Forced to Change My Password...

keith...

      I was unable to login to My T-Mobile just now to pay my bill, unless I changed my password... It said my password was "getting old."

     

      I went ahead and did it (just adding +1 to the number already at the end of my password).  My question is: HOW OFTEN am I going to be forced to go through this stupid procedure?  I've been with T-Mobile now for 20 years, and I've never had problems until about a year ago (since updating the website last summer I consistently cannot login using any browser on my home PC, so I am forced to pay in-store or (recently) I've started paying with my phone's browser - something I hate doing because I can pay all my other bills from my more secure PC)... now, it looks like I'm going to have to start putting up with this 'periodically changing my password' nonsense!

     

      I am very methodical with my passwords, I like my passwords, I do not give out my passwords, and I have never had an account hacked or a password stolen.  The only thing this routine accomplishes is really annoying me as a customer, as I make a one-key variation to my current password every six months (or every year, or however often we'll be forced to do this).  And I know I can't be the only one who feels this way.  Every person I've ever talked to who has had to do this sort of thing for work or whatnot has expressed similar frustration over this procedure.  In fact, more often than not it simply causes users to forget their current password since they've been forced to change it so many times (this has happened to my wife several times for work).

     

      So please, is there a way to opt-out of having to reset my password on a regular basis?  All I want to do is PAY MY BILL every month without a lot of hassle (I've already acquiesced to using my phone's Firefox rather than my PC - can I just keep my password at least).

     

    - Keith -

      All replies

      • tmo_mike_c

        Re: Forced to Change My Password...

        The password change is meant to protect your account so I'm sorry it's annoying you. When you say you're having to change it on a "regular basis" how often are you having to do this exactly? After you change the password, then log right back in afterwards, is it prompting you to change it again? It's not something you'll have to change after each log in.

         

        Just a side note: We do have the T-Mobile app and it's a really convenient and easy way to pay the bill right from the phone without having to use the browser. It'll also save you a trip to the store.

        • magenta6133275

          Re: Forced to Change My Password...

          I never log on to my T-mobile account, unless there's a problem.

          Today was such a day.

          My daughter dropped her phone into the toilet by accident, so I wanted to order her a new SIM card.

          This was the sole reason I logged on.

          Needless to say, I was forced to change her password, at the worst possible of times.

          Luckily, I thought, I can answer security questions so I wouldn't have to acknowledge codes sent by SMS for further authentication.

          That said, when I wanted to change the password back to the proper one (I never wanted it to change in the first place),

          the only option I was left with was to authenticate myself via SMS.... presumably using the now broken phone.

          I tried my luck with the online chat, but that didn't lead anywhere.

          Afterwards I tried the "Forgot my password", and luckily and inconsistently enough, there I could authenticate via options beyond SMS again.

          But apparently T-Mobile remembers the old passwords and doesn't let its user change them back to their proper origin.

          Who on earth designs these pseudo-security systems? It's harassment, plain and simple.

          I can just imagine how this process works if someone is forced to change their password in the midst of a busy airport... all in the name of security!

            • magentatechie

              Re: Forced to Change My Password...

              Yikes! I can see how having to change the password in the middle of a bad episode could be very annoying!  I think all of the carriers are tightening up security due to the influx of scammers and phishers out there.

               

              T-Mobile also sent out notices advising users to update their PIN/passcode for 611 access, but the system will not allow a change unless it is a 6-digit number and cannot be the primary user's birthday, social, or any consecutive or easy to guess series of numbers.  While this change isn't necessarily required, the staff will ask you to update it nearly every time you call (an error pops up on their screen advising a change).

               

              Someone posted here that the website only remembers the last 6 passwords used and reported success with changing the password repeatedly until the site allowed his preferred password after that many attempts.  Will it actually work? I'm really not sure, your mileage may vary as T-Mobile may have found a way to eliminate the work-around.

                • magenta6133275

                  Re: Forced to Change My Password...

                  Please reconsider forcing your users to change their passwords.

                  This does not improve security, and only annoys your customers:

                   

                  Also, NIST updated their guidelines to drop these pseudo-security proposals.

                  • magenta6133275

                    Re: Forced to Change My Password...

                    magentatechie wrote:

                     

                    Someone posted here that the website only remembers the last 6 passwords used and reported success with changing the password repeatedly until the site allowed his preferred password after that many attempts. Will it actually work? I'm really not sure, your mileage may vary as T-Mobile may have found a way to eliminate the work-around.

                     

                    Please keep in mind that the "normal" password change mechanism no longer works for me (as mentioned in my original reply):

                    It requires the receipt of an SMS (text-message), that does not work, as the phone no longer works.

                     

                    Weirdly enough though, I can change my password by pretending to have forgotten it and using the "Forgot my password" mechanism:

                    There I am offered more options to authenticate beyond SMS: Answering pre-selected questions and e-mail as well.

                     

                    The reason I find this weird is that the entry bar of authentication is lower for someone that does not know the password (more choices for "Forgot my password"),

                    than for someone that is already logged in (only option is "SMS").

                     

                    I did not see the number "6" mentioned anywhere on the website, so thank you for that information.

                     

                    I did think about / anticipate that possibility last night, and tried "Forgot my password" a number of times in order to cycle through

                    the maximum number of passwords the system may remember.

                    Unfortunately, the system told me that "I exceeded the number of changes in a 24 hour window" and I would have to wait

                    24 hours to perform the next password change.

                     

                    I hope it's only 6 items the system remembers, otherwise I will spend many days & nights just trying to fix something that wasn't broken to begin with.

                     

                    You probably do understand how very, very, very annoyed I am at this point in time.
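
The password history and 24-hour change limit discussed in this thread, as an added sketch that is not T-Mobile's code and not part of any post: a salted-hash history of depth 6 (the figure reported second-hand above) combined with a per-day change limit. The limit of 3, the class and function names, and the sample passwords are assumptions constructed for illustration. It shows why a history check needs the change limit to hold, and why a hash-based history cannot notice a "+1" variation of the previous password.

```python
import hashlib
import hmac
import os
from collections import deque

HISTORY_DEPTH = 6        # "last 6 passwords", as reported in the thread (unconfirmed)
MAX_CHANGES_PER_DAY = 3  # assumption: the thread gives no number for the 24-hour limit
DAY = 24 * 3600

def _digest(password, salt):
    # Low iteration count keeps the demo fast; it is not a recommended setting.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class Account:
    def __init__(self, password):
        self.history = deque(maxlen=HISTORY_DEPTH)  # (salt, digest), newest last
        self.change_times = []
        self._store(password)

    def _store(self, password):
        salt = os.urandom(16)
        self.history.append((salt, _digest(password, salt)))

    def change_password(self, new_password, now):
        recent = [t for t in self.change_times if now - t < DAY]
        if len(recent) >= MAX_CHANGES_PER_DAY:
            return "rate_limited"
        if any(hmac.compare_digest(_digest(new_password, s), d)
               for s, d in self.history):
            return "reused"  # only an exact match against a stored hash is detectable
        self._store(new_password)
        self.change_times = recent + [now]
        return "ok"

def simulate_cycling(preferred, spacing_seconds, rounds=HISTORY_DEPTH):
    """Rotate through `rounds` throwaway passwords, then ask for `preferred` again."""
    acct = Account(preferred)
    results = [acct.change_password(f"throwaway-{i}", now=i * spacing_seconds)
               for i in range(rounds)]
    results.append(acct.change_password(preferred, now=rounds * spacing_seconds))
    return results

def variation_vs_reuse():
    """An incremented password passes the history check; the exact old one does not."""
    acct = Account("Example-pw-41")  # constructed sample value
    return (acct.change_password("Example-pw-42", now=0),
            acct.change_password("Example-pw-41", now=1))
```

Under these assumptions, rapid cycling is stopped by the rate limit after three changes, while the same sequence spread over several days succeeds, so the limit only delays a return to the old password.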