It's a basic issue, but one that is extremely annoying. Jon Honeyball recounts the difficulty he experienced when his Office 365 password timed out.
I thought it a good idea to keep you up to date on my efforts to move all of my day-to-day computing activities into Office 365, Microsoft’s cloud-based Exchange Server environment.
Despite our best efforts, all of our attempts to bring the SharePoint Server capabilities into daily use have failed, but that’s mostly due to the fact that I was out of the country for the best part of a month, so I couldn’t apply the necessary degree of concentration to setting it up. It’s my intention to use SharePoint as the public-facing website for my firm, but getting this up and running requires navigation of some rather challenging mazes within the Office 365 management pages. It will have to wait for some slack time, since real paying work must always come first.
I’ve had one moment of extreme annoyance with Office 365, however. It seems that the default time-out on an account password is set to 90 days, at which point Office 365 cuts you off until you’ve reset it. This may not matter so much if you’re doing the proper thing and connecting via Outlook on Windows, but if you’re calling in via a mobile phone, a tablet or any other non-Microsoft device, using either Exchange protocol or IMAP/SMTP/POP3, then the first you’ll hear about this problem is when you simply can’t log in. To fix the problem, you need to log in to the website to change the password, which would be fine if you could log in to the website – I found myself spending the best part of a day going around in circles, and ending up screaming at the server via its web browser.
Basically, we’ve moved on from an era where a single email client connected to a mail server, and did so whenever you hit the “get new mail” button. Today, we have any number of mobile devices that might all be logged in at the same time to the same mail server: I carry an iPhone 4S, a Nokia Lumia 800 phone – and, at that time, also had three different desktop devices all logged into Office 365. Worse still, we’re now so used to this situation that we’ve forgotten what’s actually going on here, so almost as soon as I’d changed the password on one device, I noticed that the next one couldn’t log in. Even entering the new password wouldn’t necessarily help, because Office 365 helpfully locks out the account if too many wrong login attempts are made. You can end up in a cycle of trying to reset one password, then hopping over to the next device before the system locks you out again.
The cloud: accessing your data anywhere can also pose the occasional access issue
The only workable solution is to shut down every connected client and to systematically reset the password going from one device to the next. What doesn’t help is that none of this is actually documented anywhere on the main management screens – there’s no “this account is locked because…” information panel to show an administrator what’s going on, nor is there any way to reset the password as an admin. By that, I mean the administrator can only request that a new dummy password be generated; that user must then log in with this dummy password and then immediately set their new password. Again, this effort can be foiled by a fast-checking email client that jumps in ahead and makes matters worse.
You’d hope that there would be a comprehensive package of password-handling tools inside Office 365, especially for the hard-pressed administrators in small businesses. If you’re a large organisation, then you’re pretty much used to issuing dummy passwords and having users log in, but in smaller businesses passwords are often set by the sysadmin and then told verbally, in person, to the user. That might not be quite so secure, but it’s often more than enough in a pragmatic working environment. This will be especially true of a green-field Office installation where there’s no on-site Active Directory deployment being synchronised with the cloud service.
Despite it being widely recommended as good security practice, I fear that setting this arbitrary 90-day password time-out is a little too rigid for such small organisations, or for those who use a wide range of mobile devices including Android, iOS and so forth.
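As an added example (not part of the column, and not Microsoft's own guidance), the following script uses the MSOnline PowerShell module of that era to list users whose passwords are within 14 days of the tenant's validity period, so an administrator can warn them to update their mobile clients before the lockout cycle described above begins; the domain name and user name are placeholders, and the module is assumed to be installed.

```powershell
# Added example: report Office 365 users approaching password expiry.
# Assumes the MSOnline module is installed; domain/user values are placeholders.
Import-Module MSOnline
Connect-MsolService   # prompts for the tenant administrator's credentials

$domain   = 'example.onmicrosoft.com'   # placeholder: your tenant domain
$warnDays = 14

# Tenant-wide policy: ValidityPeriod is the 90-day time-out the column describes.
$policy   = Get-MsolPasswordPolicy -DomainName $domain
$validity = $policy.ValidityPeriod
if (-not $validity) { $validity = 90 }   # fall back to the documented default

Get-MsolUser -All |
    Where-Object { -not $_.PasswordNeverExpires } |
    ForEach-Object {
        $expires  = $_.LastPasswordChangeTimestamp.AddDays($validity)
        $daysLeft = [int]($expires - (Get-Date)).TotalDays
        if ($daysLeft -le $warnDays) {
            [pscustomobject]@{
                User     = $_.UserPrincipalName
                Expires  = $expires
                DaysLeft = $daysLeft
            }
        }
    } | Sort-Object DaysLeft | Format-Table -AutoSize

# Policy-level adjustments, run deliberately rather than by default:
# lengthen the validity period and widen the notification window for the domain,
#   Set-MsolPasswordPolicy -DomainName $domain -ValidityPeriod 180 -NotificationDays 14
# or exempt one account that feeds many mobile clients from expiry altogether:
#   Set-MsolUser -UserPrincipalName 'user@example.onmicrosoft.com' -PasswordNeverExpires $true
```

Exempting an account removes the expiry control for it, so the report-and-warn approach is the less intrusive fix; whichever you choose, the advice above still holds: stop every connected client before changing the password.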