Expiring Password

Discussions around using and interfacing with the Church MLS program.
jdlessley
Community Moderators
Posts: 7232
Joined: Sun Mar 16, 2008 11:30 pm
Location: USA, TX

Expiring Password

Postby jdlessley » Sun Mar 17, 2019 5:57 pm

Today I and a bishopric counselor completing a donation batch were presented with a pop-up that stated our passwords were expiring and we needed to change our passwords. It also stated we only had three more log-ons to make the change.

In the fifteen years I have been using and signing onto MLS I have not seen this. Has anyone else seen this? Is this a new requirement? If so, is the period between password changes anything like the one for the LDS Account workforce?
JD Lessley
Have you tried finding your answer on the ChurchofJesusChrist.org Help Center?

eblood66
Senior Member
Posts: 3210
Joined: Mon Sep 24, 2007 8:17 am
Location: Cumming, GA, USA

Re: Expiring Password

Postby eblood66 » Sun Mar 17, 2019 6:26 pm

I've seen this for a while now. I assume we've had this requirement because we were on the finance beta and could process EFT reimbursements via MLS (although I never did it in MLS--I always used LCR). I believe it is requiring that we change passwords every 3 months.

scgallafent
Church Employee
Church Employee
Posts: 2117
Joined: Mon Feb 09, 2009 4:55 pm
Location: Riverton, Utah

Re: Expiring Password

Postby scgallafent » Mon Mar 18, 2019 8:59 am

jdlessley wrote:In the fifteen years I have been using and signing onto MLS I have not seen this. Has anyone else seen this? Is this a new requirement? If so, is the period between password changes anything like the one for the LDS Account workforce?

We added that functionality to MLS about four years ago, but it was only enabled for units with direct deposit functionality. As that expands, the requirement then applies to your unit.

User avatar
Mikerowaved
Community Moderators
Posts: 3638
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

Re: Expiring Password

Postby Mikerowaved » Mon Mar 18, 2019 12:17 pm

scgallafent wrote:We added that functionality to MLS about four years ago, but it was only enabled for units with direct deposit functionality. As that expands, the requirement then applies to your unit.

I'm of the growing opinion that forcing frequent password changes may actually be detrimental to security. Here's one of many such articles supporting this.
So we can better help you, please edit your Profile to include your general location.

russellhltn
Community Administrator
Posts: 26626
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Expiring Password

Postby russellhltn » Mon Mar 18, 2019 1:42 pm

Mikerowaved wrote:I'm of the growing opinion that forcing frequent password changes may actually be detrimental to security. Here's one of many such articles supporting this.

See page 24 of this NIST publication 800-63B. This hasn't made it's way into the government - yet. I think it's because of the additional password checking the new guidelines require. Maybe once Microsoft adds it to their standard OS (much like the periodic change change and complexity requirements in the Group Policy), then it will get broader use.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.

scgallafent
Church Employee
Church Employee
Posts: 2117
Joined: Mon Feb 09, 2009 4:55 pm
Location: Riverton, Utah

Re: Expiring Password

Postby scgallafent » Mon Mar 18, 2019 3:20 pm

Mikerowaved wrote:
scgallafent wrote:We added that functionality to MLS about four years ago, but it was only enabled for units with direct deposit functionality. As that expands, the requirement then applies to your unit.

I'm of the growing opinion that forcing frequent password changes may actually be detrimental to security. Here's one of many such articles supporting this.

While the article has valid points, we discovered several interesting things as we started enabling this. There are a few benefits to forcing password changes on a semi-regular basis in our environment.

russellhltn
Community Administrator
Posts: 26626
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Expiring Password

Postby russellhltn » Mon Mar 18, 2019 4:09 pm

scgallafent wrote:While the article has valid points, we discovered several interesting things as we started enabling this. There are a few benefits to forcing password changes on a semi-regular basis in our environment.

It would be interesting to find out.

A few ideas come to mind:
Some units have accounts "by function" instead of "by user". Forcing the change means the prior user is locked out.
Likewise, someone may share their password as a matter of expediency. And by forcing the change, they are locked out.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.

scgallafent
Church Employee
Church Employee
Posts: 2117
Joined: Mon Feb 09, 2009 4:55 pm
Location: Riverton, Utah

Re: Expiring Password

Postby scgallafent » Mon Mar 18, 2019 4:27 pm

russellhltn wrote:Some units have accounts "by function" instead of "by user". Forcing the change means the prior user is locked out.
Likewise, someone may share their password as a matter of expediency. And by forcing the change, they are locked out.

Both of those scenarios are potential concerns.

User avatar
Mikerowaved
Community Moderators
Posts: 3638
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

Re: Expiring Password

Postby Mikerowaved » Mon Mar 18, 2019 11:19 pm

russellhltn wrote:See page 24 of this NIST publication 800-63B.

I think you meant page 14 using the pages numbers, which is the 24th page as a PDF viewer would count them.
So we can better help you, please edit your Profile to include your general location.

russellhltn
Community Administrator
Posts: 26626
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Expiring Password

Postby russellhltn » Tue Mar 19, 2019 2:15 am

Mikerowaved wrote:
russellhltn wrote:See page 24 of this NIST publication 800-63B.

I think you meant page 14 using the pages numbers, which is the 24th page as a PDF viewer would count them.

Yes, page 24 of the PDF.

But from some PMs, I've learned that "shared passwords" have indeed been a problem in some units. So, NIST not withstanding, a requirement to periodically change the passwords will likely continue in certain church apps for the foreseeable future.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.


Return to “MLS Support, Help, and Feedback”

Who is online

Users browsing this forum: No registered users and 1 guest