Password Information

• How to Change
• Expiration Info
• Password Rules
• Examples
• Policies

How to Change Your Password

To change your password manually before the expiration date:

1. You must be logged into the HCS at https://commerce.health.state.ny.us/
2. Click on My Content in the top right menu
3. Click on Change My Password

If you have forgotten your password, please use the self-serve Forgot Your Password? feature on the logon page. If you need further assistance, please call the Commerce Accounts Management Unit (CAMU) at 1-866-529-1890 option 1. Please have your HCS PIN or NYS drivers license handy for identification verification.

NYSDOH employees - Issues with your HCS password MUST go to https://password.ny.gov/PMUser/.

Expiration Information

Passwords:

Expire - every 365 days (yearly). You have up to 24 months to change your expired password. After that, your account is disabled and you will need a new password.

Disable - after 24 months of inactivity. You must contact the Commerce Accounts Management Unit (CAMU) at 1-866-529-1890 option 1. Please have your HCS PIN or NYS Drivers License handy for identification verification.

Rules for Creating a New Password

The password must:

• Must be at least 8 characters long
• Must have at least 5 letters
• Must not match any of the 50 previous passwords
• Must not contain your email, first name, last name or full name in your password
• Must differ from the old password by at least 3 characters. For comparison purposes, an upper case letter and its corresponding lower case letter are equivalent.
• Must have either 2 numbers, 2 special characters or 1 number and 1 special character.
  Please Note: The following special characters are not allowed: * ' " \ # @ ,

Examples of good passwords:

Works4NYSsHCS1

This is considered a passphrase and meets the HCS requirements. Turn your wording into a passphrase by substituting letters for numbers, E for 3, O for 0.

Tqbfrf213

Turn your phrase into an acronym. The above password is the first letter of the following words "The quick brown fox runs fast" along with the month and year.

Examples of bad passwords and why they are bad

Never use the password "password". That would be the number one password a hacker would try to use. Here are other bad password examples:

111111

This is fairly apparent. The password will not work because it is all numbers. The password must contain at least five (5) alphabetic characters and either 2 numbers, 2 special characters or 1 number and 1 special character.

David31

This password is your name and age. It follows all the rules, BUT anyone could guess what it is. If you enter david31, it will not work because the server is looking for that upper case "D". It is never recommended that you use your name in your password since it can easily be matched. Try breaking it up with numbers or special characters. (ie da31vid).

golfer18

Avoid words that can be found in a dictionary.

Password Site Policies

Violation of the security and use policy (e.g. sharing your account userid and password with someone else) will result in the temporary suspension of your account privileges until required remedial action is taken by executives at your organization.

Repeat offenses may result in the permanent removal of the account.

Contacting the Commerce Accounts Management Unit with someone else's account information will result in the account being disabled due to a security breach.