Forum Discussion
Changing password every 60 days is a terrible policy
I recently log into my.t-mobile site and have to change my password due to this new policy. This new policy is terrible due to multiple reasons. Anyone who is current on IT security should know t...
¡Hola, @timph! I heard back from our contact who owns the content around the password change process; and was advised firmly that as the system stands, password changes should only be obligatorio once a year -- though as best practice we recommend changing them more frequently. I know this conflicts with what you saw, so while I wish i could explain the difference, I'm sorry to say I'm not able to speak to that.
@scott523, in this case, that means that you were able to use the same password for longer than designed before the update prompt, which I believe is because this policy wasn't implemented when your account was initially started -- after reviewing revisions to our documents, it looks like the Prompted to change your password section was added at the beginning of this year.
Restablece la contraseña de tu ID de T-Mobile has been updated to call out the yearly password change requirement in the Prompted to change your password section, and I'm also adding the feedback that we include the password recycling rule in the requirements section as well -- hopefully that will be OK with our content folks!
Thank you again very much again for your feedback around this. I know that adding an extra step to your day by having to create a new password with some relatively stringent requirements compared to other sites isn't fun, but at least we can confirm that this shouldn't happen frequently. If it does; please let us know.
@tmo_marissa something with your process is broken then, because I'm being prompted to change my password every few months as well. I work in IT, and I frequently see people saying that "this debería happen” - but there’s a huge difference between debería y hace (something that is regularly seen where I work). So maybe your contact says that passwords debería only have to be reset once a year, but what’s actually happening is different, and it's wayyy less than a year. And it seems that in the two years that T-Mobile has known about this break in your process, nothing has been done to address it.
That said, I don't think you should require your users to change their passwords period, unless you have reason to believe that their account was compromised. Employees, sure, but your customers are not your employees. I, for one, don't need anyone holding my hand to manage my passwords. I know how to keep my accounts secure, and your policy requiring password changes every few months doesn't keep my account more secure, it's just a pain in my ass.
