So I’ve been looking at this list every 60 days now for the better part of a year. And every time I need to tweak 1Password so that it will generate a compliant password (exactly 8 characters long – really?). And as obnoxious as the requirements are, it turns out that they have actually omitted one rule that is enforced upon changing your password, namely that the password must begin with a letter of the alphabet.

I suspect folks involved with health care will recognize the requirements.

The list of forbidden passwords is also entertaining. They include many of the 25 Most Popular (and Worst) Passwords as reported by Time magazine, but not all. Many of the words on the explicitly banned list would be excluded by enforcement of the 8-character requirement. Nor is the list ordered in any way to make it easy to see if your choice is actually in the list.

Sigh.

Your User Account Password must
  • Be changed at least every 60 days.
  • Be 8 characters long.
  • Contain at least 1 letter and 1 number.
  • Contain at least 1 upper case and 1 lower case letter.
  • Not contain your User ID.
  • Be different from your previous 6 passwords.
  • Not contain 4 consecutive characters from any of your 6 previous passwords.
  • Not Contain Words: 1234, PASSWORD, WELCOME, CMS, HCFA, SYSTEM, MEDICARE, MEDICAID, TEMP, LETMEIN, GOD, SEX, MONEY, QUEST, F20ASYA, RAVENS, REDSKIN, ORIOLES, BULLETS, CAPITOL, MARYLAND, TERPS, DOCTOR, 567890, 12345678, ROOT, BOSSMAN, JANUARY, FEBRUARY, MARCH, APRIL, MAY, JUNE, JULY, AUGUST, SEPTEMBER, OCTOBER, NOVEMBER, DECEMBER, SSA, FIREWALL, CITIC, ADMIN, UNISYS, PWD, SECURITY, 76543210, 43210, 098765, IRAQ, OIS, TMG, INTERNET, INTRANET, EXTRANET, ATT, LOCKHEED
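
The listed rules plus the unlisted first-letter rule, written out as a checker (an added example, not code from the original post or from the site that enforces the policy). The function names are hypothetical, and case-insensitive matching of the User ID, banned words and 4-character runs is an assumption; the page does not say how the site compares them. `unreachable_banned()` lists the banned words that the length and character rules already make impossible to contain.

```python
import re

# Banned words copied from the policy list on the page.
BANNED = """1234 PASSWORD WELCOME CMS HCFA SYSTEM MEDICARE MEDICAID TEMP LETMEIN
GOD SEX MONEY QUEST F20ASYA RAVENS REDSKIN ORIOLES BULLETS CAPITOL MARYLAND TERPS
DOCTOR 567890 12345678 ROOT BOSSMAN JANUARY FEBRUARY MARCH APRIL MAY JUNE JULY
AUGUST SEPTEMBER OCTOBER NOVEMBER DECEMBER SSA FIREWALL CITIC ADMIN UNISYS PWD
SECURITY 76543210 43210 098765 IRAQ OIS TMG INTERNET INTRANET EXTRANET ATT
LOCKHEED""".split()
LENGTH = 8


def windows(s, n=4):
    """All n-character substrings of s, upper-cased (assumed case-insensitive)."""
    s = s.upper()
    return {s[i:i + n] for i in range(len(s) - n + 1)}


def violations(pw, user_id, previous=()):
    """Return the rules pw breaks; an empty list means it would be accepted."""
    up, recent, out = pw.upper(), list(previous)[-6:], []
    if len(pw) != LENGTH:
        out.append("length")
    if not re.match(r"[A-Za-z]", pw):
        out.append("first-letter")  # enforced but not listed, per the post
    if not (re.search(r"[A-Za-z]", pw) and re.search(r"[0-9]", pw)):
        out.append("letter+digit")
    if not (re.search(r"[A-Z]", pw) and re.search(r"[a-z]", pw)):
        out.append("mixed-case")
    if user_id and user_id.upper() in up:
        out.append("user-id")
    if pw in recent:
        out.append("reused")
    if any(windows(pw) & windows(old) for old in recent):
        out.append("shares-4")
    hits = [w for w in BANNED if w in up]
    if hits:
        out.append("banned:" + ",".join(hits))
    return out


def unreachable_banned():
    """Banned words that no password passing the other rules can contain."""
    def can_appear(w):
        # An 8-character word fills the whole password, so it needs both
        # a letter and a digit itself to pass the character rules.
        mixed = re.search(r"[A-Z]", w) and re.search(r"[0-9]", w)
        return len(w) < LENGTH or (len(w) == LENGTH and bool(mixed))
    return [w for w in BANNED if not can_appear(w)]
```

Under these assumptions 16 of the 57 banned words can never match, while the short ones (MAY, ATT, GOD and so on) are the entries that actually reject otherwise valid generated passwords.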