Solved

Changing password every 60 days is a terrible policy



I recently logged into the my.t-mobile site and had to change my password due to this new policy. This new policy is terrible for multiple reasons. Anyone who is current on IT security should know that changing your new secured/selected password to something new randomly causes more trouble than it's worth. Users can't remember these new things every 60 days if you create a secure combination for your password.

I don't log in to t-mobile every day to see/change things. If you cannot secure my password in the first place, it's not our fault. Don't force us to change ours to cover your problem.


Best answer by tmo_marissa 31 May 2018, 18:28


33 replies


I have to agree! It's plain downright pathetic! The passcode is the same way. Every time I call now with an issue, I need a text sent to me because my so-called New Code doesn't work. This is BS! And here's the sad part. If I found or stole a phone and told ya I didn't have my pass-code, T-mobile will send it to ya. Right there while on the phone, they helped ya break into someone's account. Poor security!


The system did not give any reason to force me to change password. It just said my password expired and I need to change it. I haven't logged in for a while, at least 3-4 months so I don't know how long it is. The password change page required a new complex - no previous pwd, etc. - AND stated very clearly that you have to change your password every 60 days. Go change password yourself to see.

I want to get back to use my old password that I can remember. Tell your IT department that we ARE NOT your IT users.


Just because they don't say it's their policy doesn't mean it isn't.  I've been FORCED to change my password several times this year.


No, it's not coming from inside your profile account AFTER you logged in. It asked me to change my pwd after the login screen. That pwd change screen is not one of the above.


I am totally annoyed (and frustrated) at the way Tmobile handles their password resets. Although I understand the need to change passwords occasionally, it is ridiculous to have to change them every 60 days. To make matters worse, we are not given any notice or warning. I wanted to log in and pay my bill today and was not allowed to access my account without "changing" my password. But of course, it wasn't that simple. No, I had to have them send me a verification code first. That totally annoys me. So I had them send me an email. The email I received said "Forget your T‑Mobile ID password? We hate when that happens, but it's an easy fix. Just click the button below to create a new one:" Receiving a message like that when I forgot my password is great but in this instance it took me beyond annoyance to anger because I didn't forget my password. Nor did I want to change it. Rather, they FORCED me to change it. Most places (that don't wish to cause their customers total frustration) will at least allow you to log in with your credentials then take you to a password update page so they can change it right away rather than having to go through the whole verification process. Again, I do understand the reasoning and appreciate Tmobile's commitment to keeping our accounts safe but angering your customers by forcing them to jump through multiple hoops without any forewarning is not very nice. Why couldn't I be given a heads up? What about a warning letting me know that my password was about to expire or an option to delay changing it but letting me know that I would need to change it within x number of days or something. Instead, rather than being able to quickly log on to pay my bill I've had to spend several minutes dealing with this whole password mess. To add insult to injury, they apparently changed their password parameters so that the "special character" that I have been using is no longer allowed.
Then (in my rush to get this over with) I accidentally hit the caps lock button, so my new password is in caps (I think), which I don't want.  I tried to change it again (to non-caps) and the website wouldn't let me change my password again.  So, it appears that we are not allowed to change our passwords when we want to but are forced to change it when they decide they want us to without any forewarning, at the most inconvenient time and in the most annoying way possible.  Gee, thanks Tmobile.  I couldn't even post anything to these discussion boards without first verifying my account.   Why can't I log in with my current password and change it from there? 

This policy:

- increases the friction for users to pay their bills (brilliant business move t-mobile...)

- is super insecure

- is frustrating and annoying (Project Fi looks better every day)

Please consider hiring a more knowledgeable security expert to make these policy decisions.


You are spot on with this reply.  Tmobile has an extremely frustrating password process.  You'd think that since they aren't the best service in terms of quality, they'd make up for it in the way they treat their customers.


The worst part about this is that there's comment after comment with people saying they're being asked to change their passwords multiple times in a year, and this isn't the only forum I've seen it. And the customer service response seems to be nah-ah. At some point you'd think they'd say "hmmmm we've received multiple complaints that we are forcing password changes every few months, maybe we have an issue" but not t-mobile.

I have been forced to change my "my t-mobile" password twice this year, six months apart, June 2018 and today. I can show you the confirmation emails. Each time the system said it was because my password was "too old". It was not by choice. Also, the list of acceptable password characters is too short.

I also have to change my password every 2 months. So now I can't ever remember my password. This is really aggravating, and it doesn't make my account more safe. Plus, I share the security concern. My account is easily hack-able simply because if they have my phone, they can have a temporary password sent directly to my phone. How is this secure???


This is a load of crap, there's NO WAY it's been a year since you made me change my password. I've had to change it 3 times this year. My phone needs to be replaced so I think it's time I start shopping around for a new service provider. It's bad enough you jackasses are making me change my password every few months but to have your reps come on here and lie about the frequency is just too much. Like we aren't going to know we've had to change our passwords at least 3 times in 2018 alone. Pathetic.

T Mobile. There is clearly a customer demand that you change this policy. Why don't you let the customer choose when to change their own password, and what password they wish to use? If we want to use a previously used password, LET US! We are paying customers and we want choices that suit our needs. Or perhaps it's time to make a choice on what phone service we will be using in the future.

If you want to reuse a previous password, you'll need to change your password five times, then change it to your previous password on the sixth change. T-Mobile stores the past five passwords, and doesn't allow you to reuse any of them.


This is actually the best answer to work-around Tmo’s broken password requirements. Yes, it is a HUGE 15min time-wasting pain-in-the-arse. At least you get to keep YOUR password instead of inventing new ones every time they decide you need to.

Marissa, I appreciate you trying to troubleshoot this issue but I think you’re going the wrong way on this matter.

The issue is when a user hasn’t changed their password in many months, the system forces the user to change their password upon logging in. So your screenshots are useless because it’ll only happen after logging in. You probably won’t get a screenshot from us unless someone didn’t change their password yet. Maybe IT should just make an account with an old password and try it for themselves...

This also happened to me (just a normal postpaid customer) and I must admit that I haven’t changed my password since I joined T-Mobile. Forcing to change an old password at a government level may be reasonable but at a services/utilities level(?), it may be a bit overkill and a nuisance like the other original poster is getting at.



I think it's a bunch of BullSh*t if you ask me. What do I care if someone hacks my Tmobile account?? Hopefully, they pay the bill because I don't see them getting much of anything else. Not like I'm responsible either.

I'm just tired of being asked to change my password, then the very next time I try to log in, it tells me my password is incorrect. Then, I have to go through the steps to change it, but it tells me I can't use the password I used before when it just told me my password was incorrect????? wtf! (How do I go from wrong Password to, Oh, you can't use the same password) Honestly, don't think you are protecting me, but themselves. Please leave my password alone!

@tmo_marissa something with your process is broken then, because I’m being prompted to change my password every few months as well. I work in IT, and I frequently see people saying that “this should happen” - but there’s a huge difference between should and does (something that is regularly seen where I work). So maybe your contact says that passwords should only have to be reset once a year, but what’s actually happening is different, and it’s wayyy less than a year. And it seems that in the two years that T-Mobile has known about this break in your process, nothing has been done to address it.

 

That said, I don’t think you should require your users to change their passwords period, unless you have reason to believe that their account was compromised. Employees, sure, but your customers are not your employees. I, for one, don’t need anyone holding my hand to manage my passwords. I know how to keep my accounts secure, and your policy requiring password changes every few months doesn’t keep my account more secure, it’s just a pain in my ass.


TMOBILE Drives its customers MAD with frequent password changes because someone in a suit is going to get a Big bonus for increasing the percentage of customers who enroll in autopay where log in isn't necessary…

Change my mind! Lol

I'm so sick of changing password every 2 months. I am ready to change providers. This is very frustrating.

Hey, @timph! I heard back from our contact who owns the content around the password change process, and was advised firmly that as the system stands, password changes should only be required once a year -- though as best practice we recommend changing them more frequently. I know this conflicts with what you saw, so while I wish I could explain the difference, I'm sorry to say I'm not able to speak to that.

@scott523, in this case, that means that you were able to use the same password for longer than designed before the update prompt, which I believe is because this policy wasn't implemented when your account was initially started -- after reviewing revisions to our documents, it looks like the Prompted to change your password section was added at the beginning of this year.


Reset your T-Mobile ID password has been updated to call out the yearly password change requirement in the Prompted to change your password section, and I'm also adding the feedback that we include the password recycling rule in the requirements section as well -- hopefully that will be OK with our content folks!


Thank you again very much for your feedback around this. I know that adding an extra step to your day by having to create a new password with some relatively stringent requirements compared to other sites isn't fun, but at least we can confirm that this shouldn't happen frequently. If it does, please let us know.

The correct forced password change interval is *never*.  This is a bad, bad policy and I can’t believe T-Mobile is sticking to its guns on this.  Changing a password that is not known to be compromised does NOT improve security, and on the contrary, only forces frustrated users to choose simpler, less secure passwords--or even worse, re-use them.

I think it’s been 18 months since I joined the TMO. I pretty much joined after the T-Mobile One plan arrived.

I can’t remember 100% if I saw the 60-day rule when being forced to change the password on the T-Mobile app on my iPhone X but that could be legitimate. I didn’t really think of looking for it since TMO have come under fire on account security this month. I guess I’ll find out in 50 days. I’ve also noticed the new password system doesn’t allow recycling old passwords, which is even annoying. I may have to come up with something like “Tmobile1*” then “Tmobile2*” in the future. 


This is not T-Mobile policy.  They require the passwords to be updated annually, not every 60 days.

Reset your T-Mobile ID password


Hey, folks. Thanks for taking the time to share your feedback here.

@timph -- can you tell me a little more about what you're seeing? Does the system tell you that your password is more than 60 days old and needs to be updated? I wasn't able to find a call-out about a 60 day expiration and if that's happening, we're happy to forward your concerns and would like to get it added to our documentation in the interim -- but right now I don't see anything internally or externally calling out that requirement. Personally, I have been using the same MyTMO password for at least six months! 😕

@captcoolhand -- thanks for bringing this up. I know that you can change your PIN/Passcode via MyTMO as well -- Set up your Customer PIN/Passcode -- but I can see your point about the one-time PIN that someone might verify if they picked up your phone and also knew your name. I'll pass that feedback along as well, thank you.
