Med Express Password rant

Country Flier

Okay, I'm officially declaring the med express password requirements the most ridiculous password requirements in the galaxy. I go to med express, type in my password, but because I haven't been there in 365 days I'm told I have to change it...so I do. Here are the responses I get (and BTW, they tell you almost none of this before you create a password):
---Must contain a number
ok, I add a number
---Must contain a special character
ok, I add a special character
---Must be more than 12 digits
sigh, ok, add more words to make 12 digits
---Can not repeat characters
long sigh, ok, I'll change the words so no repeating of digits
---Must contain capital letter
#$%^&# I'll add a #$%^& CAPITALs
---Must not have more than one capital
You've got to be frickin kidding??? Is this really necessary?
/rant over
 
You should have to have log-ins for multiple federal websites. I literally have to keep a notebook to keep up. Some use your email, some require a username. Your username for one may be different than another because it wasn't available.

Then passwords: some require special characters, some prohibit them. Some require 8 to 12 characters, some require more than 12 characters. Some prohibit using any combination of letters that spell a word in the dictionary. Some require being updated every 45 days, 60 days, 90 days, 180 days.

Some even require two factor authentication. Some send a text, some send an email. One requires an app that does the two factor authentication automatically.

It is honestly harder to get into these sites legitimately than just hacking in. What I really love is that on the most secure of the sites, the information being exchanged usually isn't even confidential or of any value. Could have posted it on Facebook instead.
 
Don't get me started. Try DirectTreasury. The passwords are case independent there but you can't type them. You have to manually peck at each letter with a mouse. Looks like a freaking ADA violation to me (especially after I wrote an inquiry and was told they don't do email support and I must make a VOICE call to inquire).
 
Don't get me started. Try DirectTreasury.
It's absolutely ridiculous. It keeps forgetting my computer (same one every time) so it has to email a temporary password to extend the login process.

With my investment account, with a private company, I can use a password manager and have the added security of a token (YubiKey). Login is fast and (more) secure. Not a government site, though.
 
I love it when I start out like that with an extremely secure password
and then...by the time I'm finished jumping through all those hoops to meet their criteria I end up with an acceptable by them but MUCH less secure password

idiots
 
The MESP (Michigan Educational Savings Program, college savings for my kids) is my follow-up worst password experience... every time I log in, it states "incorrect password". When I attempt to change it, it states "cannot use last password"! Finally found a workaround: apparently it does not like Google Chrome, but logging in with good ol' Windows it will accept the password.
 
 
For this need, I'm a happy user of the password vaults that will generate the random sequence of characters and then remember what was created.

And I have empathy for the OP... I too ran into that and it took a few tries to generate something that fit the criteria.
 
Don't forget that the "new" password cannot be "too close" to your previous 25 passwords or any in the last year, whichever is more.

That is why the majority of my passwords are my favorite songs pounded out on a keyboard...
 
That is why the majority of my passwords are my favorite songs pounded out on a keyboard...
Now to figure out which sites you use have Billy Joel, Elton John, Freddie Mercury, or Liberace songs.
 
The rules of password creation should be available to consult at the login prompt. I have this problem in all sorts of random places.

If the site does not handle my money or contain my PII/sensitive information about me, then it can F right off with the Fort Knox presumptions.

MedExpress should allow a weak password with the disclaimer that you agree your medical data will be less than optimally protected. Some people (self included) don't give a flip about HIPAA protection and find it a real nuisance when trying to link up healthcare providers. If someone wants to hack me to learn about ingrown toenail treatment, man, knock yourself out.
 
Okay, I'm officially declaring the med express password requirements the most ridiculous password requirements in the galaxy. I go to med express, type in my password, but because I haven't been there in 365 days I'm told I have to change it...so I do. Here are the responses I get (and BTW, they tell you almost none of this before you create a password):
---Must contain a number
ok, I add a number
---Must contain a special character
ok, I add a special character
---Must be more than 12 digits
sigh, ok, add more words to make 12 digits
---Can not repeat characters
long sigh, ok, I'll change the words so no repeating of digits
---Must contain capital letter
#$%^&# I'll add a #$%^& CAPITALs
---Must not have more than one capital
You've got to be frickin kidding??? Is this really necessary?
/rant over

I could have written this too. Why would anyone go to med express prior to 365 days? And I get a class 2 every year. It takes longer to hammer out a new password than it does to complete the questionnaire.
 
I could have written this too. Why would anyone go to med express prior to 365 days? And I get a class 2 every year. It takes longer to hammer out a new password than it does to complete the questionnaire.

6 months for ATPs and first class.

And yes, I hate the MedXpress. I'll have to do that next May, and I'll forget what the password was.
 
6 months for ATPs and first class.

And yes, I hate the MedXpress. I'll have to do that next May, and I'll forget what the password was.
It doesn’t matter if you forgot. You only have one extra step when they email you a temporary password. It’s med express, not Fort Knox.
 
that exactly!
but then....
must contain capital letter = Correct horse battery staple
blank spaces are not allowed = Correcthorsebatterystaple
must contain a symbol = Correcthorsebatterystaple$
can't be more than 10 characters..... ugh, for crying out loud....screw it! = Pa$$word
accepted.
 
For more shenanigans, PRD, where you release stuff for PRIA employment info, had all sorts of issues. You needed a myaccess account and the PRD login. Well, it was a year later that a new job wanted me to release the info, so I go to log in. Password needs reset due to expiring. Well, that link kept going to an error page, so I emailed support; they said it was a myaccess issue, not them, so I contacted them and never heard back, so after a week I thought fk it, I'll just make a new account.

Turns out you could essentially create unlimited accounts that all go to the same page. So if someone has basic info about you they can log into PRD and release info and you won't even have any indication of it. If you create a myaccess account and use public knowledge of falconkidding you could log in and do all the PRD stuff as me lol. IDK if that's patched yet, but 6 months ago it was still the case.
 
that exactly!
but then....
must contain capital letter = Correct horse battery staple
blank spaces are not allowed = Correcthorsebatterystaple
must contain a symbol = Correcthorsebatterystaple$
can't be more than 10 characters..... ugh, for crying out loud....screw it! = Pa$$word
accepted.

It always grinds my gears when a website has a maximum length on a password. Once it's cryptographically hashed all the passwords are the same length. Oh you're storing it in plain text? So it's security theater? Thanks for pretending to care :rolleyes:
 
Uh… I just start by calling the help desk. Kinda like “honey, does this make me look fat?”

Call the florist, because you’re gonna need them anyway. Tell them you got the fat question, they’ll know what to do…..
 
The same password instruction to your AME to log in and process the 8500! grrrrrr
 

As I understand it, that cartoon may have been in part responsible for a former NIST employee going on record saying that the crazy password complexity requirements they came up with were based on no real scientific data. The current guidelines don't require any weird characters, just decent length, and say NOT to change passwords at short intervals, as that just makes everything worse.

Passwords are a lousy solution. Even worse are the password reset features that ask questions like "what's your favorite kind of cheese". But companies are cheap, so they've continued to use both.
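An added example (not from any poster in this thread) putting the two points above side by side: the length-and-blocklist policy in the spirit of the current NIST guidance versus the composition rule pile quoted earlier, plus a salted PBKDF2 hash whose stored length is the same whatever the password length. The breached-password list, the 256-character ceiling and the iteration count are assumptions for the example.

```python
import hashlib
import os

# Constructed stand-in for a breached-password corpus (assumption: a real
# deployment would check against a large published list, not five entries).
BREACHED = {"password", "pa$$word", "p@ssw0rd", "123456", "qwerty"}

# Ceiling only to bound hashing cost on the server, not a "max length" policy
# (assumption; NIST SP 800-63B says verifiers should accept at least 64).
LENGTH_CEILING = 256


def nist_style_check(password: str) -> list[str]:
    """Length-and-blocklist policy: at least 8 characters, spaces allowed,
    no composition rules, reject known-breached values. Returns problems."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(password) > LENGTH_CEILING:
        problems.append(f"longer than {LENGTH_CEILING} characters")
    if password.lower() in BREACHED:
        problems.append("found in breached-password list")
    return problems


def thread_composition_check(password: str) -> list[str]:
    """The rule pile quoted in the thread: a capital letter, no spaces,
    a symbol, and a 10-character cap. Returns problems."""
    problems = []
    if not any(c.isupper() for c in password):
        problems.append("must contain a capital letter")
    if " " in password:
        problems.append("blank spaces are not allowed")
    if not any(not c.isalnum() and not c.isspace() for c in password):
        problems.append("must contain a symbol")
    if len(password) > 10:
        problems.append("can't be more than 10 characters")
    return problems


def stored_hash(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. The digest is 32 bytes no matter how long
    the password is, so storage never needs a password-length cap."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 600_000)
    return salt, digest
```

Running the two checks on the thread's own "Correct horse battery staple" and "Pa$$word" shows the passphrase passing the length policy while failing three composition rules, and the short breached value doing the reverse.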
 
My REAL password… mother's maiden name… which allows me to reset EVERYTHING. Ya, complex passwords are really a joke.
 
that exactly!
but then....
must contain capital letter = Correct horse battery staple
blank spaces are not allowed = Correcthorsebatterystaple
must contain a symbol = Correcthorsebatterystaple$
can't be more than 10 characters..... ugh, for crying out loud....screw it! = Pa$$word
accepted.
You forgot the number! I bet 1 is used 50% of the time
 
Use a password manager and this becomes a non-issue. You should be using a password manager anyway for thousands of reasons.
 
Use a password manager and this becomes a non-issue. You should be using a password manager anyway for thousands of reasons.

But then you have exposure of your password manager being hacked.

And if you use multiple devices?

I stopped using treasury direct and their stupid password entry procedure.
 
But then you have exposure of your password manager being hacked.

And if you use multiple devices?

I stopped using treasury direct and their stupid password entry procedure.
Any reputable password manager is going to be much more secure than the alternative: re-using passwords, using an easily deducible system to help you remember passwords, or using some crappy password manager alternative (like a word document or something). Good password managers are very secure. I’ve used 1Password for years and years, here is much more information on their security model and various white papers on them specifically.

https://1password.com/security/


Also, any good password manager will be cross-platform.

Being afraid of a password manager is like saying a bank vault is less secure to hold your diamonds than a lockbox in a greenhouse. Yes, the bank vault has some risks, any system does, but those risks pale in comparison to the risks imposed by basically any other system for handling passwords.

Adding 2FA on top of unique passwords for every site is also a big step up. One should use 2FA, and non-SMS 2FA like TOTP wherever possible, when it is available. Unfortunately the most important institutions, like banks and brokerages, often only support the worst style of 2FA: SMS. Thankfully most e-mail providers offer good 2FA options and securing your email is one of the most important things you can do (because how does every site in the world reset passwords?…email)
 
I'm pretty sure the same ugly contractor who wrote MedExpress wrote the portal you fill out your security clearance applications in. They have the same stench.
 
I'm pretty sure the same ugly contractor who wrote MedExpress wrote the portal you fill out your security clearance applications in. They have the same stench.

Just remember, the government stuff is always built by the lowest bidder.
 
So, this might be off-topic but reading this got me wondering.

- When doing these questionnaires, can you find the correct answer by right clicking and selecting "view page source?"

Just finished "20 hours of required training" that included quizzes that let you do that.
 