Breaking Contract By Forcing Password Change

[palswim]

I've just about had it with web sites that increase their password complexity requirements and force you to change your current password if it does not comply. I don't need an explanation as to why they do it; suffice it to say that I do not agree.

Websites that I use with whom I do not have a contract (i.e. anything for free) can do this, and I either can discontinue my use of the service or take it and change my password.

However, with contract (basically, agreements to pay for a service for a certain number of months, e.g., cell phone providers) services, some companies still try to do this. In my thinking, this essentially breaks the contract by fundamentally altering my service by requiring me to do something to which I never agreed.

Again, if the company doesn't force you to change your password, but enforces complexity requirements if you ever change/reset your password (Google does this), I do have to take it. I wish they didn't, but I can't do too much about that. I only believe I have a leg on which to stand where the company forces me to change the password by preventing me from doing anything on the site before changing the password.

What are your thoughts? Or, how much leverage do I have? (I expect a lot of IANAL responses, but that's quite all right. Maybe we'll even have some IAAL responses!)

 

[webdave]

It's their fault if there is a security breach with your data by you using a weak pw. They need to cover their bases.

 

[ElFenix]

It's their fault if there is a security breach with your data by you using a weak pw. They need to cover their bases.

yes but a lot of times what they enforce is not strong password, just one that's hard to remember.

how strong is a 6 character password regardless of special characters, numbers, and case?

 

[silverpig]

What I hate is when they say something like "your password has to be between 6-10 characters, and contain at least 1 upper case, 1 lower case, and 1 numerical character"

FU

I don't have a single password, rather an internal password algorithm that I use for every website. These kind of restrictions mess it up.

 

[Schfifty Five]

What I hate is when they say something like "your password has to be between 6-10 characters, and contain at least 1 upper case, 1 lower case, and 1 numerical character"

FU

I don't have a single password, rather an internal password algorithm that I use for every website. These kind of restrictions mess it up.

Don't forget "You cannot use your last 5,000,000 passwords".

F THAT S.

I have like 4-5 password combos I like to cycle through, but nowadays that doesn't work because I can't use the last 5M passwords.

 

[MotionMan]

Don't forget "You cannot use your last 5,000,000 passwords".

F THAT S.

I have like 4-5 password combos I like to cycle through, but nowadays that doesn't work because I can't use the last 5M passwords.

Yeah. This one bugs me, too. Especially when I don't want to change the password - I just need a reminder of which password I used for this site.

MotionMan

 

[Bignate603]

I knew one guy that was complaining about his work password. Apparently he couldn't use anything in his password that was a word. For example, if you tried xY1%34cAt5!aJ it would be rejected because it has "cat" in it. It got so frustrating that he ended up using a klingon dictionary to pick passwords.

 

[MotionMan]

I knew one guy that was complaining about his work password. Apparently he couldn't use anything in his password that was a word. For example, if you tried xY1%34cAt5!aJ it would be rejected because it has "cat" in it. It got so frustrating that he ended up using a klingon dictionary to pick passwords.

It was not that bad at my dad's work. However, he would have to change his password once a WEEK, it had to have at least one capital and 1 number and a password could not be repeated for a year.

He would hang the 49ers team picture on his wall and start from the first guy in the first row and work his way through the picture until the next years picture came out (i.e. "Montana16", "Rice80", etc.)

MotionMan

 

[Doppel]

How companies deal with passwords is very irritating, but if u think u will get out of a cell contract because the compan is forced u to change ur password, absolutely not. Good luck with that.

 

[Doppel]

It was not that bad at my dad's work. However, he would have to change his password once a WEEK, it had to have at least one capital and 1 number and a password could not be repeated for a year.

He would hang the 49ers team picture on his wall and start from the first guy in the first row and work his way through the picture until the next years picture came out (i.e. "Montana16", "Rice80", etc.)

MotionMan

Everyone I know forced,to change password at work simple adds another digit on the end, I.e. bob11, bob12, etc.

It took me forever to pick a password for USPS.com, whatever their requirements are are freaking retarded.

 

[MotionMan]

MotionMan

 

[FoBoT]

sounds like you are ready to go off the grid
enjoy

 

[HybridSquirrel]

I find using a phrase is the best way to remember a password....for example thatchickisfat....or with the guidelines at work 8tH4tch1ck15f47


new password guidelines are easy if you are fluent with leet speak

 

[FoBoT]

where i work, we recently changed our access protocol to certain key servers
our accounts are now 'normally' locked for servers in these key zones
each time we need access, you have to email either our manager for any access not pertaining to an approved change (under the change control system) or if it is for an approved change, we email the ops center directly referencing the approved change. then they email us back after our account is reset telling us to call them to get the new password. then we can logon, but the system then immediately requires us to change the password during the logon. once we change it again, then we can get onto the server to make the changes. access is automatically removed and our account again locked after the specified time, normally 2-8 hours is allowed

it is very nice how inefficient it is and how much extra time it takes us to do things now.

 

[ChopperDave]

I don't think this holds logic at all because you haven't said exactly how these password requirements break your contract.

Password requirements suck I agree so I just use lastpass. It kicks butt and I don't have to remember the email I used the username I used or the password I used because it just fills everything in.

 

[Atomic Playboy]

Encouraging complex passwords has the side effect of encouraging employees to write their passwords down on Post-it notes and paste them to their monitor/laptop, which completely defeats the purpose of having a password in the first place.

 

[vshah]

i do the internal algorithm thing as well.

 

[DaTT]

Encouraging complex passwords has the side effect of encouraging employees to write their passwords down on Post-it notes and paste them to their monitor/laptop, which completely defeats the purpose of having a password in the first place.

This. I don't see the point of ever having to change your password if it has never been compromised.

 

[pontifex]

i have like 6 different passwords at work and there's absolutely no reason for it.

also love all the stupid time wasting processes we have to follow because some people can't do their jobs properly.

 

[ultimatebob]

i have like 6 different passwords at work and there's absolutely no reason for it.

also love all the stupid time wasting processes we have to follow because some people can't do their jobs properly.

Yeah, and the rules seem to differ on all of them. Some systems require no password changes at all (EVER!), yet others require a 9 character password that needs numbers, and mixed case, AND a special character, AND need to be changed every 45 days.

The passwords for the latter systems are the ones that I have to write down to remember... and I doubt that I'm the only one.

 

[alent1234]

used to work for a government agency that did that. not only did the user name consist of a crazy combination of your initials, office,and department. but they would change the password twice a year and assign random ones to people. 8 characters, casing, special character, etc. lots of people would write it down. the james bond wannabe IT people thought they were cool

 

[SirStev0]

http://xkcd.com/936/

 

[midwestfisherman]

bitch, bitch, bitch....

 

[Aluvus]

This. I don't see the point of ever having to change your password if it has never been compromised.

If it has been compromised, both you and the service provider may not know that.

 

[palswim]

I don't think this holds logic at all because you haven't said exactly how these password requirements break your contract.

For me, these requirements prevent me from managing my account, or even updating my billing information to pay my bill.