Solved

Forced to reset my password


Why does T Mobile's website force you to reset your password every couple of months!?

When banking institutions who actually MANAGE YOUR MONEY leave you in peace, it's crazy for a phone company to force you to reset.

I know the generic IT response will be "it's for security reasons", but you shouldn't FORCE your customer to "be secure". It should be a warning where we get the OPTION to reset, not being forced to do so.

So I guess my question is, is there a way to opt out of this "security feature" or someone I can talk to that can disable that from my account? After a full year of this nonsense, I'm getting to the point where I'm willing to leave the company if I don't get a resolution soon.


Best answer by snn555 4 January 2019, 19:41


14 replies

Userlevel 6

Well, other than for security reasons, it's just good practice. With as many wireless accounts as there are being hacked into, with people's information being stolen and accounts being changed, it's somewhat important to have an updated password as well as account verification PIN numbers.

Nonetheless, this is a standard industry practice and there is no way to opt out of it.

Userlevel 1

T-Mobile is way behind the times on this. It used to be best practice to change your password every few months to prevent someone from being able to repeatedly try to log in as you, with a new password guess each time. Now, it's considered significantly more risky to force a password change frequently because it increases the risk that people will write the password down somewhere like a notepad near the keyboard or a sticky note in the wallet. Unfortunately, T-Mobile's idea of security is to irritate enough customers that they leave for other providers, thus reducing their risk.

Userlevel 6

I can't agree with that at all, but nonetheless that's just my opinion.

You could do like I do and get two-factor authentication, so that once you log in you have to get a text sent to your device and enter the code. There is extra security there. After all, if they don't have your device, they don't get the text message.

Userlevel 1

Allow me to point you to several sources over the last few years on why frequent password changes are bad:
Time to rethink mandatory password changes | Federal Trade Commission

From NIST, the United States National Institute of Standards and Technology:

Q-B5: Is password expiration no longer recommended?

A research paper from the University of Maryland on why bits of entropy in a password matter more than rules like "at least one uppercase letter, one lowercase letter, a number, and a symbol":
http://www.cs.umd.edu/~jkatz/security/downloads/passwords_revealed-weir.pdf

I think I'll believe the security experts over T-Mobile's security decisions.

Your opinion is wrong.

I've been complaining about this forced password reset for a couple of years.

Userlevel 1

Uh, sorry, no. This is not "standard industry practice". Of all the various accounts I have had elsewhere, this is the only place that FORCES it. Well, Yahoo forced it some time back after a security breach... that's all I can think of. This is infuriating. I have VERY secure passwords built on a memorized algorithm, and this is the only place that really screws it up. I have had to change it at least 4 times in the last couple of years. HATE IT. You need to have an OPT OUT.

No, this is not a best practice. If anything, it reduces security.

Your opinion is wrong.

I've been complaining about this forced password reset for a couple of years.

I AGREE THIS IS RIDICULOUS.

We are forced to change our password for "security"... yet I can pick up my boyfriend's phone, whose password I do NOT know, call customer service, tell them I forgot it, and then get a text sent to HIS phone to change HIS password. No questions asked.

That means ANYONE can do that on ANY TMobile phone they find.

Great security.

Userlevel 1

From 2016: https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes

We have known for a while now that password resets are ineffective and even less secure, especially since many users will write down the password, store it on their phone, or, like I see at the office ALL the time, just put their password right on a post-it note on their desktop for co-workers, utility guys and janitors to enjoy. Not to mention the social media posts. I went through my friends' pictures and about half of them had shots at their desk or with their laptop with at least a partially visible password.

You are really making social engineering easier with this.

Userlevel 1

Yet again here is evidence that T-Mobile doesn’t really care to make policies that protect users and user experience. This is about liability and compromise on resources to build proper security measures. Why is there no proper 2FA? The password change is an annoyance for users, but tolerable for T-mobile so that in a class action courtroom they would be able to claim they had strict security measures. 

From the National Institute of Standards & Technology’s Password Guidelines, literally guideline #2:

2. Eliminate Periodic Resets

Many companies ask their users to reset their passwords every few months, thinking that any unauthorized person who obtained a user’s password will soon be locked out. However, frequent password changes can actually make security worse.

It’s difficult enough to remember one good password a year. And since users often have numerous passwords to remember already, they often resort to changing their passwords in predictable patterns, such as adding a single character to the end of their last password or replacing a letter with a symbol that looks like it (such as $ instead of S).

So if an attacker already knows a user’s previous password, it won’t be difficult to crack the new one. The NIST guidelines state that periodic password-change requirements should be removed for this reason.
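Added example (editor's illustration, not from this thread and not T-Mobile's or NIST's code): the guideline quoted above says forced rotation pushes users toward predictable edits of their old password, such as appending a character, bumping a year, or swapping "s" for "$". A service that wants to stop the weak-change pattern without mandating rotation can instead check, at the moment a user voluntarily changes a password, whether the new one is a trivial variant of the old one. The check below reduces both passwords to a "core" (lowercase, strip up to four trailing or leading non-letters, undo a constructed table of look-alike substitutions) and falls back to an edit-distance threshold. The threshold, the look-alike table and the four-character strip limit are the example's own assumptions, not figures from the page.

```python
import re

# Look-alike substitutions users commonly apply when told to "change" a password
# ("$" for "s", "0" for "o"). Constructed table for this example; extend as needed.
LOOKALIKES = {"$": "s", "5": "s", "@": "a", "4": "a", "0": "o",
              "1": "i", "!": "i", "3": "e", "7": "t"}


def core_form(pw: str) -> str:
    """Reduce a password to its 'core': lowercase, drop up to four non-letters at either
    end (the 'add a character / bump the year' pattern), then undo look-alike swaps.
    'Summer2019', 'Summer2020' and 'Summer!!!' all reduce to 'summer'."""
    s = pw.lower()
    s = re.sub(r"^[^a-z]{0,4}", "", s)   # leading digits/symbols
    s = re.sub(r"[^a-z]{0,4}$", "", s)   # trailing digits/symbols
    return "".join(LOOKALIKES.get(c, c) for c in s)


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute), iterative single-row version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete from a
                           cur[j - 1] + 1,         # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def change_verdict(old: str, new: str, max_edits: int = 2) -> str:
    """Return 'ok' if the new password is genuinely different from the old one,
    otherwise a short reason the change should be rejected. Assumes the service
    has the old password available only at change time (the user just typed it)."""
    if old == new:
        return "unchanged"
    old_core = core_form(old)
    if old_core and old_core == core_form(new):
        return "same core (only appended characters or look-alike swaps differ)"
    if levenshtein(old.lower(), new.lower()) <= max_edits:
        return f"within {max_edits} edits of the previous password"
    return "ok"


def is_trivial_variant(old: str, new: str) -> bool:
    """Convenience wrapper: True when the change should be rejected."""
    return change_verdict(old, new) != "ok"


if __name__ == "__main__":
    # Constructed sample pairs a user might submit after a forced reset.
    for old, new in [("Password1", "Password2"), ("Summer2019", "Summer2020"),
                     ("Password", "Pa$$w0rd"), ("correct horse battery", "staple elephant trombone")]:
        print(f"{old!r} -> {new!r}: {change_verdict(old, new)}")
```

The point of the design is that the comparison happens once, against the password the user just proved they know, so nothing about the old password needs to be stored in recoverable form; the check is a complement to a breach-list lookup, not a replacement for one, and it says nothing about how strong the new password is on its own.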


Userlevel 6
Badge +11

With the recent data breach, I'm actually surprised people are still upset that they are being forced to change their PW.

Why are you surprised? Mandatory periodic password resets DECREASE security, per the National Institute of Standards and Technology.

Well other than for security reasons it's just good practice. With as many Wireless account as there are being hacked into with people's information being stolen and accounts being changed it's somewhat important to have an updated password as well as account verification PIN numbers.

nonetheless this is a standard industry practice and there is no way to opt out of it.

The correct forced password change interval is *never*. This is a bad, bad policy and I can’t believe T-Mobile is sticking to its guns on this. Changing a password that is not known to be compromised does NOT improve security, and on the contrary, only forces frustrated users to choose simpler, less secure passwords, or even worse, re-use them.
