Since I decided to start writing on Substack last night, I had to log in to Substack in a couple of places, and each time I picked the email login method. Why? I don’t know my Substack password. I don’t even know if I ever made one? I guess they probably make you select a password when you sign up huh? And I probably just used LastPass or iOS to make something up for me and save it somewhere. Out of sight and out of mind. Until the day comes when email login doesn’t work and I need the darn password that is.
That got me thinking, which is better? Login solely via OTPs (one-time passwords) seems like a pretty new thing to me. Yeah I know about 2FA (2-factor authentication, for the uninitiated), and that’s gotten pretty commonplace. But logging in just based on that? Not sure how I feel about that.
For sure it’s great that I don’t have to deal with having more passwords in my password app, and sometimes having a dozen similar passwords for a dozen similar sites (more on that later). But you know, you gotta wait. For the email to arrive. And if you use Gmail with the iOS email app… You will know that there is a big delay, because Apple and Google don’t like each other very much. And so yeah, I’m forced to use the Gmail app in such circumstances. Because you know instant gratification email delivery. Yes, I know some other site besides Substack uses this too, like Medium. That was probably the first site I encountered that works like this, and I don’t think there is even a password option? Either way, I don’t use that many services that use this authentication method.
Now, my workplace does this thing where you have to change your password every so often. It used to be something like 3 months, but they decided to change it to a year. And just yesterday I decided to change my password after getting emails about the password expiring soon for like a week. Hey, don’t judge. It was the Chinese New Year holidays last week so I was out of the office… And Monday was… Well, Monday was recovery period.
Resetting the password to my laptop was easy enough. After going through like half a dozen passwords that got rejected because they didn’t meet the security requirements, I finally got myself a new password. It’s only day 2 of new password and I am still constantly typing and retyping my old password half a dozen times before remembering it’s because I changed my password… But that’s beside the point.
I have to change my login to the admin system separately because it’s just a different account. Now here comes the problem. They have different password rules from the laptop password, so the password was actually too long to have both be the same. (I know you shouldn’t reuse your passwords and all but do you dare swear you don’t ever, ever reuse a password?) Finally, I find a password that meets the criteria, and that I can sort of remember - at least it’s logging on to a website and I can erm, save the password on my browser. But then comes the bigger problem. I can’t find my original, existing password! Everything I thought it was, wasn’t it. I’d been relying solely on the autofill to log in for months now and it clearly shows. I went to Microsoft Edge (yeah, the dang admin website would only open properly for me in that browser) password manager to try and find the password, and am greeted by a dozen sites for work related stuff, with an equally vast number of passwords… None of which worked. Resigned to my fate, I decided to reset my password. And then it happened. I used the newly emailed password, and they locked me out. Something about too many wrong tries…
Damn.
So I waited. I’d read somewhere in the notes that the account will be auto locked for 15 minutes after 10 wrong attempts. So I waited. 20 minutes. Log in. Nope. Still locked. Was it something wrong with the password reset? I hit the reset button again and went through the steps. New password came and… Nope! Still locked out. I waited another 30 mins or so and it was the same.
Dang.
And I actually *had* work to do in the admin system too. Something called GR aka Goods Receipt for the lab. I gave up and sent an email to IT support.
Of course, if you know anything about IT support, you’d know that they typically don’t respond very fast. They are probably a tiny team, busy dealing with everyone who accidentally locked themselves out of their accounts like I did.
So I gave up, went for lunch… Got the email that the request has been ‘initiated’, whatever that means. And then I decided to try the 2nd password resetted password (does that even make sense?) and… BOOM. I got in. Oh great. Maybe the lock out period was like a few hours. Or lunch time. Or something.
I don’t know. Either way, I managed to log in. Set a new password. Got my browser to remember it. And found a button to cancel the IT help request.
The best part? I tried looking for where the password was saved - like under which of the dozen sites - on Microsoft Edge and just couldn’t find any with the new password. I’d search by the site name, website, etc… Just short of going through the entire list myself. Erm? Ok? But the autofill was working, I was getting logged in, presumably with the new password… So what gives? I changed the entry that corresponds to the website manually, so that when next year rolls around I can actually find my correct, existing password to change it without going through all these again.
Yes. I spent waayyy too much time on this trivial thing yesterday, instead of you know, actually doing work. But it’s part and parcel of the job I guess…
We’ll see if I’m still around to have to change my passwords next year… ><
Update: It’s day 4 of the password change. I still, by default, type the old password, before I get declined and remember it’s changed.