Changes to MyPay Password Requirements

June 12, 2013 | Kate Horrell

The Defense Finance and Accounting Service (DFAS)  is changing the requirements for password strength for MyPay accounts.  Because it is a big change, they are phasing in the MyPay password changes over the next few months.  Be prepared so that you won’t be locked out of your MyPay account.

Who?

Everyone who uses MyPay to access their military pay information will eventually need to change to a “strong” password.  This includes limited access user accounts.

What?

The new password requirements are more stringent than the old password requirements.  In addition, passwords will need to be changed every 60 days.  You may not repeat a password until there have been more than 10 password changes, and each new password must have at least four differences from the previous password.

Requirements include:

  • Must be 15 to 30 characters in length
  • Contain at least two UPPERCASE letters
  • Contain at least two lowercase letters
  • Contain at least two numbers (0-9)
  • Contain at least two of the following special characters:
    • # (pound or number sign)]
    • @ (at sign)
    • $ (dollar sign)
    • = (equal sign)
    • ^ (caret)
    • ! (exclamation)
    • * (asterisk)
    • _ (underline/underscore)
  • Must NOT include any spaces

DFAS has suggestions for creating and remembering a strong password.

When?

The changes are being implented based upon the last two digits of your social security number.  Your old password will expire on this date, and you will be required to create a new “strong” password.

  • 00-14: June 15, 2013
  • 15-29: July 1, 2013
  • 30-44: July 15, 2013
  • 45-59: August 1, 2013
  • 60-74: August 15, 2013
  • 75-89: September 1, 2013
  • 90-99: September 15, 2013

Why?

MyPay account access allows access to a wide range of financial information and the ability to make changes, including depositing account information and allotments.  Therefore, it is essential that access is secure.  Switching to strong password requirements will help protect your financial information and your money.

Intellectually, I know this is a good thing.  However, as a person who struggles with passwords every day, this is just going to be one more hassle in my life.  What do you think?

Comments

  1. Jeff says:

    Between work & home I already have 40+ passwords, several with government or HIPAA type websites, none of them is as stringent as this. All of them have different strength requirements, 'change frequencies', repeat frequencies, etc. There's only so many 'helps' to remember so many passwords. I have to keep a spreadsheet to remember them all, oh and by-the-way THAT also has to have a password. I almost wish I could use a swipe card as my login like the Navy-Marine Corps Intranet does.

  2. Michael says:

    Requireing a password with that stringency will just cause people to write the password down and carry it around, probably in their wallet, just waiting for some thief to grab the wallet and then have complete access to the MyPay account. This is an absolutely ridiculous level of encryption and provides less security than an 8-character password that people actually can remember.

    • Regina says:

      Agree! The level of encryption is absolutely ridiculous. I have not been able to get into my account for months. A waste of my time and big waste of government money!

    • John H. says:

      I can't even get the thing to allow me to type the same password twice. I will no longer be using MyPay for anything. I spent over 40 minutes trying to type the same password twice, but because I had to keep looking at what I wrote down, I'd miss letters or numbers because it's so long. Useless website for retirees.

  3. Col Joe says:
  4. James M. Horak says:

    I wont be using the service anymore unless the govt decides to issue everyone a smart card.

  5. Aric says:
  6. John says:

    I am so glad that I will now be protected from Bradley Manning and Edward Snowden gaining access to my pay inormation.
    I will now have to request a new password every 2 months because that is how often I use MyPay.I stopped making online medical appointments because of the Tricare password fiasco.

    • John says:

      I found out today that the My Pay account info is now used to access TriCare Online. Does help though. Now I only have one password to be frustrated with.

  7. carlos says:

    Way to go MY PAY, you managed to make access to MY PAY MY PROBLEM…

  8. Chief Boring says:

    Groan…Tricare PW requirements are rediculous; now this. Just more hoops to jump through to justify some twidget's excess pay status. With this level of complexity, changing every 60 days is plain stupid. Like the poster said above, I'll end up changing every time I use My Pay, because I seldom access it at less a rate than 60 days. Dumb, dumb, and dumber! Old retired Chief.

    • Regina says:

      MyPay and Tricare should listen to their customers. Yours do not need or want this ridiculous level of encryption!

  9. Master Chief Rob says:
  10. RetSgtMaj says:

    Just like the Government "If it is not broke, fix it until it is"

  11. Jerry says:

    I'm out…

  12. fuzznose says:

    Well, I use an encrypted password generator, which has a single password that I can use to access all of the other 40 million passwords that the gummint requires me to change every few months. At least, that way, when I go look up my password, I don't have to ask for a password reset, and then try to remember another password that I'll have forgotten by the next time I want to check MyPay. LastPass is my friend.

  13. T Neville says:

    Plain and simple…. this sucks!

  14. russellsvocation says:

    Hope they have hired a few more people in the help center. There will be more folks using the "forgot password" button than ever before.
    I'm being silly here, but if all the government agencies could get together under one portal, there would only be one password we would have to remember… HA, silly me.
    In the meantime, I have used a program called RoboForm forever for storing my passwords. Never had a problem with it. There is a limited free version that holds a dozen or so passwords or the paid version which holds unlimited passwords. It will even generate passwords to fit the insanely stringent passwords we now need.

  15. joe guskie says:

    if you musy change passwrd evvery 6 months u r just creating more problems for old soldiers with so many requirements, if you change every 60 days why we can not use 6 or 7 chracters shoul be sufficient

  16. john says:

    This is asinine. I bet mypay use plummets.

    Brilliant bureaucrats….

  17. Paul S. Penczek says:

    Concur with all of the above comments . Have been trying to change my password for over a half hour with no success . While the customer service lady
    was very polite/patient , I am still without a new password . This started out to
    be something useful , but has turned into a nightmare. HELP!

  18. Thomas Austin says:

    My experience was exactly the same as Mr Penczek's (even my call to the customer service lady!). The only difference is I spent over two hours trying to change my password! These password requirements go way beyond the pale. Let's go back to sending out a statement by old-fashioned mail once a year.

  19. Larry Fales says:

    Just won't use the My Pay function anymore. I have 31 passwords to remember so I have a log but I don't Have any passwords that require over 9 items.

  20. anon says:

    Remembering a 15 digit password isn't so hard. Choose eight digits you can remember that have at least one of each required character (number, special, Cap) and type it twice. Or five characters three times, you get the idea.

    • John H says:

      So this is easy?
      ■Must be 15 to 30 characters in length
      ■Contain at least two UPPERCASE letters
      ■Contain at least two lowercase letters
      ■Contain at least two numbers (0-9)
      ■Contain at least two of the following special characters:
      ■# (pound or number sign)]
      ■@ (at sign)
      ■$ (dollar sign)
      ■= (equal sign)
      ■^ (caret)
      ■! (exclamation)
      ■* (asterisk)
      ■_ (underline/underscore)
      ■Must NOT include any spaces

  21. GySgt David Green says:

    The responsibility for the strength of the password should rest with the user. These requirements are excessive, I haven't seen anything like them in the commercial banking or health systems. The old joke about building a mouse to government specifications ends up an elephant seems to apply here. I'll go back to paper.

  22. RetWarrantOfficer says:

    I just got off the phone with DFAS changing my option to receive my statements via snail mail. I've been using the online service for many years and the password / web form security seemed to be pretty secure. I couldn't even use my password management software to login because their web page defeated it. I have given up trying to work it out. It is bad enough to have to use the complexity they are demanding now but to make us change it every 60 days is just unbelievable! I am 60 years old but I work in a computer lab and have many complex passwords as well as manage unix systems using complicated command line commands but this is just too much. I wish the people who come up with this stuff would try it out on their grandparents to see what happens.

    • KateKashman says:

      RetWarrantOfficer, I could not agree more! The only reason that my husband has access to MyPay now is because he is still on active duty and can log on using his CAC. I work with computers all day long and this one is just too annoying!

  23. Karen Ortega says:

    I have tried to access for over a week now…the security is sooooo good…it keeps even me out.

  24. David STARKEY says:

    You are all missing the point. The US Postal Service is in trouble and their Union needs more great passwords like this to close down the internet. Thank of all the new employees DFAS will need to answer phone calls. Not to mention the new building needed to house them, all of the endless grants to study the impact on the retiries, and the list goes on. This is a jobs program that might work.

    As for me, this new password was a clear message to us. STOP USING MYPAY we really don't want to server you!

  25. Mark Scott says:

    I'm getting very frustrated with mypay. I go in and create a password and it works. After inactivity it requires me to log back in. Ok I understand that, so I type in my password which I know is right and it doesn't recognize it and wont let me in. Then you cant request two new passwords within 24 hours which is so dumb. Now I have to wait for 24 hours to pass before I can reset. Just flat out ridiculous.