Changing password every 60 days is a terrible policy

I'm so sick of changing password every 2 months. I am ready to change providers. This is very frustrating.

tmo_marissa wrote:

¡Hola, @timph​! I heard back from our contact who owns the content around the password change process; and was advised firmly that as the system stands, password changes should only be obligatorio once a year -- though as best practice we recommend changing them more frequently. I know this conflicts with what you saw, so while I wish i could explain the difference, I'm sorry to say I'm not able to speak to that.

 

 @scott523​, in this case, that means that you were able to use the same password for longer than designed before the update prompt, which I believe is because this policy wasn't implemented when your account was initially started -- after reviewing revisions to our documents, it looks like the Prompted to change your password section was added at the beginning of this year.

Restablece la contraseña de tu ID de T-Mobile has been updated to call out the yearly password change requirement in the Prompted to change your password section, and I'm also adding the feedback that we include the password recycling rule in the requirements section as well -- hopefully that will be OK with our content folks!

Thank you again very much again for your feedback around this. I know that adding an extra step to your day by having to create a new password with some relatively stringent requirements compared to other sites isn't fun, but at least we can confirm that this shouldn't happen frequently. If it does; please let us know.

The correct forced password change interval is *never*.  This is a bad, bad policy and I can't believe T-Mobile is sticking to its guns on this.  Changing a password that is not known to be compromised does NOT improve security, and on the contrary, only forces frustrated users to choose simpler, less secure passwords--or even worse, re-use them.

Hey, folks. Thanks for taking the time to share your feedback here.

@timph​ -- can you tell me a little more about what you're seeing? Does the system tell you that your password is more than 60 days old and needs to be updated? I wasn't able to find a call-out about a 60 day expiration and if that's happening, we're happy to forward your concerns and would like to get it added to our documentation in the interim -- but right now I don't see anything internally or externally calling out that requirement. Personally, I have been using the same MyTMO password for at least six months! 😕

@captcoolhand​ -- thanks for bringing this up. I know that you can change your PIN/Passcode via MyTMO as well -- Configurar tu PIN/código de acceso de cliente -- but I can see your point about the one-time PIN that someone might verify if they picked up your phone and also knew your name. I'll pass that feedback along as well, thank you.

Hmmm.... I walked through the password change process, and don't have any 60 day advisement (screenshots below)!
I wonder if this might be an extra layer of security based on account type? Do you have a postpaid or pay in advance plan? Are you a consumer or business customer? Thanks for any info you're comfortable sharing!

Sorry, guys -- I promise I'm trying to help! I want to forward the feedback so I'm trying the best way I can figure out to determine where the gap is in communicating forced password changes. 😥 I was logged in already when I completed that PW change that I screenshot above -- I went to the Profile settings to change it. I think what you're saying is that once you log in, you see an alert from MyTMO that's telling you that you tener to change your password, is that right?

@scott523​ do you mind letting me know how long it had been since you joined before you were asked to change your password? Did you see an advisement about a 60 day requirement when you completed the PW change? I know that sometimes we may do forced password changes but the 60 day item is new to me and not outlined in any of our content, so if it seems like I'm sticking at that point, that's why. For security purposes we do ask that passwords be changed sometimes -- either because we've updated our security requirements, or perhaps because they're old -- and I hear that this is a nuisance. While we're not the folks who make this decision, we're happy to pass that feedback on. Where I see an opportunity for our team here is that if that's the case -- passwords need to be routinely changed due to age -- I do think it would help to let customers and our frontline know how old a password is allowed to get -- does that make sense?

@timph​ the PW screens I shot above are after being logged in already, when you elect to change your PW through the Profile settings on MyTMO.com. Since our screens are different -- can I make sure you are visiting via desktop/laptop? Or is this issue with the MyTMO app or visiting on mobile? MyTMO views also vary by account type -- do you mind letting me know what type of account you have?

My account is Simple Choice North America Plan. It's thru Desktop.

Thank you so much! 😊 I appreciate that. I am going to reach out and see what I can find out!

Good call out -- you're right, recycling passwords isn't allowed. I think that perhaps having that item and the overall password requirements included in the content here on the Support site would help, along with any information we can find about age-out timelines for passwords. Thanks for bringing that up!

I understand what y'all are saying, but the original post was in regards to a POLICY which requires frequent password changes.  If you are trying to log in and are prompted to change your password more than once per year, this warrants a trouble ticket to be filed with engineering.