dslreports logo
    All Forums Hot Topics Gallery


how-to block ads

Search Topic:
share rss forum feed



Mail Logon Problems - Password Not Accepted

It took a bit of research but I finally determined why my password mysteriously stopped working on two separate occasions. Being suspicious, I assumed that someone had somehow convinced AT&T support to reset my password so they could gain access to my account. AT&T support was only able to say that they had no record of that on my account and all they could do was to reset me to a new temporary password. I then changed the temporary to a new selection and life was fine and then, a few months later, it happened again. I received the same response from AT&T support the second time around. What the heck? I enjoyed talking to the support people in the Philippines, they were nice folks but they appeared to have zero tools to trace activity or do anything constructive other than a password reset and read canned procedures.

From my research I found that passwords are maintained in a one-way encrypted state on AT&T servers so no employee at AT&T can grab your password. All email systems have a master password for tech support and internal security usage but only very few people have access to it and, if used, all activity is heavily logged. So basically if you find your password is being rejected then you are usually correct in assuming your account has been compromised. Well, with AT&T that’s – not – exactly – true. My first password was old, about three years. It was eight alpha characters long and was within AT&T’s password rules when I originally set it up. But guess what? They decided to change the rules to the following without notifying me:

Your password must comply with the following rules:
* must be at least 6 characters long
* must contain numbers and letters combined
* must be different from your user ID(email address)
* must not contain white spaces
* must not contain illegal chars: " ' " (tick)
* may contain special characters :~!@#$%^&*()-_|[]{}=/?.,:;"\

At the point of logging on they have your password in clear text, they check it against the rules, then encrypt it and compare it to the one they have stored in the database for your account. Notice that they check the rules first before they encrypt and check your account. That’s the got ya! They reject a perfect password before even checking to see if it matches.

The second time around I set a password that had three numbers, three alpha characters, and one special character from the list above. The special character was not the underscore character. A couple of months later they changed the rules again without notification to the following and guess what happened to me:

* Your Password must be between 6-16 characters in length.
* Your Password can be comprised of any combination of letters, numbers and underscore.
* Your Password cannot be the same as your User ID.
* Your Password should be something that is easy for you to remember.
* Do not use anything easily associated with you.
* The more complex your Password is, the more secure it will be.
* Your Password is cAsE sEnSiTiVe, so make sure CAPS LOCK is not on.

You got it, can’t log on and back on the phone with AT&T support. So how would you fix this? They could check at the point of logon to see if your account validated password matched the current rule set. But then what? Send you an email telling you to change your password just like every phisher does trying to scam you. “Houston we have a problem”; It appears that they just keep this their little secret and then play dumb about it when you call AT&T support. The cat is now out of the bag. The thing that is really insidious about it is that they don’t appear to update all the servers to the new rules at the exact same time. Load balancing front-end servers may send you to a different server on each logon attempt, which means sometimes you to logon and sometimes you don’t until they are all updated and you are completely locked out. How many people have cursed Bill Gates’ Outlook client or thought they were infested with spyware? I Report – You Decide

Have you ever used this password reset url

You'll need to answer security questions you selected when you created the Member ID

If you have never updated the security questions here's a page link
My account log in page