May 26 2010
 

This is a point of some mild irritation for me. First, I’ll explain what is installed on your computer, and their password requirements.

When you use the MSOL service, you install their Sign In tool. This tool’s purpose is to manage the various applications you have available to you as part of their BPOS suite, and to log you in automatically. It’s very similar to something like the Google Talk client when you remove the “Talk” part of the client’s function. It logs you in, and provides updates to your online service.

Next are their password requirements:

– At least 7 characters.  [No arguments here.]

– A combination of Upper and Lower case letters. [yay!]

– At least one number or symbol. [Perfect. More secure than my bank which actually disallows symbols]

– Cannot change your password more than once in 24 hours. [Eh?  I know this is to defeat people who change their passwords multiple times to get back around to their original password. But read the next bullet…]

– Cannot re-use your previous 25 passwords. [TWENTY FIVE??? With the previous bullet item in effect, this rule effectively just tracks your ability to track your progress through 25 combinations of Password01 through Password25. This adds nothing but trouble for IT who has to explain why their email password is impossible to remember. My prediction: Everyone in the company has a Post-It note stuck to their monitor with a number between 1 and 25 written on it… If we’re lucky.  In reality, it’ll probably be the whole password.]
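The interaction between the 24-hour rule and the 25-password history, as an added example that is not from the original post or from Microsoft: a Python model of the rules as listed above, showing that one change per day through Password01 to Password25 passes every rule, while comparing the new password to the current one with trailing digits stripped rejects the sequence. The rule semantics, the `stem` helper and the `block_variants` option are assumptions made for illustration.

```python
import re
from datetime import datetime, timedelta

HISTORY_DEPTH = 25             # "Cannot re-use your previous 25 passwords"
MIN_AGE = timedelta(hours=24)  # "Cannot change your password more than once in 24 hours"

def meets_complexity(pw):
    """Length >= 7, upper and lower case, and one non-letter (number or symbol)."""
    return (len(pw) >= 7
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[^A-Za-z]", pw) is not None)

def stem(pw):
    """Hypothetical helper: password with trailing digits removed, lower-cased."""
    return re.sub(r"\d+$", "", pw).lower()

class Account:
    def __init__(self, block_variants=False):
        self.history = []       # plaintext for this demo only; real services keep hashes
        self.last_change = None
        self.block_variants = block_variants  # assumed extra rule, not in the listed policy

    def change(self, pw, now):
        """Return 'ok' or the name of the rule that rejected the change."""
        if self.last_change is not None and now - self.last_change < MIN_AGE:
            return "min-age"
        if not meets_complexity(pw):
            return "complexity"
        if pw in self.history[-HISTORY_DEPTH:]:
            return "history"
        # Compare only with the current password, which the user supplies when changing.
        if self.block_variants and self.history and stem(pw) == stem(self.history[-1]):
            return "variant"
        self.history.append(pw)
        self.last_change = now
        return "ok"

def simulate(block_variants):
    """Constructed scenario: one change per day through Password01..Password25."""
    acct, start = Account(block_variants), datetime(2010, 5, 26)
    return [acct.change(f"Password{i:02d}", start + timedelta(days=i)) for i in range(1, 26)]

if __name__ == "__main__":
    print(simulate(False).count("ok"), "of 25 accepted by the listed rules")
    print(simulate(True).count("ok"), "of 25 accepted with the variant check")
```
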

I thought I’d take some time and add a few more helpful rules.

– You may not use any letter or number that you used in your previous eleven password changes.
– Submit your identity for a background check and home inspection so we can be sure you’re not using a family member/pet name or birthday.
– Hold the laser in your mouse up to your eye for a retina scan

Ok, I’m feeling a little better. Moving on to a new complaint. We all know how users can be about changing their passwords.  They wait until the very last day, often only changing it when Windows refuses to let them log into their computers without doing so.  (I certainly do this with my domain login.) With the Sign In tool, you receive daily notification at about two weeks out that your password is expiring. No problem there. My problem lies in what happens when your passwords DO expire.

  1. Your email just stops sending/receiving.
  2. The icon in your system tray that reports that you are signed in still says you are signed in, and never provides a popup letting you know your password has expired.
  3. Outlook throws the following helpful box up at you:

Ah, good old RED001.local.  Users know what to do with that, don’t they?  Don’t get me wrong here, users had to ignore 10-20 notifications that this day was coming in order to get here, but that is what users do. Software needs to be tolerant of this. I have a request in with Microsoft to improve how their tool works and I’ll update this when I get their response.


  One Response to “Microsoft Online’s Password Change Policy”

  1. […] it’s been ten months since my last post on this topic.  I believe if my site was The Consumerist, their response would fall into the […]
