What’s Rule Number One Of Creating Passwords?

As an independent consultant, I see all kinds of tech support issues, but the best stories never seem to come from my regular clients. Instead, they almost always come from contract gigs I use to fill in some of the slow times.

I was on a three-month contract, essentially on call as overflow phone support. It was an easy gig. I just sat at home, and when the call center got too busy, they would start switching over tickets to some of us remote guys. All I had to do was be available between certain hours and have a quick turnaround on the first touch.

This was in the beginning days of the health crisis when everyone had just started working from home. The call center must have been getting slammed early on this particular day, because I woke up and immediately had a ticket for a password reset. That almost never happens. However, no big deal. Just log on, check the status, do a quick update, and contact the user. He picks right up.

Me: “Hello, I see you have a problem resetting your password to access the network via the VPN.”

Customer: “Yeah, I have tried the reset password features about a dozen times now, and every stupid time, it just errors out.”

Me: “Okay, let me check a few things.”

I browse his user profile, and everything looks okay. He is not suspended or locked out. Figuring that he must just be typing the wrong password over and over again, I do reset his password in the admin portal to start troubleshooting.

Me: “Okay, I reset your password on the network. Try to log in now but use the password [password].”

Customer: “Gotcha, just a sec.” *Types* “Great, that worked!”

Me: “Maybe you were just typing the wrong password over and over again. Sometimes it happens.”

Customer: “Okay, now I need to sign out and reset my password, though.”

Me: “Do you mean you want to set it to something other than the one I just gave you?”

Customer: “Yeah, the one you gave me isn’t my password.”

Me: *A little confused* “Well, I reset your password to that, but I can set it so next time you log in, you can set your password to whatever you like.”

Customer: “Yeah, I need to change it back to my password so everything works.”

Me: *Still confused* “Everything should work if you use that password, but if you want to change it, that is not a problem.”

Customer: “Look. I told you, that is not my password. I need to set it back to my password.”

Me: *Confused but giving in at this point* “Okay. I’ve set your user profile so the next time you log in, it will prompt you to input a new password. Do you want to try while I am on the phone?”

Customer: “Yeah, let me give it a try.”

I wait about ninety seconds, hearing the customer pounding away on his keyboard, cursing. Finally, frustrated, he gets back on the line.

Customer: “See, now it won’t take my password. What the h*** is going on here?”

Me: “Let me reset your password back to [password] and try it again.”

It works with the same result, so clearly the customer must not be entering the password confirmation correctly.

Customer: “But I still need to change the password back to my password.”

Me: “Okay, let me set it so you can reset the password at your next login once again. If it doesn’t work, can you send me a screenshot of the error?”

Customer: “Yeah, no problem. Let me try this all again.”

Another ninety seconds pass with the customer cussing in the background.

Customer: “This f****** thing simply will not let me reset my password!”

Me: “[Customer], send me a picture of the error, please, if you can, through your phone or another device.”

After stumbling around for about ten minutes, he finally got a picture of the screen to me via his iPad.

The error said, “Password is not valid; enter new password.”

Now I understood what he was doing wrong. On this credential management system, when a password conflicts with the security policy, it will generate an error that says, “[Attempted Password] is not valid; enter new password.” So, if your attempted reset was “dollhouse123,” and that violated the password policy, the error would say, “dollhouse123 is not a valid password.”

All this time, the customer was trying to type in his password as the word “password,” which created the confusing error message.

I explained to the customer that “password” was not a valid password under the new security policies. He objected at first because he was also under the false impression that only his username and that password would give him access to all of his files. I also had to explain to him the concept of how a network user profile works, in addition to reminding him of the new policy.

Total call time: 139 minutes. Good thing I was getting paid by the hour.