you need help with passwords.
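
The lockout rule in the list above (5 consecutive failures within 120 minutes, a 30-minute lock, administrator reset) can be modelled as follows. This is an added example, not eRA's own code; the class and function names are hypothetical, and it assumes that a successful login clears the failure count and that failures older than 120 minutes no longer count.

```python
from datetime import datetime, timedelta

MAX_FAILURES = 5                          # consecutive failed attempts
FAILURE_WINDOW = timedelta(minutes=120)   # period in which they must occur
LOCKOUT_DURATION = timedelta(minutes=30)  # lock length unless an admin resets

class LockoutTracker:
    def __init__(self):
        self._failures = {}      # username -> timestamps of recent failures
        self._locked_until = {}  # username -> time the lock expires

    def is_locked(self, user, now):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:         # lock expired: start again with a clean slate
            self.admin_reset(user)
            return False
        return True

    def record_attempt(self, user, success, now):
        """Return 'ok', 'failed' or 'locked' for one login attempt."""
        if self.is_locked(user, now):
            return "locked"      # rejected even if the password is correct
        if success:
            self._failures.pop(user, None)  # assumption: success ends the streak
            return "ok"
        # Keep only failures that are still inside the 120-minute window.
        recent = [t for t in self._failures.get(user, [])
                  if now - t < FAILURE_WINDOW]
        recent.append(now)
        self._failures[user] = recent
        if len(recent) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_DURATION
            return "locked"
        return "failed"

    def admin_reset(self, user):
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)

def replay(events):
    """Run (minute_offset, user, success) tuples through a fresh tracker."""
    start = datetime(2024, 1, 1, 9, 0)    # constructed start time
    tracker = LockoutTracker()
    return [tracker.record_attempt(u, ok, start + timedelta(minutes=m))
            for m, u, ok in events]

# Constructed sample: the failure at minute 0 ages out before minute 125,
# so the lock only triggers on the fifth in-window failure at minute 126.
SAMPLE = [(0, "jdoe", False), (10, "jdoe", False), (20, "jdoe", False),
          (30, "jdoe", False), (125, "jdoe", False), (126, "jdoe", False),
          (140, "jdoe", True), (157, "jdoe", True)]
```
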

Read more information on the eRA Password Policy.

Policy: http://www.era.nih.gov/files/NIH_eRA_Password_Policy.pdf.

When using the Login.gov method to access eRA Commons, which includes two-factor authentication, use the following link to learn about Login.gov password management and requirements. Additional links on this page address different aspects of Login.gov passwords:

https://www.login.gov/help/changing-settings/change-my-password/

For further information about using Login.gov or InCommon Federated accounts, please see the following:

  • Two-Factor Authentication: Access eRA Modules via Login.gov
  • Two-Factor Authentication: Access eRA Modules via an InCommon Federated Account
  • FAQs: https://www.era.nih.gov/faqs.htm#XXIV

NOTE: Temporary passwords, sent to the user via email, are only valid for 48 hours and must be changed to a permanent password of the user’s choosing within that time period.