
Changing password every 60 days is a terrible policy



I recently logged into the my.t-mobile site and had to change my password due to this new policy. This new policy is terrible for multiple reasons. Anyone who is current on IT security should know that changing your new secured/selected password to something new randomly causes more trouble than it's worth. Users can't remember these new things every 60 days if you create a secure combination for your password.

I don't log in to t-mobile every day to see/change things. If you cannot secure my password in the first place, it's not our fault. Don't force us to change ours to cover your problem.


Best answer by tmo_marissa 31 May 2018, 18:28


33 replies

@tmo_marissa something with your process is broken then, because I’m being prompted to change my password every few months as well. I work in IT, and I frequently see people saying that “this should happen” - but there’s a huge difference between should and does (something that is regularly seen where I work). So maybe your contact says that passwords should only have to be reset once a year, but what’s actually happening is different, and it’s wayyy less than a year. And it seems that in the two years that T-Mobile has known about this break in your process, nothing has been done to address it.

 

That said, I don’t think you should require your users to change their passwords period, unless you have reason to believe that their account was compromised. Employees, sure, but your customers are not your employees. I, for one, don’t need anyone holding my hand to manage my passwords. I know how to keep my accounts secure, and your policy requiring password changes every few months doesn’t keep my account more secure, it’s just a pain in my ass.

If you want to reuse a previous password, you'll need to change your password five times, then change it to your previous password on the sixth change. T-Mobile stores the past five passwords, and doesn't allow you to reuse any of them.


This is actually the best answer to work around Tmo’s broken password requirements. Yes, it is a HUGE 15min time-wasting pain-in-the-arse. At least you get to keep YOUR password instead of inventing new ones every time they decide you need to.

TMOBILE Drives its customers MAD with frequent password changes because someone in a suit is going to get a Big bonus for increasing the percentage of customers who enroll in autopay where log in isn't necessary…

Change my mind! Lol

Just because they don't say it's their policy doesn't mean it isn't.  I've been FORCED to change my password several times this year.

Hey, folks. Thanks for taking the time to share your feedback here.

 

@timph -- can you tell me a little more about what you're seeing? Does the system tell you that your password is more than 60 days old and needs to be updated? I wasn't able to find a call-out about a 60-day expiration and if that's happening, we're happy to forward your concerns and would like to get it added to our documentation in the interim -- but right now I don't see anything internally or externally calling out that requirement. Personally, I have been using the same MyTMO password for at least six months! 😕

 

 @captcoolhand​ -- thanks for bringing this up. I know that you can change your PIN/Passcode via MyTMO as well -- Set up your Customer PIN/Passcode -- but I can see your point about the one-time PIN that someone might verify if they picked up your phone and also knew your name. I'll pass that feedback along as well, thank you.

I'm so sick of changing password every 2 months. I am ready to change providers. This is very frustrating.

Hey, @timph! I heard back from our contact who owns the content around the password change process, and was advised firmly that as the system stands, password changes should only be required once a year -- though as best practice we recommend changing them more frequently. I know this conflicts with what you saw, so while I wish I could explain the difference, I'm sorry to say I'm not able to speak to that.

 

 @scott523​, in this case, that means that you were able to use the same password for longer than designed before the update prompt, which I believe is because this policy wasn't implemented when your account was initially started -- after reviewing revisions to our documents, it looks like the Prompted to change your password section was added at the beginning of this year.


Reset your T-Mobile ID password has been updated to call out the yearly password change requirement in the Prompted to change your password section, and I'm also adding the feedback that we include the password recycling rule in the requirements section as well -- hopefully that will be OK with our content folks!


Thank you again very much for your feedback around this. I know that adding an extra step to your day by having to create a new password with some relatively stringent requirements compared to other sites isn't fun, but at least we can confirm that this shouldn't happen frequently. If it does, please let us know.

The correct forced password change interval is *never*.  This is a bad, bad policy and I can’t believe T-Mobile is sticking to its guns on this.  Changing a password that is not known to be compromised does NOT improve security, and on the contrary, only forces frustrated users to choose simpler, less secure passwords--or even worse, re-use them.
