While eRA has been transitioning users of eRA Commons, Commons Mobile, ASSIST and IAR to two-factor authentication using either Login.gov or an InCommon Federated Account that supports NIH’s two-factor authentication standards, users will still need to maintain their eRA Commons username and password for the time being.
eRA account credential maintenance will therefore continue, at least for now. But not to worry: gone are the days of having to change your password every 120 days. NIH is moving from passwords to passphrases, meaning a set of random words or a sentence at least 15 characters long, effective sometime in November (date to be confirmed). Passphrases will only need to be updated annually.
This change is part of a new NIH password policy designed to make passwords easy for users to remember but hard for others to guess. The new policy aims to improve user experience and enhance cybersecurity.
Once this change is in effect, Commons users whose password has expired or been forgotten will be prompted to change it to a passphrase. Users are advised to avoid words that can be easily guessed, such as family names.