Password Lockouts - Office of Technology Services

skip to section links

Skip to page content

TU Home
About TU
Administration & Finance Division
OTS

About OTS

Services Directory

Support

Computing Accounts & E-mail

Getting Connected

Hardware & Software

Training & Documentation

Website Development

Instructional Support

Application Consulting Services

Information Systems Access

Telecommunications

Rollout & Upgrade Projects

Downloads & Forms

Contact OTS

OFFICE OF TECHNOLOGY SERVICES

Support

Passwords

This page is currently written for faculty/staff, but many of the suggestions apply to students as well. Information specific to student accounts will be provided soon.

Are Bad Password Attempts Locking You Out?

It is an IT industry standard to limit the number of bad password attempts. It helps prevent rapid-fire automated attempts from malicious computers trying to hack into people's accounts. Towson is not alone in having such a rule for bad password attempts.

The Faculty/Staff Help Center has seen a substantial surge in the number of people getting locked out of their account after four consecutive bad password attempts. The most common reason for these lockouts is changing the password on your computer, and not changing the password on your smart phone or tablet type mobile device.

Here is some background to explain how this can happen, how to minimize the chances of it happening to you, and what to do if you get locked out.

Three General Reasons for Lockouts

Stale cached credentials: whenever you change your password, your old password may still be "remembered" (cached) on other computers, tablets, smart phones, websites, or software apps; you need to update these cached credentials with your new password, too
Human error: mistyping, forgetting your password, not noticing a previous user is showing in a login box, etc.
Malicious intent: a computer or person deliberately trying to access your account or trying to lock you out.

How to Get Unlocked

Wait 15 minutes and try again, since a NetID remains locked out for 15 minutes. NetIDs will be locked out if there are 4 or more bad password attempts within a 15-minute period. The bad password attempt counter will reset to zero if you enter a correct password or if it’s more than 15 minutes after your first bad attempt.
In an emergency, if you can't wait that long, have someone with a NetID log on to a computer and open a web browser for you. Go to http://www.towson.edu/accounts or click on Manage NetID (you'll find this link on various TU Web pages, like MyTU).
- Find the Faculty/Staff section on the page.
- Click Reset Forgotten Password; you will be prompted for some secret information only you will know, including the answer to your security question.
- Give yourself a new password. That also resets the four-strikes-you're-out counter back to 0, so you can immediately try again with your new password.
- Use of this tool is logged. Excessive use may trigger an alert to OTS staff.
If neither solution works, then you can call the Faculty/Staff Help Center. Staff are not permitted to unlock accounts for routine lockouts, but they can help if you are not able to use our self-service tools. Positive identification is required to prevent unauthorized access to your account by an imposter.
In a classroom, getting locked out of the instructor’s computer could be a real problem. Be prepared: read our “Solving Classroom Technology Problems: A Guide for Faculty and Support Providers.” Search the document for SCTPG-026 or the words “Account is Locked Out.” Possible solutions and workarounds are provided. Click here for a link to the document.

OTS Can Investigate Repeated Lockout Incidents

All password login attempts are logged centrally by OTS. We of course log NetID and timestamps, but we can also identify the source of the login and may be able to trace it back to a particular computer, device, or point of authentication (e-mail, VPN, etc.).
This information can be helpful to isolate a recurring problem to things you may be able to control—or it may provide evidence to help identify if another person may be locking you accidentally, intentionally, or maliciously.

Common Reasons Accounts Get Locked Out at Towson University

Number one on the list is smart phones (cell phones including Blackberry's, iPhones, Android phones, etc.) that let you read and send e-mail from your Towson University Exchange account. Remember when you first set up your phone, or had someone do it for you? You had to provide your NetID and password so your phone wouldn't bug you each time you check your mail. If you don't update your phone each time you change your password, you'll have the "stale cached credentials problem" and guarantee yourself at least one strike when it tries to connect with the old password. If you keep trying, you'll get locked out quickly. The process to update your password varies by phone manufacture and model.

Solution: Get to know your phone and how to change your e-mail account settings. Have your phone with you when you change your NetID password on a campus computer or at home. Then, as soon as you change it, update your phone settings right away.

Tablets like iPads, Androids, Kindles, Nooks, and others that let you read e-mail have the same issues as smart phones. If you use one of these for your Exchange e-mail, you have to remember to change your password on the tablet each time you change your NetID password.

Solution: After you change your password, also open your e-mail settings on your tablet and change the password associated with your Towson University e-mail account.
Laptops and other mobile devices that have the password saved for tu-secure wireless connections, will also trigger lockouts after your password is changed.

Solution: Bring your laptop and any other mobile devices that use to connect to the university wireless network, to the campus when you are going to change your password. After you change your password, immediately connect the laptop or other device to tu-secure and update your password.
CUCI-Lync, the optional software you can download on your TU office computer and tie into your new VoIP telephone offers some cool features. But the app on your computer requires you to provide your password. Like other cached credentials, whenever you change your NetID password, you have to also change it in CUCI-Lync.

Solution: Close, then re-open Microsoft Communicator/CUCI-Lync on your desktop computer after you change your password. You will be prompted to enter your new password.
Computers in offices, computer labs, and classrooms may be configured to remember the last person who logged in, so if you used one of these, your NetID (username) may already be filled in somewhere on campus. If the NEXT person after you who uses the computer doesn't notice it and types his password, it will count as a "strike" against you, since it's your NetID that's still in the box.

Solution: If you can identify the person who uses the computer after you, then you may be able to mention the problem to them and ask that they be careful and check the NetID first before trying to login.
People with a NetIDs similar to yours (ajones vs. anjones) sometimes forget or mistype—especially new employees. Another person can cause a strike against you if they use your NetID by mistake.

Solution: If you get locked out a lot and suspect this, see if there’s another person with a similar NetID (search the Online Telephone Directory). A courtesy e-mail to the person may help remind them that they should be careful typing in their NetID.
Malicious activity can get you locked out. A mean person, disruptive student, prankster, or colleague with a grudge could intentionally type your NetID and a bogus password four times in a row—and lock you out. This can be serious: in a smart classroom, a student with a laptop, iPad, or other device, could in theory do this and prevent you from logging into the instructor workstation.

Solution: Use the emergency unlock solution if the lockout is interfering with your work or teaching. If it happens frequently, or you suspect foul play, report it to the Faculty/Staff Help Center.
If you use the Remote Desktop Gateway (RDP) to connect to your office computer from home or other areas of campus, you may have checked the option to "save your credentials" when you first set it up. To check to see if your credentials are saved, and to remove the saved credentials follow the steps below:
- Select Start, All Programs, Accessories, and open Remote Desktop Connection.
- Click the General tab.
- If your credentials are saved you will see the following message: "Saved credentials will be used to connect to this computer. You can edit or delete these credentials.
- Click the delete link to remove the saved credentials.

Solution: For security reasons It is best not to save your credentials in the remote desktop client at all. If someone should gain access to your computer they would automatically have access to the remote computer as well.

When using the Virtual Private Network (VPN) off campus to securely access the Towson Network, you must make sure that you disconnect when finished working. If you do not disconnect and then come to campus and change your password, this could result in repeated password lockouts.

Solution: Always log out of the VPN when you’re done. Never leave home for work while the VPN is still connected and active. Logging off your home computer is the best solution, since it protects it from other potential intrusions too.

Administration and Finance - Office of Technology Services