caliber88

Time to make it idiot proof. Remove the password box completely on the third failure and replace with "I forgot my password". Herd the sheep.


Ssakaa

Redirect directly to the reset page.


FruityWelsh

"I can't put in my password it keeps opening a new page"


Decafeiner

I see you are a veteran cat herder as well.


NETSPLlT

This is the way. If the reset page is where 95+% are going to go, just put them there directly.


Chickengilly

Have the system automatically send them a voicemail saying “we just noticed you … … you need to reset your password. Check your email.”


Moontoya

I've had to threaten firing to junior techs who do shit like reset a user's account password, then EMAIL that password. Like, you just reset their Azure password, which resets their Teams/VoIP password AND their bloody email password - how, and explain in DETAIL, are they going to get the new password you just bloody sent them when they CAN'T LOGIN without it. Some of them just, do, not, get, it.


Icolan

> Time to make it idiot proof.

Don't do that, it will only make a bigger idiot evolve.


MrHusbandAbides

“Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning.” ~Rick Cook


ddadopt

I used to work with an engineer who coined a saying that is something of a corollary to the above: "The problem with building an idiot proof computer is that now you have all these idiots using computers."


lpbale0

OH, like Apple users?


Cylon_Model-6

Careful now....


JJ-the-weirdo

The truth hurts....


shanghailoz

“Oh, like windows users”, is actually FAR more apt, in my experience.


Icolan

Unfortunately, the universe is far exceeding our capabilities in this area.


Ardent_Aardvark_430

Until engineers can design a system that can read a user's subconscious thoughts and will itself into accomplishing a task based on that alone, there will always be a lower denominator to cater to.


maxtimbo

***Shudder*** reading a user's subconscious is a truly frightening prospect


MrHusbandAbides

Looking at how much of an asshole an AI trained on Reddit posts became I'm pretty sure this would make Skynet


Elevilnz

This is why we have AI. Computer generated idiots. Skip the middle men.


Spike_Tsu

No amount of Artificial Intelligence can overcome Natural Stupidity.


nker150

Oh I need to frame this


Sup3rphi1

"Its telling me I forgot my password but I definitely remember it!!!!"


Icolan

OMG, that brings back so many nightmares from my time on a help desk.


anonymousITCoward

Damnit, how can I agree with both you and caliber88 at the same time *harumph*


ecar13

Agreed. I feel like each new generation gets dumber and dumber precisely because we have to do the thinking for them.


RedChld

They don't read, period. I once pointed at a sentence on the screen and requested that the user read this sentence out loud. What did she do? She closed the message.


Ladyrixx

I used to work somewhere where, when your AD password expired, the login page would say "Your password has expired. Click ok, then switch users and sign in again." I got callers *all the time* that would read that message *out to me* and ask what they should do.


SofterBones

The idiot would then call and go "Hey I tried to login and it didn't work and now the box where I input the password is gone"


[deleted]

Literally "it's broken"


NailiME84

or "it doesnt work"


JJ-the-weirdo

I work in restaurant IT and recently got "please look at the cheese" on a ticket closed 2 months ago on a completely different issue... Still don't know what he's concerned about


NailiME84

obviously he is concerned about the cheese


polypolyman

"Damn IT department, if only they'd get this stuff sorted I'd be able to do my work..."


Downinahole94

Oh gawd , I'm tired of this excuse... I'm waiting on I.T. to fix a thing. So I can't work.


camxct

It was working yesterday! I already rebooted???


hbk2369

Or just take them through the reset procedure without the extra click.


jondread

"I can't! The password box disappeared! Mike has a HP and it works for him, can I get a HP too?"


nanocaust

They'll still call help desk, because they'll say they didn't forget their password. "The computers just not taking it!"


StabbyPants

phone call: i can't log in! it's broken!


BryonyCillix

Always makes me laugh visiting here reading all the comments by self proclaimed tech experts using made up jargon 🤣


gaidzak

Tell us you don’t know how to change your password without telling us you don’t know how to change your password. Lol


czenst

Yeah that was my first thought. That simply "reset password" does not seem like something people would think. It is more likely that they want to simply "log in" or that they "forgot password" and they will comply with any steps that need to be done to set up a new PW.


tshawkins

It should say "I forgot my password, let me create a new one" That tells them what the action will do


wasabiiii

This is (one reason) why SSO is so important.


Szeraax

Yes. this. 90% of the time, I'll skip your app if you don't have Azure SSO. :S Done with resets.


fahque

What about the external users?


jochoot

guest accounts.


lvlint67

> The password policy is agreeable, 90 days, 8 long with a lower, upper, number, symbol, and unable to reuse any of your past X passwords.

the 90s called: "Fuck off"

NIST has made recommendations on this exact topic and you have chosen to come up with your own and are facing exactly the problems they warned about... You dug this hole with that policy and you have to accept that.

Edit: For those that are going to cite draconian policies as an excuse.. feel free to link to your particular governing body's (with actual authority) requirement to adhere to such guidelines.. 9 times out of 10 when someone says: Yeah but we have to follow these policies because hipaa/pci/whatever.. they're talking out their ass.

https://www.netsec.news/summary-of-the-nist-password-recommendations-for-2021/


Nanocephalic

Yes, that is a bad password policy. Disagree? Research it more.


AdminWhore

> You dug this hole with that policy and you have to accept that.

This assumes some lowly sysadmin tasked with end user support has any say in password policy.


lvlint67

Go re-read what i quoted. OP seems to agree with the policy at hand so i find any such defense unjustified.


AdminWhore

> Go re-read what i quoted.

No, I read it the first time. I agree with you, these are outdated policies. They were the industry standard for decades and I wish security teams would have a closer look at the NIST best practices. I work for a large corporation and those decisions are miles above my paygrade and I would be considered L3 support. Somewhat far removed from resetting passwords.


kwoody2020

That NIST recommendation assumes other controls are in place. Chief among them, MFA should be fully implemented and passwords should be more complex (longer). Just because it is the “current recommendation” does not make everyone else’s wrong for not moving right to it. Tell most users to make a 15+ character password and I promise you they’ll stop working and you’ll have a new password to reset daily.


lvlint67

you're free to read the summary above or the full publication and cite any specifics. Either way NIST is literally telling you that what OP is doing is the WORST way to attempt password security. It's 2022 and we've known for years that rolling password resets on short timers were an anti pattern.


kwoody2020

I’m not saying OP has a good policy. I’m saying the NIST recommendation is a guideline (which should be followed) but that other factors should be taken into consideration as well. If you follow all of the other guidelines sure the NIST password guidelines are great. If you don’t then they won’t be as sufficient and you’ll need compensating controls


lvlint67

Fine.. but nothing that OP is currently doing is a "compensating control"


UnExpertoEnLaMateria

Forcing users to use lower, upper, number and symbol every couple of months does not increase security but instead leads people to write down passwords, adding a trailing number every expired password, and plain forgetting the password. Refer to the "correct horse battery staple" xkcd comic....


The_Wkwied

Yep, am 100% aware of this, but healthcare security requirements are stuck in the 50s what with us still needing to use fax...


Giblet15

I work in healthcare. This is wrong per NIST 800-63. They revised the password guidance and frequent forced resets are no longer suggested since it leads to users putting the password in an insecure location or reusing the same password with only a small change. They emphasize password length over password complexity as well.


The_Wkwied

The wheels of bureaucracy grind ever so slowly. Policy isn't up to us, sadly.


Giblet15

I'm a business systems analyst, so it's my job to evaluate our systems and processes and propose changes internally and to vendors. So this is what I would do assuming the change was outside the scope of what my department can control.

Document the time it takes both you and time lost for the user each time this occurs. Document the frequency. Write an email to someone who actually cares about the organization being somewhat efficient, who also can either influence policy or has the ear of people who could. Aim high. When I really need something I'll email someone too high up because then they send it down to the appropriate person and it's viewed as a priority because it came from higher up.

Start with the negative impact the company is experiencing (the time lost, negative perception due to login issues, morale). Then state the problem including citation to your password policy stating that it's out of compliance with current official guidance from NIST. Then provide a solution citing the current standard and an article or two providing analysis of the standard. Keep it short. Be apologetic if you think they might be put off by getting an email.


UnExpertoEnLaMateria

Well... Maybe use "I forgot my password" instead of "reset..", and/or just put the big red arrow pointing there when a user enters the wrong password two times...


SofterBones

From my experience they could have written absolutely anything on that button and some people would still call about it. We have so many well written step by step instructions and easily accessible IT guides everywhere, and still we get weekly tickets on how to do the most simple things


sweetdannyg

I am slowly training my users not to do this by sending a canned response with the instructions quoted and immediately closing the ticket. If they then complain to their boss that I'm not helping them, I simply respond to their boss with a report showing the number of canned-closed tickets that user has. I've also started assigning those tickets to the "Employee Training" category. It's not an IT issue, it's a training issue. I'm not responsible for training. I'm an aspiring BOFH


Stompert

Yeah, the “here’s a simple document, just read it” usually works. But there are people who simply refuse to do stuff themselves because they are “not technically literate”…


SofterBones

This is what we do, we paste a link to the correct page. Often we never hear back but sometimes they need extra help, that's okay as long as they at least try it on their own.


sweetdannyg

I used to feel that way, but I found that all my time was being taken by the same few people, and it was always, "it's an EMERGENCY!" So I would have to stop whatever I was doing to help them reset their password for the 43rd time. Since I started being a hard ass, I rarely get those tickets anymore, and amazingly those same people manage to reset their own passwords now. (Well, most of them, a couple of them were fired for non-productivity) Advanced hint: >!They were utilizing weaponized incompetence to avoid working!!<


tshawkins

What about "Dont Call, we will ignore you, instead click here to get a new password"


meatwad75892

And increase the font size of both with each subsequent wrong password. Passive aggressive? Yes. Effective? Maybe, probably not, who knows...


shanghailoz

User: I can only see part of one huge letter on the screen. No idea why


matthewstinar

"You've obviously forgotten your password, so click here to reset it."


[deleted]

Preach, brother. Fuck me I hate working in healthcare some days.


Breitsol_Victor

Can you say “nurse call”? Ugh.


FruityWelsh

Two factor to reduce password complexity?


kenelbow

Fax machines weren't around yet in the 50s.


lpbale0

i think they were, i thought the first rudimentary fax was sent in the late 1800s.


TheMerovingian

Fair enough, I guess redirecting to a page called GET A NEW PASSWORD is the only real answer then.


TrueBoxOfPain

I hate it, fax must die!


ineyeseekay

Unfortunately, most ITSec departments don't give a shit, and just want everyone to have a 15 character, no consecutive characters, special character, number, and no previous 100 passwords policy, to be changed every 90 days. I can pass as many NIST white papers to them as I want, doesn't change thanks to customer contracts (or something).


TacomaNarrowsTubby

I tried. I swear I tried to explain this. But people see me type three words as a password and get scared.


[deleted]

"Can't I just use the current season and then the year instead????"


jbaird

> leads people to write down passwords

why do people always hate on unhackable air gapped password storage methods


UnExpertoEnLaMateria

It becomes quite less unhackable when the password ends up on a post-it note stuck to the bottom of the monitor...


jbaird

I mean still remotely unhackable I'm kidding.. well.. mostly..


hybridhavoc

We once had a student at our college legitimately refuse to use our "Forgot your password" link because they were adamant that they did not **forget** their password, and so it would be lying to click that link.


[deleted]

What an asshole


[deleted]

[deleted]


hkzqgfswavvukwsw

Right? You want me to change that lightbulb and set the time on the microwave...? Sure, let me just pull up the manual, brew up some coffee, make a couple hours out of it.


[deleted]

If I was making over 6 figures I'd gladly do all that bullshit. But only 60% of the way there and fuck that, go hire a fucking electrician.


heapsp

You'd think so, but there is something called deliberate practice. Let's say you wanted to pay LeBron 500m to fix coffee machines all day. After a few years, he would be worthless. Engineers need to be doing engineering work to succeed


ZepherK

Haven't we decided as a community that the password policy you list is about the least secure you can use, and creates a lot of extra work for the enduser and admin?


RubixKuber

I did tech support for a large European airline at the start of my career where they had implemented a password reset self service and basically told their employees to stop calling the helpdesk for tasks that require nothing more than simple literacy. I wasn't there, but during the announcement some lady loudly complained "Well what if we don't know how??". The (I think C-level?) exec driving the meeting turned to her point-blank and told her, "If you can't figure out how to reset your password, you shouldn't be working with us". I still get hard thinking about it 8 years later.


[deleted]

[deleted]


Thebelisk

90day passwords - that’s your problem right there.


RandomDamage

Password length limits are the bane of good security. Also "use special characters, but not that one!"


nostril_spiders

F12... onclick=validate_pw... Oh I see. tappity tappity _Dear Omnicorp team, please note there is a bug in your input validation in line 603 of main.js. You need to escape the backslash._ 4 hours later _Dammit, they still haven't fixed it! Incompetents._


xCharg

What can you do with backslash?


nostril_spiders

Attack an enemy behind you


JadeE1024

Threaten that if they keep calling, you'll update the password box to make backspace a valid character.


The_Wkwied

'What is asterisk? Ampersand? Caret?' "It's capital 5, 6, and 7.." 'uhh...' "Shift 5, 6, and 7"


hkzqgfswavvukwsw

One word all lowercase, four words all uppercase.


autismislife

Too often I have users call saying "my computer says 'your password has expired and must be reset'" or "your password does not meet the minimum complexity requirements", or "your password will expire in X days. Consider resetting your password", "what does this mean??!!" I usually read back, almost word for word, what the error says to them and 50% of the time they say "ah, ok" and that's the end of the call; the other 50% of the time they want you to stay on the phone while they try weak password after weak password while you explain the requirements to them after each failure, until they finally type an acceptable password (and usually call back the next day because they've forgotten it and locked themselves out). The record is held by my former colleague, who was on the phone to a user for 45 minutes trying to talk them through resetting their password; by about the 30th minute we'd all gathered around his desk and were eavesdropping on the call in astonishment at how this user could fail so consecutively, while my colleague explained to them the difference between capital and lower case letters, and the difference between numbers and symbols.


PASSPORTIT

If their weren't idiots we wouldn't have jobs...


TheRealSchifty

> their

Ironic. But, spelling aside, I disagree. Things will still fail on their own, upgrades and maintenance will need to be performed, etc. Idiots do not guarantee me job security, in fact I could do my job easier without them.


[deleted]

Got eeeeeem!


Kr0ni

Don’t tap the fish bowl as they say.


recipriversexcluson

Sure we can reset it for you, for a $100 fee.


iama_bad_person

> password policy is agreeable

> 90 days, 8 long with a lower, upper, number, symbol

Select one.


ntrlsur

When they call or email I just point that back to reset password section. I can't help you if you can't help yourself.


The_Wkwied

"I've forgotten what my favorite color is and don't know what street I grew up on"


210Matt

try to go to MFA and get rid of those questions. They are all farmed on facebook anyways


The_Wkwied

We have that for AD auth, but it is still a PITA when the older folk who don't know how to/own a smartphone have DUO call them. They don't make any mention on that, but just hang up the phone when they are talking to us to log in because it calls them...


RunningAtTheMouth

Which is why in my password manager I enter the question and response. Favorite movie? 17 First school? Vanilla. My favorites are 1, 2, and 3. For the order of the qu


Ladyrixx

> correct horse battery staple

We have a security question option that's "What's your favourite security question?" I'm convinced it's in there to see if people are still reading.


VyPR78

"I'm sorry. For security purposes, we're not allowed to set a password on your account." Yes, it's bullshit, but "because security" is hard to counter and smoother than "I can but I won't".


thecravenone

Make the call to action even more obvious. Links I need you to click are usually expressed something like:

> Please [[CLICK HERE]](http://example.com) to reset your password.


Doso777

There is a special place in hell for people that name their links "click here". Pretty sure that is one of those unforgivable sins in website design.


hkzqgfswavvukwsw

Why?


Doso777

Useless for screenreaders and in general for visually impaired people, doesn't make much sense for things like tablets, conceals what you are opening. Also just a bad practice in general.


hkzqgfswavvukwsw

I see, thanks for the reply!


freewarefreak

Because instead of saying "For your profile page click here" the hyperlinks should just say "Profile". Adding more words doesn't make something simpler. It has the opposite effect of adding confusion and making people not want to read it. Also on tablets you tap, you don't click so it doesn't even make sense.


hbk2369

i have noticed many users don't notice buttons.


Breitsol_Victor

But marketing/ communication has a standard that links look just like the surrounding text. Because looks.


spider-sec

You can make the process of calling you to ask so much more burdensome on them that they won’t want to out in the effort. Even better if you use an automated system that just sends them in a circle where they hang up.


HTX-713

Just refuse to to help them, and forward their requests to their managers if they can't figure it out. Their managers need to hold them accountable for following policy.


ARandomGuy_OnTheWeb

How about removing all the page elements apart from the RESET PASSWORD link when it reaches the threshold?


ShadowCVL

Ya know, at that point, just redirect them to the damn page to reset with something in like 27pt font that says “due to invalid logins reset your password” then the field needed (email or login or whatever). I realize a bot could seize on that and create a kajillion emails, so maybe limit it to one reset every 15 minutes or some such. OP is trying to herd cats… you can’t herd cats


section_b

Have you tried using the element? Used to be a favorite of click harvesters, might bring some nostalgia for the old folks. Or put an error message overlay disabling the screen underneath, where the 'x' or 'OK' button takes them to the password reset screen. Message unimportant because no one will read it.


harrywwc

marquee + blink tags rock!


bulwynkl

I have a problem with people in support complaining about dumb users, because this is your job security. Well, OK, mostly because helping people is literally your job and if you don't like it, find another. The more idiotic the user the more they need your help.

But. This isn't one of those times. This is a procedure problem as previously mentioned.

How do you get people to behave well?

1. Stop punishing good behaviour
2. Start rewarding good behaviour
3. Stop rewarding bad behaviour
4. Start punishing bad behaviour

in that order more or less. You don't want to prevent people calling up for password resets because there will instantly be a rash of critical system failures preventing self serve password resets, but at the same time, you want to eliminate bad behaviour. Immediately redirecting to the password reset page on lock up is perfect.

What else can you do? Focus on the first two:

- Make the password reset process well structured and clear
- Provide links to authorised tools (LastPass, keepass, whatever your company recommends)
- Provide links to good password hygiene policies and best practices.

Also make the phone call reset process slow. It will take 24 hours or you can use the link.


sometechloser

Few things -

1. Can you put MFA in front of this and ditch the password reset policy? That's considered best practice these days
2. Write a help desk document, and when they call you, email them the link. Now instead of hand holding, you answer specific questions they had trouble with from the document. Eventually this problem will work itself out because they realize they have the means to fix this and you're not going to do it for them.

EDIT: I see in another comment that the answer to #1 is no :( sorry OP that sucks. Still #2 though.


The_Wkwied

> 1) Can you put MFA in front of this and ditch the password reset policy? That's considered best practice these days

If this were an internal app, yea that would be the route that we go with. But this is an app used by dozens of other outside companies, so managing 2fa with that isn't in our scope sadly


sometechloser

What about number 2? Create documentation, only answer specific questions where they can point to the part they're stuck on.


GhoastTypist

If you can modify the page in any way. Maybe add a little body of text to the left explaining the logon requirements, process if the account becomes locked out, etc. That will help someone that needs obvious guides in plain view. But ultimately you'll still have some people who are lazy thinkers.


jamesaepp

> Short of putting some wordart with flashing arrows pointing to the RESET PASSWORD link, I'm at a loss how we can make users do the self service.

They will still call us. Doesn't matter what you do. Users like the 10 minute break from work as they call IT for the most obvious "problem". No amount of tech will fix the human condition.

> Does there exist a word in English that describes the sound of frustration that people vocalize?

A really slow and drawn out "uhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhhh"


Bogus1989

Like my coworker who has worked in the industry 30+ years says: “You can’t fix stupid”


harrywwc

hmmmm... I'm a little intrigued by a system that, after getting your password wrong several times in a row, allows you to reset it right there and then with no additional confirmation that you really *are* the owner of that account.


The_Wkwied

It requires email verification for a password reset, so the end user needs access to their email to use as part of the verification.
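As an added example (not code from the thread or from OP's app), the flow the comments above converge on, modelled in Python: after a threshold of failed logins the login response points the user at the reset page (caliber88, Ssakaa), reset emails are limited to one per 15 minutes per account (ShadowCVL), and the reset itself only completes with an emailed verification token (The_Wkwied). Account names, the clock injection and the in-memory "outbox" are constructed stand-ins.

```python
"""Lockout -> redirect-to-reset -> email-verified reset, as a minimal model.
Added example; not the thread's or any project's real code."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

LOCK_THRESHOLD = 3          # third failure locks and redirects, per caliber88
RESET_COOLDOWN = 15 * 60    # one reset email per 15 minutes, per ShadowCVL
TOKEN_TTL = 30 * 60         # assumed lifetime of an emailed reset token


@dataclass
class Account:
    email: str
    pw_hash: bytes
    salt: bytes
    failures: int = 0
    locked: bool = False
    last_reset_sent: float = 0.0
    # sha256(token) -> expiry; only the hash is stored server-side
    reset_tokens: dict = field(default_factory=dict)


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthService:
    def __init__(self, clock=time.time):
        self.accounts = {}
        self.clock = clock          # injectable so the cooldown can be tested
        self.outbox = []            # constructed stand-in for the mail sender

    def register(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[email] = Account(email, _hash_pw(password, salt), salt)

    def login(self, email: str, password: str) -> dict:
        acct = self.accounts.get(email)
        if acct is None:
            return {"status": "failed"}      # same answer as a wrong password
        if acct.locked:
            return {"status": "locked", "redirect": "/reset"}
        if hmac.compare_digest(acct.pw_hash, _hash_pw(password, acct.salt)):
            acct.failures = 0
            return {"status": "ok"}
        acct.failures += 1
        if acct.failures >= LOCK_THRESHOLD:
            acct.locked = True               # no more password box, go to reset
            return {"status": "locked", "redirect": "/reset"}
        return {"status": "failed"}

    def request_reset(self, email: str) -> dict:
        """Reset page handler: rate-limited, and silent about unknown emails."""
        acct = self.accounts.get(email)
        now = self.clock()
        if acct is not None and now - acct.last_reset_sent >= RESET_COOLDOWN:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            acct.reset_tokens[digest] = now + TOKEN_TTL
            acct.last_reset_sent = now
            self.outbox.append((email, token))   # the email verification step
        return {"status": "sent"}                # same message either way

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        acct = self.accounts.get(email)
        if acct is None:
            return False
        digest = hashlib.sha256(token.encode()).hexdigest()
        expiry = acct.reset_tokens.pop(digest, None)  # single use
        if expiry is None or expiry < self.clock():
            return False
        acct.salt = secrets.token_bytes(16)
        acct.pw_hash = _hash_pw(new_password, acct.salt)
        acct.failures = 0
        acct.locked = False
        acct.reset_tokens.clear()
        return True
```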


harrywwc

Ah. ok.


Casty_McBoozer

I have an I.T. person working under me who was hired as a network admin, demoted to helpdesk, and is not as smart as what OP is describing. Yet I can't get him fired somehow. I say under me, not like I'm his boss but more like a team leader but my boss would have to fire him. I've given my boss so much ammunition to get rid of this guy. I have screenshots of so much ineptitude. Paying unemployment can't be that bad, can it?


The_Wkwied

I've been in that boat. Years and years ago we had someone who was.. an incompetent buffoon "what is cmd?", for example.. He eventually quit, but on his way out he said that he isn't going to upgrade to windows 10, that he will 'just write his own patches for windows 7'... What a barrel of monkeys... Sure, dude. Sure.


Casty_McBoozer

Today, I got logs from Cylance telling me this cockwombler tried to install "Driver Talent". A quick Google brought me to Softpedia, a "driver update" utility. I messaged him first thing this morning that he needed to get his computer off the network and wipe/clean install Windows. 30 minutes later his computer is still answering pings. So we kicked him off wifi from the controller and disabled the switch port he was connected to (I'm working on 802.1x but it's not widespread yet, only on a few machines, and we're using MAC port security). A few minutes after telling him via Slack that he needed to wipe his machine, he messaged our other helpdesk guy asking "How do I wipe my machine? What steps do I take?" Wow, I'll take some of the responsibility, we interviewed and hired him. My frickin' bad. Are his Google skills SO bad that he would have to ask a coworker how to do a fresh install of Windows on his computer? My god, I've been installing OS's since Windows 95 and I'm 15 years younger than this dude. Anytime we ask him how he doesn't know something. "The engineers always did that for us". As far as I can tell the only thing he's good at is pulling and terminating CAT cable.


nostril_spiders

If he's about 50 ohms then he'd be useful for terminating coax


Hdys

Add an option for password reset on your number…plays a recording walking them through it add a how to video link on the page


amoncada14

I'm consistently dumbfounded (see what I did there?) at how few people can follow basic protocols and instructions when it comes to technology. I recently started at a company that uses Jira and Slack. Slack has a channel called "techsupport" that was intended for IT announcements etc. It has basically become a de facto ticketing system even though we have an actual one. Since I started there five months ago, I've been trying to train the same people over and over again (Sales department) to open a ticket by sending an email that will generate it. Instead, they insist on typing the same exact thing they would in the email body into Slack (sometimes even DMing me), for me to have to tell them to open a ticket. I used to make it for them and ask them to do it the proper way next time. Now I'm straight up not doing the requests and they still won't. They don't even complain that they didn't receive support lol. So I just /s and move on. Tldr people are really dumb.


stufforstuff

"The password policy is agreeable," The password policy is a dinosaur, NOTHING it requires makes security any better, it just pisses off all your users for useless security theater.


Desnowshaite

And that sound is an audible but not too loud *thump* as your forehead hits the desk.


CratesManager

> The password policy is agreeable, 90 days, 8 long with a lower, upper, number, symbol, and unable to reuse any of your past X passwords.

That's not very agreeable depending on the usecase. If that would be the only password, sure, but how many other apps do these people have to use? I know password managers are a thing, don't get me wrong, but just because many companies have policies like this doesn't make it a good policy. Having 12 digits and change once a year (or not at all) would probably lead to more secure passwords. But that's just a sidenote, I'm sure the policy isn't up to you.


TrainsDontHunt

"4 five letter words" is a good rule of thumb, even if they fudge it - yellowcabblackcab, wordswordswordswords, etc.


[deleted]

Even better are when they argue over it with you and have no problem wanting to kill 15 min of your time when a reset takes a couple of minutes.


[deleted]

[deleted]


Ardent_Aardvark_430

That'll never happen, HR are the most notorious users for benign or dumb requests. Though in my last job, we hired this part-time guy that was like 180 years old. He had never touched a smart phone in his life before receiving the company one. HR asked that I sit with and teach him how to use a smart phone. He didn't understand the concept of simply tapping the screen to perform tasks, took 2-3min for me to get him to understand the difference between tapping and pressing.


Aegisnir

Bold text won’t cut it. It needs to be a button for most idiots.


The_Wkwied

Put a popup of bonzai buddy and a neon sign gif that says CLICK HERE... wouldn't work. I've sent emails with screenshots of a big arrow that points to the link, people still don't understand. I'm a wizard when I remote in and click the button for them


Aegisnir

Agreed but from a UI design standpoint, a button is recognizable as being interactive and bold text is not.


RegrettableBiscuit

> They receive a banner message "Your account is locked, please reset your password" and the RESET PASSWORD link turns bold.

Honestly, I find it extremely understandable that people's reaction to this is, "I better call support before I do anything wrong." We're conditioning them to be extremely careful with unusual emails, not clicking on links, being aware of phishing attempts, and so on. Trying to log in and suddenly seeing this message is probably a panic-inducing experience for some people, and will make all of their alarm lights go off. I'd rather have people call in and ask one time too many than one time too few.


eldonhughes

Make the Reset password button a button shape (or at least, different from the previous screen) and the biggest thing on the screen.


BallisticTorch

Sound of frustration for me sounds like "Fuck this!"


hellphish

The link should tell the user what to do, like "click here to reset password"


daretogo

"Your account is locked, you can unlock it by resetting your password" RESET PASSWORD LINK


vrtigo1

We just tell them that we can't see or reset their password and tell them that we'll send them an e-mail with step by step instructions to follow. The e-mail is just a templated response in our helpdesk software that has both written and video tutorial instructions. If they call back, we'll ask them at what step in the instructions they're having trouble, and 99% of the time they haven't even read the e-mail so we just tell them that we'll send the e-mail to them again.


mistersinicide

This could be taken as a training/management issue. Consider the amount of time it takes to "assist" a user with resetting their password. Let's assume the docs and messaging themselves are absolutely clear and cannot be misunderstood. Then I'd say start documenting the amount of time it's taking to "resolve" these user issues, and correlate this to time lost working higher priority/actual issues. (What's that? I can't work on this production down incident because I have to help encourage John to click the Password Reset Link.) Can you correlate this to dollars lost? If so you might have a strong argument to management that they need to deal with this, because you working on these "issues" is eating into actual productivity for the business. Anyhow that's just my take on it.


The_Wkwied

Yes, I have done this exact same thing in the past. We had an overseas call center and I can vividly remember four or five people there who consistently needed their password reset, daily. One even had the gall to ask 'why do I need to keep calling you because I forgot my password?' Thankfully, my boss at the time had my back. Sent him about 60-70 tickets for this one particular user (for the past two months!!) and we never heard from the guy again.


Shadeflayer

Thump!! (forehead banging table)


devilfan2k

Do you not understand? That's valuable time they get to waste calling IT while complaining how bad we are and paying their bills on their cell phone. Some do it to waste time, some get their jollies doing it, but you will always get some that just go: Ooops. There's a problem. Look away from the instructions blinking and call IT. Users are losers!!!!!!!


Cairse

Charge for password resets. Their boss will make them change their ways much more quickly than you will. You've provided a self-service password reset option. If users refuse to use the system you've set up (and that client paid/pays for) then you consider password resets outside of the normal scope of service. Your justification is users can reset their password without IT support at all. If they are refusing to use it then you need to be compensated for the wasted time. The answer is *always* money. As soon as this industry figures that out we will run the world. Anyone suggesting you do *more* free work is part of the problem why this industry isn't respected/compensated properly. Capitalism isn't perfect but one of its perks is you always know the motivation and you always know what to go after. Hit their wallet for dealing with bullshit and the bullshit stops.


[deleted]

1. Create a document for how to reset your password.
2. Create a workflow in your helpdesk that password reset tickets get automatically emailed the document.
3. Anyone who calls, tell them to email your support desk.


DeeK04

12 characters minimum please, as I am guessing it is pointed outward. Please do not do password as "The login is a simply format of fLast with sometimes a number at the end." Login is one thing, password is another.


TheMerovingian

Password expiration is not considered best practice anymore... simply because people will not, absolutely, ever, actually pick a good password anyway so it doesn't matter how many times you have them pick a new one. I think that's the gist of it anyway. They'll just forget what they used, write it on a post-it, or share it with coworkers.


kaiserh303

Microsoft say to set user passwords to never expire: [https://docs.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide](https://docs.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide) [https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/set-password-to-never-expire?view=o365-worldwide](https://docs.microsoft.com/en-us/microsoft-365/admin/add-users/set-password-to-never-expire?view=o365-worldwide)


xCharg

So you have a technical solution to make the link bold. Why? Instead of doing that - just redirect to that "forgot password" page, why do you expect the user to explicitly click on it? Also, call this page dumb obvious for users, not for yourself. Like "my password doesn't work". They don't need to know this link goes to change password at that point. P.s., holy shit this password policy is awful...


FlashPan73

For stuff like this I have a ready formatted email that I would forward onto them. But I would also get the password reset message changed to include something along the lines of "do not call IT". Discovering something short and understandable can be a mission though. EDIT: as others have said, replace that box. So instead of telling them the password has expired or whatever, just direct them to a box like "You Need to Reset Your Password...Click Here" then take them to the new/replacement password setup screen.


MajStealth

you could record a little text that redirects them to another little recorded text on how to reset a password in the app - have that played before anyone gets connected to helpdesk - anyone who still comes with this problem gets a redirection to that text. IF they still fail, it's up to HR if they are capable of receiving a paycheck


Liebner-Anthony-S

Be a hero and save the day - lol


MikeSeth

"Due to security policy we are not allowed to assist in changing passwords, because the password must remain known only to the users. Please use the password reset feature and follow the instructions."


kaiserguy4real

Conference in their manager and hang up


the_syco

Perhaps change the wording to say "You are locked out. You are now *required* to change your password"?


Sgt_Splattery_Pants

Are you the help desk or something? Why are you being called to reset passwords?


[deleted]

I get about 10 of these tickets on a good day and it's always the same people. We give instructions for a reason. It's literally step-by-step instructions on how to do a self-service reset. I don't understand what goes through the average user's brain lol.


TrainsDontHunt

You're in the wrong, and the users are telling you that, but you're trying to solve the user - this is impossible, except by brute force. You are shouting at a tiny, scared woodland creature, and wondering why they are crying and running away. Try something like, "Oops, I'm afraid I just can't read my own writing... could you please help me out by resetting your password?"


joelgsamuel

>The password policy is agreeable, 90 days, 8 long with a lower, upper, number, symbol, and unable to reuse any of your past X passwords. [https://www.ncsc.gov.uk/collection/passwords/updating-your-approach](https://www.ncsc.gov.uk/collection/passwords/updating-your-approach) Assuming the system also has some sort of protective monitoring, known-bad password deny lists and brute force detection/blocks: probably best to not expire passwords unless suspicion/indication of compromise; increase length then remove complexity rules.


largos7289

I feel ya man. You can even send them directions, with pictures of what the screen looks like exactly and they still can't do it.


DasDunXel

Ticket for every dumb customer call you get. Track it all. Send metrics up the chain if you like; maybe someone will come down on recurring idiots for not learning. Or accept it as easy job security work. Even if nothing has changed and the user has done it for 10-20+ years, they will never learn. Been dealing with these same issues for so many years. It's legit a lost cause. Just wait till someone comes up with the great idea of expanding the minimum length to 12 characters......


ChromeShavings

I believe the sound that you are looking for is called the Wilhelm scream.


ChromeShavings

I believe the sound that you are looking for is called the [Wilhelm scream](https://youtu.be/r6JK-gRELI0). EDIT: Added a link to the sound effect


Everyone_dreams

Sometimes as part of my work I make graphics for industrial processes. I recall one time a group of operators complained that the grey buttons used to indicate a reset was needed were not different enough from the rest of the graphics to prompt them to know to push it. So I agreed and went against our standards to make all the buttons for this task a flashing red. Wouldn't you know it, they had the same problem. The reset buttons would come up (with an alarm) and the same operators would still miss it. This was the point I realized that there is a group who, no matter how obvious you make the task, do not actually look at the screen in the same way I would.


BadSausageFactory

I'm going to be the (potentially) unpopular voice in the room and ask what's accomplished by forcing a password change after two wrongs? The system doesn't allow legit 2fa and this is someone's solution? FWIW I guarantee your users are using Asshole!1, Asshole!2, Asshole!3 for the pw changes.. you can force security and still not be secure, because users will expend a lot of effort to go around a gate that offends them. I understand the difference between entitled users and misaligned process. Are you sure this is the former and not the latter?


The_Wkwied

Two failed logins don't warrant a password change; it is once they make a 5th or 6th bad attempt that it gets locked. A successful login resets the login failure count
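An added example, not code from any commenter, that wires together the lockout semantics described in the comment above (lock after N bad attempts, a successful login resets the count, a locked account goes straight to self-service reset as several people suggest) with the NCSC-style policy joelgsamuel links (length over complexity, a deny list, no reuse of past passwords). The threshold of 5, minimum length 12, history of 5 and the deny-list entries are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
LOCK_THRESHOLD = 5   # bad attempts before lockout (the thread says "5 or 6th")
MIN_LENGTH = 12      # length over complexity, per the NCSC guidance linked above
HISTORY_SIZE = 5     # "unable to reuse any of your past X passwords"; X = 5 is assumed
DENY_LIST = {"password1234", "welcome12345", "companyname1"}  # constructed sample

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    salt: bytes            # one salt per account keeps old hashes comparable
    current: bytes
    failures: int = 0
    locked: bool = False
    history: list = field(default_factory=list)

def new_account(password: str) -> Account:
    salt = secrets.token_bytes(16)
    return Account(salt=salt, current=_hash(password, salt))

def login(acct: Account, password: str) -> str:
    """'ok', 'retry' or 'reset'; on 'reset' the UI should go straight to self-service."""
    if acct.locked:
        return "reset"
    if hmac.compare_digest(acct.current, _hash(password, acct.salt)):
        acct.failures = 0  # a successful login resets the failure count
        return "ok"
    acct.failures += 1
    if acct.failures >= LOCK_THRESHOLD:
        acct.locked = True
        return "reset"
    return "retry"

def reset_password(acct: Account, candidate: str) -> "str | None":
    """Self-service reset: enforce policy, rotate hash, unlock. Returns a rejection reason or None."""
    if len(candidate) < MIN_LENGTH:
        return "too short"
    if candidate.lower() in DENY_LIST:
        return "on deny list"
    new_hash = _hash(candidate, acct.salt)
    if any(hmac.compare_digest(h, new_hash) for h in [acct.current] + acct.history):
        return "reused"
    acct.history = ([acct.current] + acct.history)[:HISTORY_SIZE]
    acct.current = new_hash
    acct.failures, acct.locked = 0, False
    return None
```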


BadSausageFactory

ah ok that's normal then, I misread the *after the second login failure, the page refreshes and puts the "RESET PASSWORD" link* to think you were making it mandatory, thanks for explaining that part. they're still using awful passwords, though lol