Forced to Change My Password...

Userlevel 1

  I was unable to login to My T-Mobile just now to pay my bill, unless I changed my password... It said my password was "getting old."


  I went ahead and did it (just adding +1 to the number already at the end of my password).  My question is: HOW OFTEN am I going to be forced to go through this stupid procedure?  I've been with T-Mobile now for 20 years, and I've never had problems until about a year ago (since updating the website last summer I consistently cannot login using any browser on my home PC, so I am forced to pay in-store or (recently) I've started paying with my phone's browser - something I hate doing because I can pay all my other bills from my more secure PC)... now, it looks like I'm going to have to start putting up with this 'periodically changing my password' nonsense!


  I am very methodical with my passwords, I like my passwords, I do not give out my passwords, and I have never had an account hacked or a password stolen.  The only thing this routine accomplishes is really annoying me as a customer, as I make a one-key variation to my current password every six months (or every year, or however often we'll be forced to do this).  And I know I can't be the only one who feels this way.  Every person I've ever talked to who has had to do this sort of thing for work or whatnot has expressed similar frustration over this procedure.  In fact, more often than not it simply causes users to forget their current password since they've been forced to change it so many times (this has happened to my wife several times for work).


  So please, is there a way to opt-out of having to reset my password on a regular basis?  All I want to do is PAY MY BILL every month without a lot of hassle (I've already acquiesced to using my phone's Firefox rather than my PC - can I just keep my password at least).


- Keith -


Best answer by tmo_mike_c 2 July 2018, 22:13

The password change is meant to protect your account so I'm sorry it's annoying you. When you say you're having to change it on a "regular basis" how often are you having to do this exactly? After you change the password, then log right back in afterwards, is it prompting you to change it again? It's not something you'll have to change after each log in.

Just a side note: We do have the T-Mobile app and it's a really convenient and easy way to pay the bill right from the phone without having to use the browser. It'll also save you a trip to the store.


48 replies

Userlevel 4

Please reconsider forcing your users to change their passwords,

This does not improve security, and only annoys your customers:

Also, NIST updated their guidelines to drop these pseudo-security proposals.

Userlevel 4

Improved security by forced password expiration is a myth.

Some background reading can be found here and the links referenced on that page.

Userlevel 1

Hey T-Mobile, here's a link to the FTC explaining why password expiration is stupid. Can you guys get your heads in the game?

Userlevel 4

I never log on to my T-mobile account, unless there's a problem.

Today was such a day.

My daughter dropped her phone into the toilet by accident, so I wanted to order her a new SIM card.

This was the sole reason I logged on.

Needless to say, I was forced to change her password, at the worst possible of times.

Luckily, I thought, I can answer security questions so I wouldn't have to acknowledge codes sent by SMS for further authentication.

That said, when I wanted to change the password back to the proper one (I never wanted it to change in the first place),

the only option I was left with was to authenticate myself via SMS.... presumably using the now broken phone.

I tried my luck with the online chat, but that didn't lead anywhere.

Afterwards I tried the "Forgot my password", and luckily and inconsistently enough, there I could authenticate via options beyond SMS again.

But apparently T-Mobile remembers the old passwords and doesn't let its user change them back to their proper origin.

Who on earth designs these pseudo-security systems? It's harassment, plain and simple.

I can just imagine how this process works if someone is forced to change their password in the midst of a busy airport... all in the name of security!

Userlevel 1

We have to stand up to this tyranny of IT forcing us to change the passwords for "our protection".  That is becoming impossible to keep track of and just irritates consumers.

Userlevel 4

magentatechie wrote:

Someone posted here that the website only remembers the last 6 passwords used and reported success with changing the password repeatedly until the site allowed his preferred password after that many attempts. Will it actually work? I'm really not sure, your mileage may vary as T-Mobile may have found a way to eliminate the work-around.

Please keep in mind that the "normal" password change mechanism no longer works for me (as mentioned in my original reply):

It requires the receipt of an SMS (text-message), that does not work, as the phone no longer works.

Weirdly enough though, I can change my password by pretending to have forgotten it and using the "Forgot my password" mechanism:

There I am offered more options to authenticate beyond SMS: Answering pre-selected questions and e-mail as well.

The reason I find this weird is that the entry bar of authentication is lower for someone that does not know the password (more choices for "Forgot my password"),

than for someone that is already logged in (only option is "SMS").

I did not see the number "6" mentioned anywhere on the website, so thank you for that information.

I did think about / anticipate that possibility last night, and tried "Forgot my password" a number of times in order to cycle through

the maximum number of passwords the system may remember.

Unfortunately, the system told me that "I exceeded the number of changes in a 24 hour window" and I would have to wait

24 hours to perform the next password change.

I hope it's only 6 items the system remembers, otherwise I will spend many days & nights just trying to fix something that wasn't broken to begin with.

You probably do understand how very, very, very annoyed I am at this point in time.

Userlevel 1

You are not alone. To me, this is also INFURIATING. I have been forced to change it at least 4 times in the past two years. And I am a 13 or 14 year customer. My passwords are VERY secure, I base them on a memorized algorithm - T-mobile is the ONLY place I can think of that forces this. Totally throws a wrench in my SECURE system. And very often - I can't stand it. I held out for the last one - calling to pay my bill and asking for the fee to be waived.

MAKE AN "OPT-OUT" T-MOBILE. This is NOT "standard industry practice"! It's simply annoying and LESS secure!

Userlevel 1

Assumed resolved eh? Well, I had to reset my password today just to pay my bill, again. I called your customer service and I promised that I would be switching to another carrier if nothing could be done. For all my other online transactions I have been given the OPTION to change my password, not forced. I guess you cellular Nazis play by different rules. You've lost a customer.

Userlevel 1

I log in to T-Mobile once a month and the frequency in which they make us change our password is OBNOXIOUS. OB. NOX. IOUS. We are your consumers! You are not our IT team nor our bosses! GTF outa here with this ish!!!! I echo thegtc, at least let us opt out! No one else on earth makes their consumers go through this. MY BANK doesn't make me do this. Honestly.

I've been with T-Mobile since it was Voicestream. That's.. 17 years since I got my first Nokia Brick for Christmas. I often wonder what the grass is like on the other side, but think, nah it's just a phone network, prices aren't THAT different. No but this.. THIS is how I probably end up elsewhere. lmao. smh.

Userlevel 1

I get it, but as someone who works in cybersecurity, please let those who made this call to force us to change our passwords know it is not necessary. There is a new NIST standard, SP 800-63B; changing passwords on a timed rotation does not increase password security.

These are top changes to password security guidelines

  • Passwords should be compared to dictionaries and commonly-used passwords
  • Eliminate or reduce complexity rules for passwords
  • All printable characters allowed, including spaces
  • Expiration of passwords no longer based on time password has been in use
  • Maximum length increased to 64 characters.

Digital Identity Guidelines

A good quick reference

Understanding the New NIST Guidelines for Password Security

It would be awesome if you adopted the newer security spec.

Thank you!
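
The guidance listed in the post above, sketched as an added example (not part of the original thread and not T-Mobile's code): a password acceptance check with no composition rules, plus a change requirement driven by evidence of compromise rather than password age. The blocklist entries, the `Account` fields and the 8-character minimum (taken from SP 800-63B, not from the post) are assumptions.

```python
import unicodedata
from dataclasses import dataclass

MIN_LEN = 8    # SP 800-63B minimum for user-chosen secrets (assumption, not in the post)
MAX_LEN = 64   # the post's figure: lengths up to this must be accepted

# Constructed sample blocklist; a real verifier would load a breached-password corpus.
BLOCKLIST = {"password", "password1", "qwerty123", "letmein1", "iloveyou1"}


def check_new_password(pw, blocklist=BLOCKLIST):
    """Return a list of rejection reasons; an empty list means accepted.

    Deliberately absent: rules demanding digits, symbols or mixed case.
    """
    pw = unicodedata.normalize("NFKC", pw)  # stable form before comparing
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("too_short")
    if len(pw) > MAX_LEN:
        reasons.append("too_long")
    # Spaces (category Zs) pass; control and format characters (C*) do not.
    if any(unicodedata.category(ch).startswith("C") for ch in pw):
        reasons.append("non_printable")
    if pw.casefold() in blocklist:
        reasons.append("blocklisted")
    return reasons


@dataclass
class Account:
    password_age_days: int              # recorded, but never a trigger
    compromise_suspected: bool = False  # e.g. credential seen in a breach dump


def must_change_password(acct):
    """Force a change only on evidence of compromise, never on age alone."""
    return acct.compromise_suspected


if __name__ == "__main__":
    for candidate in ("correct horse battery staple", "Password1", "short"):
        print(repr(candidate), check_new_password(candidate))
    print(must_change_password(Account(password_age_days=900)))
```
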

Userlevel 2

Just want to reiterate what's been said here.  Your password changing policy is ridiculous.  We all know it has nothing to do with keeping us safe.  It doesn't work.  In fact, my T-Mobile password is the least safe password I have.  It is written on a post-it note stuck to my monitor.    That's because T-Mobile is the only site that makes me change it.  My bank and my credit cards don't even require such heavy security.  What I also don't understand is why I have to get a text every time I log in with a code to enter after I enter my password.  One of the two needs to change.  Your IT department has no clue what they are doing.  It's extremely irritating.  The first time I have to change my password after I'm done paying off my phone I'm looking for a new service.  I bet Verizon (who has much better service than you guys) doesn't force its customers to go through this BS.

Userlevel 1

How to stop this f@%$ing password change? I'm going to quit using your f#$%ing service!!! Really. That is enough!

Same ?, but I don't see any answer from t mobile except " put on hold" asked for PIN # then asked for old password, all very suspect and not user friendly?

You probably do understand how very, very, very annoyed I am at this point in time

I hate this, too. I have medical issues that make it very difficult for me to remember rarely used bits of information like passwords. I have been forced to change my password three times, without notice, when I am in a rush to make a payment. So then I forget my choice and have to go through the process of password recovery EVERY TIME, because writing down your passwords is not recommended. I am an adult without enemies, without hackers, without anyone who would want to mess with my tiny account of a single phone line. I find this disrespectful and arbitrary. It's a significant reason why I am moving to another carrier once my phone is paid off. The other reason is inadequate tower coverage in my area, and extremely unprofessional employees in their storefronts. T-Mobile spends too much time on flash and not enough on substance.

Just had to change my password for the second time.  I 100% agree.  So much so, that I'm leaving t-mobile because of it. 

The statement that these policies are for user security is false, but even if they were intended to benefit users they fail.

These kinds of security processes are only put in place to reduce a company's liability. Certain types of systemic breaches are made less damaging with frequent password changes, but individual users' security is actually reduced. Many studies over decades show that forcing users to change passwords makes individual users' accounts less secure because users will write down their new passwords or forget them, resulting in an elevated exposure to unauthorized access and denial of service vulnerabilities (DoS attacks are often neglected when evaluating vulnerability). Further, new mechanisms must be put in place to handle user access issues related to frequent password changes that increase the attack surface.

I make it a personal policy to opt out of such incompetent "security features," and if it is not possible to opt out without switching services I switch services... so goodbye T-Mobile, best of luck.

Userlevel 1

No, this was the first time; I only worry that now that T-Mobile has started this practice, I will be required to change my password every six to twelve months - as is often the case when I.T. departments decide to start requiring this of their users.

They keep doing it -- I couldn't login and it kept taking me to Tuesday deals.  I even filed a complaint and they e-mailed and called me -- but didn't address my issue.  It's their convenience for us to change our password or use their app or do auto pay -- so you don't review your bill.  They are getting more and more like AT&T and Verizon.  Just going for the max.  They also have my info incorrect.  I have been with T-Mobile 10 years.

Userlevel 7

I just started a new job and I'm coming up to my 90 days and

I got a notice to change my password.

I too will consider moving to a different carrier after 20 plus years with T Mo because of this issue.

There is no justification to say that changing passwords increases security. I thought that T-Mobile was above such silliness.


I really hate this - do away with it at once.

Yet again here is evidence that T-Mobile doesn’t really care to make policies that protect users and user experience. This is about liability and compromise on resources to build proper security measures. Why is there no proper 2FA? The password change is an annoyance for users, but tolerable for T-mobile so that in a class action courtroom they would be able to claim they had strict security measures. They make themselves less vulnerable in a courtroom by shifting that vulnerability to their users.

While having to reset my password in order to comment here was a little annoying, I love all the information you can get about TMobile users.

Count me also being forced to reset my ‘old’ pw just to like this comment! Security! Ha!

You can work around Tmo’s glaring issue by changing your pw 6 times, but it’ll take that many SMS and re-login and ~15min of hassle just to get your pw back, but at least it CAN be done.

This is so annoying, I don't know what they're getting out of this. We can't choose our old password and we have to keep creating new passwords that we can't even remember. If they ask me to change the password one more time I promise I will cancel all my 10 lines and find a different provider. 


This doesn't protect anything and it is very annoying to have to do. If I'm gonna have to keep doing this I will switch company just for this annoying garbage. Please change that. I don't ever want to change my password and have never been hacked. If I want to keep my fkn password for over 10 years that's my fkn problem. If someone gets my password then that's my problem. What if I forced you to kiss my knuckle?

Userlevel 1

It’s funny because TMobile is now the easiest account to hack. 

Post it notes with the new forced password (since they cannot be rotated) are everywhere. I see them on people's computers at work, I see them in files on their phones, I see them at every home office and desk. 

Thank you TMobile for making hacking your customers easier!!! A little social engineering (for those interested, simply look through your friends' photos of them at their desk, GUARANTEED they have photos with their passwords for every company like TMobile that still forces regular password resets! LOL)

While having to reset my password in order to comment here was a little annoying, I love all the information you can get about TMobile users. 

Long live horrible security teams!

I too am extremely disappointed that T-Mobile forces us to change our passwords. I have been with T-Mobile for over 15 years and I am on the verge of leaving them. They are not even on 5G yet. They make too many promises that they can't live up to. Any company that does not allow their customers to opt-out of something that is this annoying is the last straw. My $135 a month will be going to a different carrier shortly! Bye Bye & Good Riddance T-Mobile...