It happened again: a business I deal with that regularly bills me for an ongoing service asked me to update my billing information, because the credit card number I had furnished them expires this month. Fair enough, but when I tried to log onto their site, it rejected my password. I know I was using the correct password, because I use a password manager to keep track of such things.
As I began, this is hardly the first time this has happened. It’s inevitably for a site I don’t visit very often. My guess is that there is some sort of logic bomb coded into many sites, which proclaims a password stale if it is not used regularly enough. This is the case despite there being no password expiration policy (I never got any such email, and as usual the system simply let me “reset” the password using the same old one I’ve been using).
It’s strange behavior. If a password is old enough not to trust, wouldn’t you want to simply expire it, and demand a new one? And if you’re going to expire someone’s password, wouldn’t you want to send a warning email before it expires?