Revised: 11/27/2018
Password Information
How to Change Your Password
To change your password manually before the expiration date:
- You must be logged into the HCS at https://commerce.health.state.ny.us/
- Click on My Content in the top right menu
- Click on Change My Password
If you have forgotten your password, please use the self-serve Forgot Your Password? feature on the logon page. If you need further assistance, please call the Commerce Accounts Management Unit (CAMU) at 1-866-529-1890 option 1. Please have your HCS PIN or NYS drivers license handy for identification verification.
NYSDOH employees - Issues with your HCS password MUST go to https://password.ny.gov/PMUser/.
Expiration Information
- Passwords:
- Expire - every 365 days (yearly). You have up to 24 months to change your expired password. After that, your account is disabled and you will need a new password.
- Disable - after 24 months of inactivity. You must contact the Commerce Accounts Management Unit (CAMU) at 1-866-529-1890 option 1. Please have your HCS PIN or NYS Drivers License handy for identification verification.
Rules for Creating a New Password
The password must:
- Must be at least 8 characters long
- Must have at least 5 letters
- Must not match any of the 50 previous passwords
- Must not contain your email, first name, last name or full name in your password
- Must differ from the old password by at least 3 characters. For comparison purposes, an upper case letter and its corresponding lower case letter are equivalent.
- Must have either 2 numbers, 2 special characters or 1 number and 1 special character.
Please Note: The following special characters are not allowed: * ' " \ # @ ,
Examples of good passwords:
- Works4NYSsHCS1
- This is considered a passphrase and meets the HCS requirements. Turn your
wording into a passphrase by substituting letters for numbers, E for 3, O for 0.
- Tqbfrf213
- Turn your phrase into an acronym. The above password is the first letter
of the following words "The quick brown fox runs fast" along with the month and year.
Examples of bad passwords and why they are bad
Never use the password "password". That would be the number one password a
hacker would try to use. Here are other bad password examples:
- 111111
- This is fairly apparent. The password will not work because it is all
numbers. The password must contain at least five (5) alphabetic characters and either 2 numbers, 2 special characters or 1 number and 1 special character.
- David31
- This password is your name and age. It follows all the rules, BUT anyone
could guess what it is. If you enter david31, it will not work because the
server is looking for that upper case "D". It is never recommended that you
use your name in your password since it can easily be matched. Try breaking it up with numbers or special characters. (ie da31vid).
- golfer18
- Avoid words that can be found in a dictionary.
Password Site Policies
Violation of the security and use policy (e.g. sharing your account userid and password with someone else) will result in the temporary suspension of your account privileges until required remedial action is taken by executives at your organization.
Repeat offenses may result in the permanent removal of the account.
Contacting the Commerce Accounts Management Unit with someone else's account information will result in the account being disabled due to a security breach.