'IT's locked me out!' Dealing with mandated password change

A reader who wishes to remain anonymous has a bone to pick with corporate IT. He writes:

My company forces us to change our email password every three months. I suppose this makes us more secure but it's really inconvenient for me because sometimes I forget to change the password on one of my devices, that device tries to get my work email, the company's system locks me out when it receives too many instances of the wrong password, and then I have to reset my password and start all over again. Can you recommend a technique that will prevent this from happening?

Depending on how open your IT department is to new ideas, you might forward them a copy of Cormac Herley's paper So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users (Microsoft Research, 2009). It and other security studies suggest that the "best practice" of forcing a password change every few months has outlived its usefulness; NIST's later guidance in SP 800-63B likewise advises against mandatory periodic changes unless there is evidence that the password has been compromised. Not only are attacks more varied and swift than when these policies were put in place, but forced rotation often causes users the kind of frustration that leads to greater security lapses (taping the new password to the monitor, or deriving it from the old one by changing a single character, for example).

Despite your best efforts, however, your IT department may be perfectly content to leave things exactly as they are. (After all, they may know a few things that you don't.) And that means that the onus is on you to dull the pain as much as possible. As I've been through this kind of thing before, here's what I do.

I begin by putting every iOS device I own into Airplane Mode (swipe up from the bottom of the screen to open Control Center and tap the Airplane Mode button). On all but one computer I sever the Internet connection, Wi-Fi or Ethernet. The reason is that every Mail, Calendar, and Contacts client that still holds the account's old password will keep retrying with it, and each failed attempt counts toward the server's lockout threshold, so a device I haven't updated yet must not be able to reach the server at all. I'm now left with one device that can communicate with the outside world.

With that one device I log into my corporate account and traipse through the steps necessary to change my email password. With that done, I fire up my email client and make sure that I can send and receive email through the account with the now-updated password. If it works, I know it's okay to proceed.

Without reestablishing an Internet connection on the other devices, I update the password on each one. For iOS devices you can do this in the Mail, Contacts, Calendars setting and on a Mac that uses Apple's Mail, make the change in the Internet Accounts system preference. When doing so without an active Internet connection you'll likely be told that the setting can't be confirmed. Be insistent and click or tap Done again and the setting will be saved.

If you use an email client that doesn't get its settings from the Internet Accounts preference be sure to enter the new password in that app's Accounts area before proceeding.

Once a device holds the new password you can reconnect it to the Internet. Reconnect the devices one at a time and confirm that each one sends and receives before moving on to the next; that way a device you overlooked, still holding the old password, shows itself after a single failed attempt rather than after enough failures to trip the lockout. If you've done this correctly with every device that uses the password, you should be able to send and receive email without fear of being locked out.
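To make the failure mode concrete, here is a small model of a server-side lockout policy fed by several mail clients. It is an added example, not code from the column or from any mail vendor; the threshold, observation window, lockout duration, polling intervals and sample passwords are all assumptions, as is the server behaviour of counting failures over a sliding window without resetting on a successful login. The first scenario is the reader's situation (one iPad never updated and still online); the second is the procedure above (other devices offline until they hold the new password).

```python
"""Toy model of an account-lockout policy hit by several mail clients.

Added example, not code from the original column.  Every number below
(threshold, window, duration, polling intervals) is an assumption, not
any vendor's default.  It shows why one device still holding the old
password locks the account for every other device, and why taking the
stale devices offline first avoids it.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Device:
    name: str
    password: str        # credential this client presents
    poll_every: int      # seconds between mail checks
    online_at: int = 0   # first second at which the client has a network path


@dataclass
class LockoutPolicy:
    threshold: int = 5    # failed logins that trigger a lockout (assumed)
    window: int = 1800    # seconds over which failures are counted (assumed)
    duration: int = 1800  # seconds the account stays locked (assumed)


@dataclass
class AccountState:
    password: str
    failures: list = field(default_factory=list)  # timestamps of failed logins
    locked_until: int = -1


def authenticate(acct: AccountState, policy: LockoutPolicy, t: int,
                 presented: str) -> str:
    """Server side of one login attempt: 'ok', 'bad_password' or 'locked'.

    Assumption: failures are counted over a sliding window and a successful
    login does not reset the count (some directories do reset it, which
    only delays the outcome shown here).
    """
    if t < acct.locked_until:
        return "locked"
    acct.failures = [f for f in acct.failures if t - f < policy.window]
    if presented == acct.password:
        return "ok"
    acct.failures.append(t)
    if len(acct.failures) >= policy.threshold:
        acct.locked_until = t + policy.duration
        return "locked"
    return "bad_password"


def simulate(devices, new_password, policy, horizon=3600):
    """Run every client against one account for `horizon` seconds.

    Returns (time of first lockout or None, {device: {result: count}}).
    """
    acct = AccountState(password=new_password)
    tally = {d.name: {"ok": 0, "bad_password": 0, "locked": 0} for d in devices}
    first_lock: Optional[int] = None
    for t in range(horizon):
        for d in devices:
            if t < d.online_at or (t - d.online_at) % d.poll_every:
                continue
            result = authenticate(acct, policy, t, d.password)
            tally[d.name][result] += 1
            if first_lock is None and acct.locked_until > t:
                first_lock = t
    return first_lock, tally


OLD, NEW = "Spring2014!", "Summer2014!"   # constructed sample passwords
POLICY = LockoutPolicy()


def scenario_stale_device():
    """Reader's situation: the iPad was never updated and stays online."""
    devices = [
        Device("ipad", OLD, poll_every=60),    # stale, retries every minute
        Device("mac", NEW, poll_every=300),    # already updated
    ]
    return simulate(devices, NEW, POLICY)


def scenario_isolated_first():
    """Column's procedure: every other device stays offline until it holds NEW."""
    devices = [
        Device("mac", NEW, poll_every=300),                 # the one online device
        Device("ipad", NEW, poll_every=60, online_at=600),  # reconnected after update
    ]
    return simulate(devices, NEW, POLICY)


if __name__ == "__main__":
    for label, fn in (("stale device online", scenario_stale_device),
                      ("isolated first", scenario_isolated_first)):
        lock, tally = fn()
        print(f"{label}: first lockout at t={lock}; {tally}")
```

With these numbers the stale iPad alone trips the threshold four minutes after the password change, and the Mac, which already holds the correct password, is locked out for the rest of the lockout duration; in the second scenario no device ever presents the old password and no lockout occurs.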

By Christopher Breen