
Re: Expiring Password

Posted: Sat Mar 23, 2019 4:06 am
by Mikerowaved
russellhltn wrote:But from some PMs, I've learned that "shared passwords" have indeed been a problem in some units.

We currently have 3 STSs in our stake and all our clerk PCs are set up with a Windows "Stake Admin" login and an MLS "Stake Admin" login, which is indeed shared among the 3 of us. I just don't see the necessity of forcing PW changes, unless there were calling changes to go along with.

Re: Expiring Password

Posted: Sat Mar 23, 2019 7:55 am
by scgallafent
Mikerowaved wrote:I just don't see the necessity of forcing PW changes, unless there were calling changes to go along with.

I won’t go into some of the things we’ve seen, but I’ll say that I do see the need. And it affects me — I have to change my MLS password regularly along with everyone else.

Re: Expiring Password

Posted: Tue Apr 16, 2019 6:03 pm
by emarkp
scgallafent wrote:While the article has valid points, we discovered several interesting things as we started enabling this. There are a few benefits to forcing password changes on a semi-regular basis in our environment.


Hey, great for you. Sucked for us. We had Stake Conference + General Conference right after some of our people changed passwords, and caused quite a conundrum Sunday. It also takes 2 admins now to change someone's password! Thanks for that surprise at the same time!

This change was not a good one. It is foolish to force this on every unit. Whoever made this decision should be fired.

Re: Expiring Password

Posted: Tue Apr 16, 2019 6:40 pm
by emarkp
scgallafent wrote:I won’t go into some of the things we’ve seen, but I’ll say that I do see the need. And it affects me — I have to change my MLS password regularly along with everyone else.

So decreasing security and causing inconvenience is okay because it's inconvenient to you too? This is not a valid argument. It's also bad policy.

Re: Expiring Password

Posted: Wed Apr 17, 2019 2:20 pm
by scgallafent
emarkp wrote:We had Stake Conference + General Conference right after some of our people changed passwords, and caused quite a conundrum Sunday.

So are you saying that your users were prompted to change their passwords, changed their passwords, and then forgot the new passwords because they didn't have to use them for three weeks, which prevented them from logging in? Or was there some other error that prevented them from logging in?

emarkp wrote:So decreasing security and causing inconvenience is okay because it's inconvenient to you too? This is not a valid argument. It's also bad policy.

No, I'm not saying that. I'm pointing out that many of the developers use these systems in their "Sunday" jobs, so we know how users are affected because we are affected by the same changes.

There is an argument that comes up occasionally saying that the developers don't know what it's like in the "real world" and we cause so many problems for clerks and leaders because we don't understand what they need. Many of us use our software weekly (or more often) and we spend time alpha and beta testing on our own wards and stakes before we ever release changes to a larger beta group, let alone the entire Church.

Re: Expiring Password

Posted: Wed Apr 17, 2019 2:40 pm
by drepouille
emarkp wrote:We had Stake Conference + General Conference right after some of our people changed passwords, and caused quite a conundrum Sunday.


Us, too. Stake conference on March 31 and GC on April 7th. Then my bishop asked me to print some checks, and I couldn't remember my new password for several minutes. I nearly panicked, because the bishop needed checks to help a needy elderly sister. After I remembered my new password, I put a reminder into my phone.

emarkp wrote:It's also bad policy.


Well no. This is industry standard security policy, especially for officers of any organization who have as much power as we do to modify personal data.

Re: Expiring Password

Posted: Wed Apr 17, 2019 5:57 pm
by davesudweeks
Personally, I am not against a reasonable password change policy. I understand the need to change it from time to time. I am retired military and know how they sometimes go overboard on passwords. However, this recent change has me scratching my head. According to the MLS message that came in this evening:

1. I must change my password at least once per quarter. - no problem with that for financial data access.
2. When I change my password each quarter, I must have 2 other members who have access to financial data sitting by me when I change my password so they can validate that I changed my password. - HUH???

Step 2 has me at a loss. I understand having an administrator assist or even another person or two with financial access assist if someone forgets their password and needs it reset. But making half the bishopric sit in the clerk's office every time one of them has to simply change their password every quarter? Really?

Re: Expiring Password

Posted: Thu Apr 18, 2019 8:53 am
by scgallafent
davesudweeks wrote:2. When I change my password each quarter, I must have 2 other members who have access to financial data sitting by me when I change my password so they can validate that I changed my password. - HUH???

Step 2 has me at a loss. I understand having an administrator assist or even another person or two with financial access assist if someone forgets their password and needs it reset. But making half the bishopric sit in the clerk's office every time one of them has to simply change their password every quarter? Really?

Something got lost in translation. You can change your own password without any additional validation. Changing the password for another user (in case of a forgotten or locked password) requires two finance authorizers.

Re: Expiring Password

Posted: Thu Apr 18, 2019 10:51 am
by davesudweeks
scgallafent wrote:
davesudweeks wrote:2. When I change my password each quarter, I must have 2 other members who have access to financial data sitting by me when I change my password so they can validate that I changed my password. - HUH???

Step 2 has me at a loss. I understand having an administrator assist or even another person or two with financial access assist if someone forgets their password and needs it reset. But making half the bishopric sit in the clerk's office every time one of them has to simply change their password every quarter? Really?

Something got lost in translation. You can change your own password without any additional validation. Changing the password for another user (in case of a forgotten or locked password) requires two finance authorizers.

Well this is good news and confirms the behavior I saw when I had to do my first password change in MLS in about 10 years. But this is a quote from the MLS message that had me scratching my head: "If the user has access to financial data, the password change must be validated by two other users with access to finance data." There was no mention of resetting a password. The entire text was about changing a password. Two entirely different scenarios...

Re: Expiring Password

Posted: Fri May 03, 2019 10:06 am
by emarkp
drepouille wrote:Well no. This is industry standard security policy, especially for officers of any organization who have as much power as we do to modify personal data.


It's actually not. That's the point of the thread. The evidence is that compelling a password change *reduces* security.