Expiring Password

Posted: Sun Mar 17, 2019 6:57 pm
by jdlessley
Today I and a bishopric counselor completing a donation batch were presented with a pop-up that stated our passwords were expiring and we needed to change our passwords. It also stated we only had three more log-ons to make the change.

In the fifteen years I have been using and signing onto MLS I have not seen this. Has anyone else seen this? Is this a new requirement? If so, is the period between password changes anything like the one for the LDS Account workforce?

Re: Expiring Password

Posted: Sun Mar 17, 2019 7:26 pm
by eblood66
I've seen this for a while now. I assume we've had this requirement because we were on the finance beta and could process EFT reimbursements via MLS (although I never did it in MLS--I always used LCR). I believe it is requiring that we change passwords every 3 months.

Re: Expiring Password

Posted: Mon Mar 18, 2019 9:59 am
by scgallafent
jdlessley wrote: In the fifteen years I have been using and signing onto MLS I have not seen this. Has anyone else seen this? Is this a new requirement? If so, is the period between password changes anything like the one for the LDS Account workforce?
We added that functionality to MLS about four years ago, but it was only enabled for units with direct deposit functionality. As that expands, the requirement then applies to your unit.

Re: Expiring Password

Posted: Mon Mar 18, 2019 1:17 pm
by Mikerowaved
scgallafent wrote: We added that functionality to MLS about four years ago, but it was only enabled for units with direct deposit functionality. As that expands, the requirement then applies to your unit.
I'm of the growing opinion that forcing frequent password changes may actually be detrimental to security. Here's one of many such articles supporting this.

Re: Expiring Password

Posted: Mon Mar 18, 2019 2:42 pm
by russellhltn
Mikerowaved wrote: I'm of the growing opinion that forcing frequent password changes may actually be detrimental to security. Here's one of many such articles supporting this.
See page 24 of this NIST publication 800-63B. This hasn't made its way into the government - yet. I think it's because of the additional password checking the new guidelines require. Maybe once Microsoft adds it to their standard OS (much like the periodic change and complexity requirements in the Group Policy), then it will get broader use.

Re: Expiring Password

Posted: Mon Mar 18, 2019 4:20 pm
by scgallafent
Mikerowaved wrote:
scgallafent wrote: We added that functionality to MLS about four years ago, but it was only enabled for units with direct deposit functionality. As that expands, the requirement then applies to your unit.
I'm of the growing opinion that forcing frequent password changes may actually be detrimental to security. Here's one of many such articles supporting this.
While the article has valid points, we discovered several interesting things as we started enabling this. There are a few benefits to forcing password changes on a semi-regular basis in our environment.

Re: Expiring Password

Posted: Mon Mar 18, 2019 5:09 pm
by russellhltn
scgallafent wrote: While the article has valid points, we discovered several interesting things as we started enabling this. There are a few benefits to forcing password changes on a semi-regular basis in our environment.
It would be interesting to find out.

A few ideas come to mind:
Some units have accounts "by function" instead of "by user". Forcing the change means the prior user is locked out.
Likewise, someone may share their password as a matter of expediency. And by forcing the change, they are locked out.

Re: Expiring Password

Posted: Mon Mar 18, 2019 5:27 pm
by scgallafent
russellhltn wrote: Some units have accounts "by function" instead of "by user". Forcing the change means the prior user is locked out.
Likewise, someone may share their password as a matter of expediency. And by forcing the change, they are locked out.
Both of those scenarios are potential concerns.

Re: Expiring Password

Posted: Tue Mar 19, 2019 12:19 am
by Mikerowaved
russellhltn wrote: See page 24 of this NIST publication 800-63B.
I think you meant page 14 using the page numbers, which is the 24th page as a PDF viewer would count them.

Re: Expiring Password

Posted: Tue Mar 19, 2019 3:15 am
by russellhltn
Mikerowaved wrote:
russellhltn wrote: See page 24 of this NIST publication 800-63B.
I think you meant page 14 using the page numbers, which is the 24th page as a PDF viewer would count them.
Yes, page 24 of the PDF.

But from some PMs, I've learned that "shared passwords" have indeed been a problem in some units. So, NIST notwithstanding, a requirement to periodically change the passwords will likely continue in certain church apps for the foreseeable future.