Wednesday, March 2, 2016

#empoexpiire - Another example of how a 90 day password expiration policy discourages registrations

I haven't posted anything in my #empoexpiire series lately. Well, it's time to revisit the topic of 90 day password expiration.

You'll recall my June 15, 2015 post in which I returned to a service after several years, only to find out that if I reactivated the service, I'd have to change my password every 90 days.

I didn't reactivate the service. Too much hassle.

Some time last year, I also tried to re-access a separate service that listed government business opportunities. I ran into hassles and dropped the matter until now.

I knew my login name for the service, but could not recall the password. I tried a number of possible passwords, none of which worked. So I went to the service's reset password option, which would email me procedures to reset my password. I would receive that email within a few minutes.

I never received the email.

After some thought, I realized why I didn't receive the email. Over the last eight years, I have had four different work email addresses, and three of those addresses are no longer operational. (Note to those who are trying to email me at my old Motorola email address: I won't get your email.) It was extremely likely that the password email had been sent to one of those three email addresses.

So I went to the service's support website, which required me to set up a separate support account. (Did I mention that the first site listed government business opportunities?)

Once I had set up the support account, I contacted a person who was very helpful, and who confirmed that my account was linked to one of those three non-existent email addresses. The support person also noted that they were not authorized to modify email addresses on accounts, and that I would therefore have to set up a separate account with a new user name.

Frankly, I can understand this policy. After all, it is quite possible that I could have been an imposter, trying to gain access to John Bredehoft's account. An imposter could probably easily provide old email address information, along with a sob story about having no access to those email accounts any more. This could trick a support person into redirecting account emails to a fraudulent address.

So why haven't I created a new account with a new user name for this particular service? Because of the sentence at the end of the support email.

Passwords must be changed every 90 days or your account will be disabled.

So if I set up the new account today, I'd have to change the password within 90 days anyway.

I might as well wait until I have to use the service on a regular basis before setting up the account.

P.S. You know that separate support account that I DID set up? Well, it has a 90 day password expiration policy also.