Forced to Change My Password...

  I was unable to login to My T-Mobile just now to pay my bill, unless I changed my password... It said my password was "getting old."

 

  I went ahead and did it (just adding +1 to the number already at the end of my password).  My question is: HOW OFTEN am I going to be forced to go through this stupid procedure?  I've been with T-Mobile now for 20 years, and I've never had problems until about a year ago (since updating the website last summer I consistently cannot login using any browser on my home PC, so I am forced to pay in-store or (recently) I've started paying with my phone's browser - something I hate doing because I can pay all my other bills from my more secure PC)... now, it looks like I'm going to have to start putting up with this 'periodically changing my password' nonsense!

 

  I am very methodical with my passwords, I like my passwords, I do not give out my passwords, and I have never had an account hacked or a password stolen.  The only thing this routine accomplishes is really annoying me as a customer, as I make a one-key variation to my current password every six months (or every year, or however often we'll be forced to do this).  And I know I can't be the only one who feels this way.  Every person I've ever talked to who has had to do this sort of thing for work or whatnot has expressed similar frustration over this procedure.  In fact, more often than not it simply causes users to forget their current password since they've been forced to change it so many times (this has happened to my wife several times for work).

 

  So please, is there a way to opt-out of having to reset my password on a regular basis?  All I want to do is PAY MY BILL every month without a lot of hassle (I've already acquiesced to using my phone's Firefox rather than my PC - can I just keep my password at least).

 

- Keith -

Best answer by tmo_mike_c 2 July 2018, 22:13

The password change is meant to protect your account so I'm sorry it's annoying you. When you say you're having to change it on a "regular basis" how often are you having to do this exactly? After you change the password, then log right back in afterwards, is it prompting you to change it again? It's not something you'll have to change after each log in.

Just a side note: We do have the T-Mobile app and it's a really convenient and easy way to pay the bill right from the phone without having to use the browser. It'll also save you a trip to the store.

48 replies

Please reconsider forcing your users to change their passwords,

This does not improve security, and only annoys your customers:

 

Also, NIST updated their guidelines to drop these pseudo-security proposals.


Hey Tmobile DONKEYS!

 

It’s been over TWO YEARS since NIST (and we all know how up to date the government is on cybersecurity HAHAHAHAHA!) pulled their heads out and acknowledged the obvious fact that pw changes DON’T DO A SINGLE THING for security.

 

WAKE UP, and please, if you want to be in the tech business….then be in the tech business!

 

Losers.

All I did was add two numbers at the end of my password and just go from 10 to 20  and so on when I have to change it.

This forced password change is beyond infuriating, as there is no way to bypass it and just get down to the reason you visited the website in the first place. 

Even if the “memory” of the website is only 6 passwords, that requires me to remember 6 passwords just to adhere to paying my bill to t-mobile.

 

As far as security risks go, I’m not terribly worried about someone paying my cellphone bill for me.

 

Please let me assess my own risks and manage them on my own as an adult.

 

Less than a motivating reason to stay with t-mobile, especially in conjunction with mediocre service.  

A while ago, T-Mobile was caught storing private and confidential customer information (passwords) in plain text. I’m not sure how a company that claims to be current with technology let such a simple oversight slip through the cracks (seriously this is like customer information management 101), but they did, and per usual, fixed it without experiencing any consequences for such an oversight. 

 

Fast forward to today. Multiple agencies and groups have stated that requiring end users to change their password periodically is NOT recommended anymore as it does nothing for additional security. So it is no surprise that T-Mobile failed to stay current with security guidelines once again, and is requiring users to change passwords. 

 

 

NIST Publication 800-63b states:

 

“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

 

Source: https://pages.nist.gov/800-63-3/sp800-63b.html#memsecretver

section 5.1.1.2 paragraph 9

 

I strongly urge anybody that has trusted T-Mobile with their personal information such as passwords, addresses, SSNs, etc strongly reconsider that trust, as they have shown once again a complete disregard to updated security practices. 

 

Furthermore, if T-Mobile DOES claim they are following current expert cyber security recommendations, then I trust they ARE following that rule. That means every time they are asking you to change your password, they are also telling you that they have been compromised.

 

I expect them to be silent on this issue, and continue disregarding customer’s security, instead taking a “Security Theater” approach.

 

Hopefully someone from T-Mobile will bring this security issue to the attention of the folks that can correct it  

 

The password change is meant to protect your account so I'm sorry it's annoying you. When you say you're having to change it on a "regular basis" how often are you having to do this exactly? After you change the password, then log right back in afterwards, is it prompting you to change it again? It's not something you'll have to change after each log in.

 

Just a side note: We do have the T-Mobile app and it's a really convenient and easy way to pay the bill right from the phone without having to use the browser. It'll

 

 

 

Although this post is a year old I feel the need to add that AFTER ONLY 6 MONTHS w TMobile I am being forced to change my password.......on the app. 

Same as the 1st person, came on to pay bill and got the "password is getting old" message. I tried to get around it by restarting but nope, I couldn't even reply HERE until changing it.  There is noooooo way  I'm going to change the password every 6 months. 

 

Nobody can remember THAT many passwords? 

Nor should they be forced to. 

Most ppl have maybe 3 that they switch around. 

 

So someone that works for TMobile PLEASE tell me

1. There is a way to opt out.

OR

2. That this will NOT happen every 6 months. 

 

Personally, I don't think it should be  anyones business how we decide to deal with the security of our own accounts. 🤷🏼‍♀️  And I am 100% certain that others are not okay w this either. I don't blame the  Tmobile employees......they didn't make this a requirement. I blame the people in the higher ups. But either way-

it sucks. 

 

I too am extremely disappointed that T-Mobile forces us to change our passwords. I have been with T-Mobile for over 15 years and I am on the verge of leaving them. They are not even on 5G yet. They make too many promises that they can't live up to. Any company that does not allow their customers to opt-out of something that is this annoying is the last straw. My $135 a month will be going to a different carrier shortly! Bye Bye & Good Riddance T-Mobile...

TMOBILE Drives its customers MAD with frequent password changes because someone in a suit is going to get a Big bonus for increasing the percentage of customers who enroll in autopay where log in isn't necessary…

Change my mind! Lol

I get it, but as someone who works in cybersecurity, please let those who made this call to force us to change our passwords know that it is not necessary. There is a new NIST standard, SP 800-63B; changing passwords on a timed rotation does not increase password security.

 

These are top changes to password security guidelines

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters.

 

Digital Identity Guidelines

https://pages.nist.gov/800-63-3/sp800-63b.html

 

A good quick reference

Understanding the New NIST Guidelines for Password Security

https://www.infracore.net/blog/understanding-the-new-nist-guidelines-for-password-security

 

It would be awesome if you adopted the newer security spec.

Thank you!
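The verifier rules listed in the post above, together with the SP 800-63B sentence quoted earlier in the thread, can be expressed as code. This is an added example, not part of any post and not T-Mobile's code; all names are hypothetical, the blocklist is a constructed sample, and the 180-day legacy interval is an assumption based on the "every six months" mentioned in the thread.

```python
import unicodedata
from dataclasses import dataclass
from datetime import datetime, timedelta

MIN_LENGTH = 8    # SP 800-63B floor for user-chosen memorized secrets
MAX_LENGTH = 64   # assumption: this verifier accepts up to 64 characters

# Constructed sample; a real verifier loads a large corpus of common and
# breached passwords instead of five entries.
BLOCKLIST = frozenset({"password", "12345678", "qwertyuiop",
                       "letmein123", "iloveyou1"})


def check_new_password(candidate, blocklist=BLOCKLIST):
    """Return a list of rejection reasons; an empty list means accepted."""
    pw = unicodedata.normalize("NFKC", candidate)
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if len(pw) > MAX_LENGTH:
        reasons.append("too long")
    # Spaces and every other printable character are allowed;
    # control characters such as tab are not.
    if not pw.isprintable():
        reasons.append("non-printable character")
    # No composition rules (digit/symbol/uppercase): the only content
    # check is the comparison against known-bad passwords.
    if pw.casefold() in blocklist:
        reasons.append("commonly used or compromised")
    return reasons


@dataclass
class Account:
    username: str
    password_set_at: datetime
    compromise_evidence: bool = False  # e.g. credential seen in a breach dump


def legacy_must_change(account, now, max_age=timedelta(days=180)):
    """Time-based expiry: the policy the thread complains about."""
    return now - account.password_set_at > max_age


def nist_must_change(account, now):
    """Password age is ignored; only evidence of compromise forces a change."""
    return account.compromise_evidence


if __name__ == "__main__":
    now = datetime(2018, 7, 2)  # constructed date
    old_but_clean = Account("keith", datetime(2016, 7, 2))
    new_but_breached = Account("sample", datetime(2018, 6, 1),
                               compromise_evidence=True)
    for acct in (old_but_clean, new_but_breached):
        print(acct.username,
              "legacy:", legacy_must_change(acct, now),
              "nist:", nist_must_change(acct, now))
    for pw in ("correct horse battery staple", "Password", "short"):
        print(repr(pw), check_new_password(pw) or "accepted")
```

The two policies disagree on both sample accounts: the time-based rule expires a two-year-old password with no sign of compromise and leaves a one-month-old breached one alone.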

No, this was the first time; I only worry that now that T-Mobile has started this practice, I will be required to change my password every six to twelve months - as is often the case when I.T. departments decide to start requiring this of their users.

Hey T-Mobile, here's a link to the FTC explaining why password expiration is stupid. Can you guys get your heads in the game?

 

https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes

I too hate being forced to do anything including changing my password. Any policy of forcing users to do something can be turned around to be explained as beneficial to the user. But if I don’t like it, I don’t like it, and I am willing to accept the risks and hassles in case someone steals my password within 6 months or a year ago. In fact, my most secret passwords have never been stolen for the 20+ years I’ve been using them. With that said, I had to change my password before being able to leave this feedback. In fact, I had to send verification codes to my phone/email three times before being able to change my password as the process must have confused itself into a loop. The reason I came to Tmobile from AT&T was because of the policy of being the UnCarrier and allowing for greater customer satisfaction. That in my book includes not forcing things upon us such as changing passwords.

I was forced today to change my password as well with no workaround. The response we can not change it so that you can opt out. I use a VPN for security. I do not believe you should be forced to change your password. A reminder is okay or if they are suspicious of unauthorized use they can send me a code via email.

I hate this too! I have few passwords in different combinations and today I was forced to change my password again! That’s even more than just annoying. It doesn’t accept any of my password as they already have been used. It’s just cell phone web site! Not the Pentagon database :rage:

As a result I can’t open T-mobile web site when I’m not home as I NEVER REMEMBER the current password and if I enter it incorrectly a few times I’ll be again forced to change it. Please stop this stupid practice!

We are for years with T-mobile and it’s such a negative thing which can be that last straw 

 

I believe it is the incompetence of T-mobile’s IT team to make their website secure, because they can not do the standard in the industry: remember the usual devices their users use to login, and ask for security code through email or text if suspicious devices are found. To cover their incompetence, they decided to load the burden to their users by forcing them to change password every year or so. And ironically, as many have pointed out, their strategy actually brings much more vulnerability. But their IT team is off the hook if security breach happens: it’s the users that did not take care of their passwords!

Well, obviously, they don’t even check for fraud. They just make people change passwords. I don’t think that my password wasn’t secure. I have never had anybody hack into my account. I don’t think that there is such thing as an “old password.” T-Mobile just told me that they only change passwords for other reasons when  I called them and they had no idea about the reason that the website had mentioned. They were clueless. They insisted that they only changed passwords when customers had forgotten their passwords. Their customer support needs to get their act together and monitor this forum, and fix this website so that customers can choose when to change their passwords. When there isn’t fraud, people should not be forced to change their passwords. This is utterly ridiculous. If there is suspected fraud, or customers forget their passwords, that is another story. “Your password is too old” is a ridiculous excuse. Passwords do not get too old. I may have seen that elsewhere, but I am not sure. Companies that say that, are just making excuses. I do not need to change my password just because I have used it a long time. 

I have had to do this every few years, and my password has been secure. I don’t like this idea as most companies only do this when there is suspected fraud or a suspected hacker. It is stupid to make users change their passwords just because they use their account for a long time. I vote with others to change this policy. I have never had anybody else hack into my account in the many years that I have used T-Mobile. Stop making us change our passwords just because we have used it for years! If we forget it, or there is suspected fraud, that is another story.


I believe it is every year. I have been forced to change more than 5 times already. Now I have used up my own birthday, my wife’s birthday, my two daughters’ birthdays. I don’t want to have another kid only because I need another password. LOL

this doesn't protect anything and it is very annoying to have to do if I'm gonna have to keep doing this i will switch company just for this annoying garbage please change that i don't ever want to change my password and never been hacked if i want to keep my fkn password for over 10 years that's my fkn problem if someone gets my password then that's my problem what if i forced you to kiss my knuckle

This really is annoying and Tmobile doesn’t give a shit. I’ve had tmobile ever since they bought out Suncom. Forcing a user to change their passwords is just another link on the leash of power over us. I just added to the end of my password. And saying “please change your password” in your notice is . It implies you have a choice. How about changing that to bend over and take it!

While having to reset my password in order to comment here was a little annoying, I love all the information you can get about TMobile users.

Count me also being forced to reset my ‘old’ pw just to like this comment! Security! Ha!

https://community.t-mobile.com/accounts-services-4/changing-password-every-60-days-is-a-terrible-policy-8499

You can work around Tmo’s glaring issue by changing your pw 6 times, but it’ll take that many SMS and re-login and ~15min of hassle just to get your pw back, but at least it CAN be done.

I really hate this - do away with it at once.

Yet again here is evidence that T-Mobile doesn’t really care to make policies that protect users and user experience. This is about liability and compromise on resources to build proper security measures. Why is there no proper 2FA? The password change is an annoyance for users, but tolerable for T-mobile so that in a class action courtroom they would be able to claim they had strict security measures. They make themselves less vulnerable in a courtroom by shifting that vulnerability to their users.

It’s funny because now TMobile is now the easiest account to hack. 

Post it notes with the new forced password (since they cannot be rotated) are everywhere. I see them on peoples computers at work, I see them in files on their phones, I see them at every home office and desk. 

Thank you TMobile for making hacking your customers easier!!! A little social engineering (for those interested, simply look through your friends photos of them at their desk GUARANTEED they have photos with their passwords for every company like TMobile that still forces regular password resets! LOL)

While having to reset my password in order to comment here was a little annoying, I love all the information you can get about TMobile users. 

Long live horrible security teams!

This is so annoying i don't know what they're getting out of this, we can't choose our old password and we have to keep creating new passwords that we can't even remember. If they ask me to change the password one more time i promise i will cancel all my 10 lines and find a different provider. 

I too will consider moving to a different carrier after 20 plus years with T Mo because of this issue.

There is no justification to say that changing passwords increases security. I thought that T mobile was above such silliness.

Disappointed.

Just had to change my password for the second time.  I 100% agree.  So much so, that I'm leaving t-mobile because of it. 

The statement that these policies are for user security is false, but even if they were intended to benefit users they fail.

These kinds of security processes are only put in place to reduce a company's liability. Certain types of systemic breaches are made less damaging with frequent password changes, but individual user's security is actually reduced. Many studies over decades show that forcing users to change passwords makes individual user's accounts less secure because users will write down their new passwords or forget them resulting in an elevated exposure to unauthorized access and denial of service vulnerabilities (dos attacks are often neglected when evaluating vulnerability). Further, new mechanisms must be put in place to handle user access issues related to frequent password changes that increase the attack surface.

I make it a personal policy to opt out of such incompetent "security features," and if it is not possible to opt out without switching services I switch services... so goodbye t-mobile, best of luck.

I just started a new job and I'm coming up to my 90 days and

I got a notice to change my password.