Forum Discussion
Forced to reset my password
Why does T Mobile's website force you to reset your password every couple of months!?
When banking institutions who actually MANAGE YOUR MONEY leave you in peace, it's crazy for a phone company to force you to reset.
I know the generic IT response will be "it's for security reasons", but you shouldn't FORCE your customer to "be secure". It should be a warning where we get the OPTION to reset, not being forced to do so.
So I guess my question is, is there a way to opt out of this "security feature" or someone I can talk to that can disable that from my account? After a full year of this nonsense, I'm getting to the point where I'm willing to leave the company if I don't get a resolution soon.
- torqued, Newbie Caller
Allow me to point you to several sources over the last few years on why frequent password changes are bad:
Time to rethink mandatory password changes | Federal Trade Commission
From NIST - the United States National Institute for Standards and Technology.
Q-B5: Is password expiration no longer recommended?
A research paper from University of Maryland on why bits of entropy in a password matter more than rules like At least one uppercase letter, one lowercase letter, a number, and a symbol.
http://www.cs.umd.edu/~jkatz/security/downloads/passwords_revealed-weir.pdf
I think I'll believe the security experts over T-Mobile's security decisions.
- torqued, Newbie Caller
T-Mobile is way behind the times on this. It used to be best practice to change your password every few months to prevent someone from being able to repeatedly try to log in as you, with a new password guess each time. Now, it's considered significantly more risky to force a password change frequently because it increases the risk that people will write the password down somewhere like a notepad near the keyboard or a sticky note in the wallet. Unfortunately, T-Mobile's idea of security is to irritate enough customers that they leave for other providers, thus reducing their risk.
- thegtc, Newbie Caller
Uh - sorry, no. This is not "standard industry practice". Of all the various accounts I have had elsewhere, this is the only place that FORCES it. Well, Yahoo forced it sometime back after a security breach... that's all I can think of. This is infuriating. I have VERY secure passwords built on a memorized algorithm and this is the only place that really screws it up. I have had to change it at least 4 times in the last couple of years. HATE IT. You need to have an OPT OUT.
- magenta9717154, Newbie Caller
No, this is not a best practice. If anything, it reduces security.
- Sagelmoon, Roaming Rookie
magenta9097235 wrote:
Your opinion is wrong.
I've been complaining about this forced password reset for a couple of years.
I AGREE THIS IS RIDICULOUS.
We are forced to change password for "security"... yet I can pick up my boyfriend's phone, who I do NOT know the password for, call customer service, tell them I forgot it and then get a text sent to HIS phone to change HIS password. Without giving any explanation.
That means ANYONE can do that on ANY T-Mobile phone they find.
Great security
- magenta9097235, Newbie Caller
Your opinion is wrong.
I've been complaining about this forced password reset for a couple of years.
- ExecuServices, Newbie Caller
From 2016: https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
We have known for a while now that password resets are ineffective and even less secure, especially since many users will write down the password, store it on their phone, or like I see at the office ALL the time, just put their password right on a Post-it note on their desktop, for co-workers, utility guys and janitors to enjoy. Not to mention the social media posts. I went through my friends' pictures and about half of them had shots at their desk or with their laptop with at least a partially visible password.
You are really making social engineering easier with this.
- brendonwbrown, Newbie Caller
Yet again here is evidence that T-Mobile doesn't really care to make policies that protect users and user experience. This is about liability and compromise on resources to build proper security measures. Why is there no proper 2FA? The password change is an annoyance for users, but tolerable for T-mobile so that in a class action courtroom they would be able to claim they had strict security measures.
- fsudolphin, Newbie Caller
From the National Institute of Standards & Technology’s Password Guidelines, literally guideline #2:
2. Eliminate Periodic Resets
Many companies ask their users to reset their passwords every few months, thinking that any unauthorized person who obtained a user's password will soon be locked out. However, frequent password changes can actually make security worse.
It's difficult enough to remember one good password a year. And since users often have numerous passwords to remember already, they often resort to changing their passwords in predictable patterns, such as adding a single character to the end of their last password or replacing a letter with a symbol that looks like it (such as $ instead of S).
So if an attacker already knows a user’s previous password, it won’t be difficult to crack the new one. The NIST guidelines state that periodic password-change requirements should be removed for this reason.
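The predictable-change pattern described in the post above, as an added example that is not part of the thread: a check a change-password handler could run to flag a new password that is only a suffix bump, look-alike swap or small edit away from the old one. The look-alike table, the edit threshold and the sample pairs are assumptions made for illustration.

```python
import re

# Look-alike symbols users swap in for letters ("$" for "S" is the post's
# example; the rest of this table is an assumed, illustrative list).
LOOKALIKES = str.maketrans("$@0134!57", "saoleaist")

def skeleton(password):
    """Reduce a password to the base string the user actually memorised."""
    base = re.sub(r"[\d\W_]+$", "", password.lower())  # drop trailing counter/year/symbol
    return base.translate(LOOKALIKES)                   # undo look-alike swaps

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def predictable_change(old, new, max_edits=2):
    """Return why `new` is a predictable variant of `old`, or None.

    Only usable at change time, when the user has just typed the current
    password; stored hashes cannot be compared this way.
    """
    if old.lower() == new.lower():
        return "case change only"
    if skeleton(old) and skeleton(old) == skeleton(new):
        return "same base with a new suffix or look-alike symbol"
    if edit_distance(old, new) <= max_edits:
        return "within %d edits of the old password" % max_edits
    return None

# Constructed sample pairs (not real credentials).
SAMPLES = [
    ("Sunshine1", "Sunshine2"),
    ("Sunshine1", "$unshine1"),
    ("Sunshine1", "correct horse battery"),
]

if __name__ == "__main__":
    for old, new in SAMPLES:
        print(f"{old!r} -> {new!r}: {predictable_change(old, new)}")
```
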
- snn555, Bandwidth Buff
Well, other than for security reasons, it's just good practice. With as many wireless accounts as there are being hacked into, with people's information being stolen and accounts being changed, it's somewhat important to have an updated password as well as account verification PIN numbers.
Nonetheless, this is a standard industry practice and there is no way to opt out of it.