They're not resetting your password, they're just turning off the bit you flipped that locked the account. Account locking is intended to prevent dictionary attacks by increasing the amount of time it takes to try a statistically useful number of passwords to the point where it's not worth attacking. In other words, the system is working exactly as designed, *including* the 30-60 minute delay in the human interface, it's *supposed* to be a pain, and there's no reason to worry whether you are who you say you are, at least on your first request to unlock the account. You call back three or four times in a day, though, and they're going to start taking a closer look.
You probably didn't notice this, but the response time for each failed auth attempt probably increased by a significant percentage, another standard ploy for slowing down dictionary attacks.
It's also standard practice to provide minimal information when an auth attempt fails--if you return one message when the account name is wrong, and a different one when the name is right but the password is wrong, that tells the bad guy when he's found a valid login name.
In short, security procedures are not about making it easy for the user, but about making it a pain in the ass for the bad guy.
Not telling you your connection failed because of auth failure is taking that a bit far, though. :)
And not providing you with the number you need to call to reset your account is something they should probably be able and willing to fix. Unless they think that they provided you with that information and it should be easily accessible to you from your home, without access to the intranet. Didja RTF VPN M?
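The three defensive mechanisms the comment above describes (lock the account after a run of failures, slow each failed attempt down, and give the same answer whether the username or the password was wrong) fit in one small login handler. The following is an added illustration, not code from the thread or from any particular VPN product; the thresholds, the `helpdesk_unlock` routine that clears only the lock bit, and the injectable `sleeper` are all assumptions made for the example.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Policy knobs (assumed values for this example).
LOCKOUT_THRESHOLD = 5             # consecutive failures before the lock bit is set
BASE_DELAY_SECONDS = 0.5          # delay after the first failure, doubling thereafter
MAX_DELAY_SECONDS = 8.0           # cap on the doubling delay
GENERIC_FAILURE = "Login failed." # identical for unknown user and wrong password


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    locked: bool = False


class AuthService:
    def __init__(self, sleeper=time.sleep):
        self._accounts: dict[str, Account] = {}
        self._failures: dict[str, int] = {}   # keyed by submitted username, real or not
        self._sleep = sleeper                 # injectable so tests do not really wait
        # Dummy account used when the username is unknown, so the password
        # check (and its cost) runs regardless; its hash can never match.
        self._dummy = Account(os.urandom(16), b"\x00" * 32)

    def create_account(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = Account(salt, hash_password(password, salt))

    def is_locked(self, username: str) -> bool:
        acct = self._accounts.get(username)
        return acct is not None and acct.locked

    def failure_delay(self, failures: int) -> float:
        """Delay to impose after `failures` consecutive failed attempts."""
        if failures <= 0:
            return 0.0
        return min(BASE_DELAY_SECONDS * 2 ** (failures - 1), MAX_DELAY_SECONDS)

    def login(self, username: str, password: str) -> tuple[bool, str]:
        acct = self._accounts.get(username)
        target = acct if acct is not None else self._dummy
        ok = (not target.locked
              and hmac.compare_digest(hash_password(password, target.salt), target.pw_hash))
        if ok:
            self._failures.pop(username, None)
            return True, "OK"
        # Failure path: count, maybe lock, and delay. The counter and the delay
        # apply to unknown names too, so timing does not reveal which names exist.
        n = self._failures.get(username, 0) + 1
        self._failures[username] = n
        if acct is not None and n >= LOCKOUT_THRESHOLD:
            acct.locked = True
        self._sleep(self.failure_delay(n))
        return False, GENERIC_FAILURE

    def helpdesk_unlock(self, username: str) -> None:
        """What the helpdesk 'reset' really does: clear the lock bit, keep the password."""
        acct = self._accounts[username]
        acct.locked = False
        self._failures.pop(username, None)


if __name__ == "__main__":
    delays: list[float] = []
    svc = AuthService(sleeper=delays.append)   # record delays instead of sleeping
    svc.create_account("alice", "correct horse battery staple")
    for _ in range(LOCKOUT_THRESHOLD):
        print(svc.login("alice", "wrong-guess"))
    print("locked:", svc.is_locked("alice"), "delays:", delays)
    print("right password while locked:", svc.login("alice", "correct horse battery staple"))
    print("unknown user:", svc.login("nobody", "anything"))
    svc.helpdesk_unlock("alice")
    print("after unlock:", svc.login("alice", "correct horse battery staple"))
```

Note that a locked account answers with the same generic message as a wrong password, which is the "minimal information" rule applied consistently; the unlock path is out of band (the helpdesk call), exactly the friction the comment describes as intentional.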
(no subject)
Date: 2007-12-21 04:55 pm (UTC)