WEDNESDAY WHINE: Mandatory Password Changes

  1. Sarah says:

    My office does this as well, and it drives me crazy. It is difficult to come up with an entirely new alpha/numeric/symbol password every six months — not to mention then trying to remember it!

  2. John Romeo says:

    What’s funny about this (which drives me crazy too) is that when you have to change passwords so often, it’s most likely that you’re going to write them down in order to remember them. But that’s the LEAST secure thing you can do! So by requiring passwords to constantly be changed for security reasons, companies actually end up with customers who have LESS security.

  3. Scott says:

    I have to disagree with the home lock comparison you’ve made, Ricky. Your home is just that: your home, so you control how and who has access to the data (i.e. stuff inside) the home. The website is not yours (even though the data inside might be yours) so they get to decide how people should access the site.

  4. Wesley says:

    I had a job where I had to change my password every MONTH! Eight characters, at least one number. And that was just to log into the network, not including any number of other passwords for subsystems/programs that I had to change either every 3 or 6 months. Although my main password was so random, I used it every day, so I could generally remember it. The real problem came when I had a password I changed five months ago and haven’t used since, which seemed to have happened ALL THE TIME. It was very frustrating.

    What I don’t understand is why whatever program you’re using can’t email you 2-3 days before the password expires, saying, “Hey, we’re going to expire this password in a few days. Do you want to change it now, while you have time?”

  5. Arianne says:

    Funny that I read this just after receiving a call to reset someone’s password after I had just reset it for them l i t e r a l l y 3 minutes ago. Being in IT, I understand implementing password policies. Just keep a “system” for your passwords. Use the same one and change the number at the end every few months. Not the most secure but saves you some headaches.

  6. Jesse says:

    As an IT computer tech, I’m getting a kick out of this post & these replies. :)
    Password complexity requirements and expirations are a necessary evil in this day and age. It’s one of those unfortunate annoyances that we have to put up with to keep people from accessing our private information, in this age of identity theft. I’ll steal your “house lock” analogy (no pun intended), and say that it would be nice if we didn’t have to put locks on our doors, as it doesn’t seem that long ago that we didn’t have to do so. Since we don’t live in a perfect world, it’s one of those things that we just have to try to learn to live with. I would rather put up with password annoyances than have someone steal my personal information.
    Good post Ricky!

  7. Ricky says:

    I completely understand why password expirations exist… it would be nice if I were warned about them first, rather than just getting a message that says, “Sorry – You can’t access your account until you change your password! I don’t care if you have something urgent you need to get done right away. Stop everything you’re doing and change your password NOW. And if you can’t remember your old password, I’m going to make you reset it first, which may or may not work right away, delaying you even further.”

  8. Jesse says:

    Too true, Ricky: warnings are very helpful to the user, and websites that don’t use them are very annoying. Here at my company, we implemented a system where an email gets sent out to the user every 3 days beginning 15 days before his or her password expires, complete with a warning that their password is about to expire, and simple instructions on how to change the password.
    Love your site!