Forum Discussion
Forced to reset my password
Why does T Mobile's website force you to reset your password every couple of months!?
When banking institutions who actually MANAGE YOUR MONEY leave you in peace, it's crazy for a phone company to force you to reset.
I know the generic IT response will be "it's for security reasons", but you shouldn't FORCE your customer to "be secure". It should be a warning where we get the OPTION to reset, not being forced to do so.
So I guess my question is, is there a way to opt out of this "security feature" or someone I can talk to that can disable that from my account? After a full year of this nonsense, I'm getting to the point where I'm willing to leave the company if I don't get a resolution soon.
Well, other than for security reasons, it's just good practice. With as many Wireless accounts as there are being hacked into with people's information being stolen and accounts being changed, it's somewhat important to have an updated password as well as account verification PIN numbers.
Nonetheless, this is a standard industry practice and there is no way to opt out of it.
- agFinder Newbie Caller
One more bump for 'forcing password changes is sh!t policy'. My password was VERY SECURE and all I did was change one number - which I will change back soon. STOP FORCING PASSWORD CHANGES!!!
- oweikslv Newbie Caller
Agree this is super annoying/infuriating. At the very least, there should be an opt out if you sign up for MFA. I avoid logging in at all costs because every time I do it's a password, at least two codes texted to me to type in somewhere, and the whole password change process.
- Matthew Newbie Caller
snn555 wrote:
Well, other than for security reasons, it's just good practice. With as many Wireless accounts as there are being hacked into with people's information being stolen and accounts being changed, it's somewhat important to have an updated password as well as account verification PIN numbers.
Nonetheless, this is a standard industry practice and there is no way to opt out of it.
The correct forced password change interval is *never*. This is a bad, bad policy and I can't believe T-Mobile is sticking to its guns on this. Changing a password that is not known to be compromised does NOT improve security, and on the contrary, only forces frustrated users to choose simpler, less secure passwords--or even worse, re-use them.
- fsudolphin Newbie Caller
Why are you surprised? Mandatory periodic password resets DECREASE security, per the National Institute of Standards and Technology.
- fireguy_6364 Modem Master
With the recent data breach, I'm actually surprised people are still upset that they are being forced to change their PW.
- fsudolphin Newbie Caller
From the National Institute of Standards & Technology’s Password Guidelines, literally guideline #2:
2. Eliminate Periodic Resets
Many companies ask their users to reset their passwords every few months, thinking that any unauthorized person who obtained a user's password will soon be locked out. However, frequent password changes can actually make security worse.
It's difficult enough to remember one good password a year. And since users often have numerous passwords to remember already, they often resort to changing their passwords in predictable patterns, such as adding a single character to the end of their last password or replacing a letter with a symbol that looks like it (such as $ instead of S).
So if an attacker already knows a user’s previous password, it won’t be difficult to crack the new one. The NIST guidelines state that periodic password-change requirements should be removed for this reason.
- brendonwbrown Newbie Caller
Yet again here is evidence that T-Mobile doesn't really care to make policies that protect users and user experience. This is about liability and compromise on resources to build proper security measures. Why is there no proper 2FA? The password change is an annoyance for users, but tolerable for T-Mobile so that in a class action courtroom they would be able to claim they had strict security measures.
- ExecuServices Newbie Caller
From 2016: https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
We have known for a while now that password resets are ineffective and even less secure, especially since many users will write down the password, store it on their phone, or like I see at the office ALL the time, just put their password right on a Post-it note on their desktop, for co-workers, utility guys and janitors to enjoy. Not to mention the social media posts. I went through my friends' pictures and about half of them had shots at their desk or with their laptop with at least a partially visible password.
You are really making social engineering easier with this.
- Sagelmoon Roaming Rookie
magenta9097235 wrote:
Your opinion is wrong.
I've been complaining about this forced password reset for a couple of years.
I AGREE THIS IS RIDICULOUS.
We are forced to change password for "security"... yet I can pick up my boyfriend's phone, who I do NOT know the password for, call customer service, tell them I forgot it and then get a text sent to HIS phone to change HIS password. Without giving any explanation.
That means ANYONE can do that on ANY TMobile phone they find.
Great security
- magenta9717154 Newbie Caller
No, this is not a best practice. If anything, it reduces security.