Get rid of the expiration on passwords on MyUSPTO -- a good password that isn't reused across multiple platforms can be permanent.
Is this solving a genuine and identifiable problem? No. Is there any conceivable way that a bad guy could get into uspto.gov and, for example, expropriate money from one of the credit cards? NO!!! The only payee is the USPTO! Nobody's going to hack into a MyUSPTO account when he/she can't take money out, and the only possibility is to give money to the PTO! Get real! Passwords have to be coordinated among all legal assistants -- the communication creates a bigger risk than any perceived risk that might be attenuated.
If banks don't use expiring passwords when there's a real risk of stealing real money (and the bank is the party at risk), how can it make sense for expiring passwords on MyUSPTO?
Because of this dumb idea, I now have my MyUSPTO password on a sticky stuck to my computer -- a big breach of security. It's the ONLY password I need to do this with, because USPTO is the only organization that is simultaneously uninformed about actual security practices, and customer-unfriendly, enough to have expiring passwords.
Researchers have generally called into question the merit of password expiration. See: https://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf and http://people.scs.carleton.ca/~paulv/papers/expiration-authorcopy.pdf
These papers are cited on an FTC web page titled “Time to rethink mandatory password changes” by a person having the title “Chief Technologist”. See: https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes.