Changing password every 60 days is a terrible policy
I recently logged into the my.t-mobile site and had to change my password due to this new policy. This new policy is terrible due to multiple reasons. Anyone who is current on IT security should know that changing your new secured/selected password to something new randomly causes more trouble than it's worth. Users can't remember these new things every 60 days if you create a secure combination for your password.
I don't log in to t-mobile every day to see/change things. If you cannot secure my password in the first place, it's not our fault. Don't force us to change ours to cover your problem.
- magenta7257 (Roaming Rookie)
I am totally annoyed (and frustrated) at the way Tmobile handles their password resets. Although I understand the need to change passwords occasionally, it is ridiculous to have to change them every 60 days. To make matters worse, we are not given any notice or warning. I wanted to log in and pay my bill today and was not allowed to access my account without "changing" my password. But of course, it wasn't that simple. No, I had to have them send me a verification code first. That totally annoys me. So I had them send me an email. The email I received said "Forget your T‑Mobile ID password? We hate when that happens, but it's an easy fix. Just click the button below to create a new one:" Receiving a message like that when I forgot my password is great but in this instance it took me beyond annoyance to anger because I didn't forget my password. Nor did I want to change it. Rather, they FORCED me to change it. Most places (that don't wish to cause their customers total frustration) will at least allow you to log in with your credentials then take you to a password update page so they can change it right away rather than having to go through the whole verification process. Again, I do understand the reasoning and appreciate Tmobile's commitment to keeping our accounts safe but angering your customers by forcing them to jump through multiple hoops without any forewarning is not very nice. Why couldn't I be given a heads up? What about a warning letting me know that my password was about to expire or an option to delay changing it but letting me know that I would need to change it within x number of days or something. Instead, rather than being able to quickly log on to pay my bill I've had to spend several minutes dealing with this whole password mess. To add insult to injury, they apparently changed their password parameters so that the "special character" that I have been using is no longer allowed.
Then (in my rush to get this over with) I accidentally hit the caps lock button, so my new password is in caps (I think), which I don't want. I tried to change it again (to non-caps) and the website wouldn't let me change my password again. So, it appears that we are not allowed to change our passwords when we want to but are forced to change it when they decide they want us to without any forewarning, at the most inconvenient time and in the most annoying way possible. Gee, thanks Tmobile. I couldn't even post anything to these discussion boards without first verifying my account. Why can't I log in with my current password and change it from there?
- tmo_marissa (T-Mobile Employee)
Hey, @timph! I heard back from our contact who owns the content around the password change process, and was advised firmly that as the system stands, password changes should only be required once a year -- though as best practice we recommend changing them more frequently. I know this conflicts with what you saw, so while I wish I could explain the difference, I'm sorry to say I'm not able to speak to that.
@scott523, in this case, that means that you were able to use the same password for longer than designed before the update prompt, which I believe is because this policy wasn't implemented when your account was initially started -- after reviewing revisions to our documents, it looks like the Prompted to change your password section was added at the beginning of this year.
Reset your T-Mobile ID password has been updated to call out the yearly password change requirement in the Prompted to change your password section, and I'm also adding the feedback that we include the password recycling rule in the requirements section as well -- hopefully that will be OK with our content folks!
Thank you again very much for your feedback around this. I know that adding an extra step to your day by having to create a new password with some relatively stringent requirements compared to other sites isn't fun, but at least we can confirm that this shouldn't happen frequently. If it does, please let us know.
- tmo_marissa (T-Mobile Employee)
Good call out -- you're right, recycling passwords isn't allowed. I think that perhaps having that item and the overall password requirements included in the content here on the Support site would help, along with any information we can find about age-out timelines for passwords. Thanks for bringing that up!
- scott523 (Newbie Caller)
I think it’s been 18 months since I joined the TMO. I pretty much joined after the T-Mobile One plan arrived.
I can’t remember 100% if I saw the 60-day rule when being forced to change the password on the T-Mobile app on my iPhone X but that could be legitimate. I didn’t really think of looking for it since TMO have come under fire on account security this month. I guess I’ll find out in 50 days. I’ve also noticed the new password system doesn’t allow recycling old passwords, which is even annoying. I may have to come up with something like “Tmobile1*” then “Tmobile2*” in the future.
- tmo_marissa (T-Mobile Employee)
Thank you so much! 😊 I appreciate that. I am going to reach out and see what I can find out!
- timph (Roaming Rookie)
My account is Simple Choice North America Plan. It's thru Desktop.
- tmo_marissa (T-Mobile Employee)
Sorry, guys -- I promise I'm trying to help! I want to forward the feedback so I'm trying the best way I can figure out to determine where the gap is in communicating forced password changes. 😥 I was logged in already when I completed that PW change that I screenshot above -- I went to the Profile settings to change it. I think what you're saying is that once you log in, you see an alert from MyTMO that's telling you that you have to change your password, is that right?
@scott523 do you mind letting me know how long it had been since you joined before you were asked to change your password? Did you see an advisement about a 60 day requirement when you completed the PW change? I know that sometimes we may do forced password changes but the 60 day item is new to me and not outlined in any of our content, so if it seems like I'm sticking at that point, that's why. For security purposes we do ask that passwords be changed sometimes -- either because we've updated our security requirements, or perhaps because they're old -- and I hear that this is a nuisance. While we're not the folks who make this decision, we're happy to pass that feedback on. Where I see an opportunity for our team here is that if that's the case -- passwords need to be routinely changed due to age -- I do think it would help to let customers and our frontline know how old a password is allowed to get -- does that make sense?
@timph the PW screens I shot above are after being logged in already, when you elect to change your PW through the Profile settings on MyTMO.com. Since our screens are different -- can I make sure you are visiting via desktop/laptop? Or is this issue with the MyTMO app or visiting on mobile? MyTMO views also vary by account type -- do you mind letting me know what type of account you have?
- scott523 (Newbie Caller)
Marissa, I appreciate you trying to troubleshoot this issue but I think you’re going the wrong way on this matter.
The issue is when a user hasn’t changed their password in many months, the system forces the user to change their password upon logging in. So your screenshots are useless because it’ll only happen after logging in. You probably won’t get a screenshot from us unless someone didn’t change their password yet. Maybe IT should just make an account with an old password and try it for themselves...
This also happened to me (just a normal postpaid customer) and I must admit that I haven't changed my password since I joined T-Mobile. Forcing to change an old password at a government level may be reasonable but at a services/utilities level(?), it may be a bit overkill and a nuisance like the other original poster is getting at.
- timph (Roaming Rookie)
No, it's not coming from inside your profile account AFTER you logged in. It asked me to change my pwd after the login screen. That pwd change screen is not one of the above.
- tmo_marissa (T-Mobile Employee)
Hmmm.... I walked through the password change process, and don't have any 60 day advisement (screenshots below)!
I wonder if this might be an extra layer of security based on account type? Do you have a postpaid or pay in advance plan? Are you a consumer or business customer? Thanks for any info you're comfortable sharing!