'IT's locked me out!' Dealing with mandated password change

A reader who wishes to remain anonymous has a bone to pick with corporate IT. He writes:

My company forces us to change our email password every three months. I suppose this makes us more secure but it's really inconvenient for me because sometimes I forget to change the password on one of my devices, that device tries to get my work email, the company's system locks me out when it receives too many instances of the wrong password, and then I have to reset my password and start all over again. Can you recommend a technique that will prevent this from happening?

Depending on how open your IT department is to new ideas, you might forward them a copy of Microsoft's So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users. It and other security studies suggest that the "best practice" of changing passwords every couple of months has outlived its usefulness. Not only are attacks more varied and swift than when these policies were put in place, but it often causes users the kind of frustration that leads to greater security lapses (taping their new password to the monitor or simply creating a single-character variation from the old password, for example).

Despite your best efforts, however, your IT department may be perfectly content to leave things exactly as they are. (After all, they may know a few things that you don't.) And that means that the onus is on you to dull the pain as much as possible. As I've been through this kind of thing before, here's what I do.

I begin by throwing every iOS device I own into Airplane Mode (which you can do by swiping up on the bottom of the screen and tapping on the Airplane Mode button). On all but one computer I sever the Internet connection--Wi-Fi or Ethernet. I do this so that a second device doesn't attempt to log into the corporate email account with a password I haven't yet had a chance to change. I'm now left with one device that can communicate with the outside world.

With that one device I log into my corporate account and traipse through the steps necessary to change my email password. With that done, I fire up my email client and make sure that I can send and receive email through the account with the now-updated password. If it works, I know it's okay to proceed.

Without reestablishing an Internet connection on the other devices, I update the password on each one. For iOS devices you can do this in the Mail, Contacts, Calendars setting and on a Mac that uses Apple's Mail, make the change in the Internet Accounts system preference. When doing so without an active Internet connection you'll likely be told that the setting can't be confirmed. Be insistent and click or tap Done again and the setting will be saved.

If you use an email client that doesn't get its settings from the Internet Accounts preference be sure to enter the new password in that app's Accounts area before proceeding.

Once a device holds the new password you can then reconnect to the Internet. If you've done this correctly and with every device that uses that password, you should be able to send and receive email without fear of being locked out.

Tags MicrosoftAccess control and authentication

Show Comments