Users password was reset but old password still works

This question has suggested answer(s)
We have reset the password for a user who was being terminated to lock them out from access to the account, while still allowing another user to log in via OWA. Now both the new password and the previous password still allow access to the account. We are well over the tombstone allowance of 15 minutes. It's been hours and the account is still accessible. This is a major problem, Microsoft.
All Replies
  • Hi Customer,

    Please refer to the following link about resetting passwords for users:

    http://office.microsoft.com/en-us/office365-suite-help/reset-a-user-s-password-HA102816058.aspx?CTT=1

    I’d like to confirm if you did the steps above and received the temporary password. If not, could you let me know which steps you have done?

    And if possible, please provide the answers to the questions below. It would help us verify the issue more clearly.

    1) Which plan are you using, Small Business or Enterprise?
    2) Does the issue occur for one user or all users?
    3) Can the end user reset his password by using Office 365 settings?
    4) What kind of environment did your users deploy: SSO, ADFS or pure cloud?
    5) Have they enabled MFA (Multi-Factor Authentication)?

    If there is any update, feel free to let me know.

    Regards,
    Rachel


  • We are experiencing the same issue. I have tried resetting passwords as admin or as the user, and the old account passwords continue to work in addition to the new. What gives, Microsoft?

    As True Investments states, it's well beyond 15 minutes and almost 24 hours for some users.

    Furthermore, this isn't just a desktop client issue. You can literally type either password to gain access to the accounts in question. This is so far from secure, and the fact that I see other threads mentioning this issue going back to mid-2013 makes me very nervous.

    We are running a pure cloud instance of Office 365 - no onsite AD, etc.

  • We had a security issue today where we needed to change a couple passwords. We changed them but the user could continue to use the old one (and the new one worked as well). It's been about 20 minutes so far.

  • True Investments,

    I have experienced this problem as well. What web browser were you using? Whatever it was, try a different one and see if you can log on through OWA. If not, clear out the cookies, history, saved passwords, the whole lot. Then close the browser and reopen it and try again. Let me know if this works or not.

    David Hames ACS, A+, N+

  • Oh, I forgot to mention to clear the browser's cookies, history, etc. in the browser that was giving you the issue.

    David

  • The way I know that something isn't right is that the users' laptops have NOT asked for the new password (and the laptop in question is not part of any domain). So it should be prompting the user for a new password. Same goes for their iPhones. So right now, the users I'm working with have 2 working passwords. Checked from 2 different computers and used Chrome incognito with all cookies/cache cleared.

    This might be helpful if anyone is reading this:

    I originally logged in as the user and reset the password.

    I logged out and back in with the new password and assumed all was good.

    Then I realized both still worked (mainly because of Outlook not asking for the new password).

    Then I went in as the admin and requested a password reset, I went through that process.

    The temp password that 365 assigned no longer works (which makes sense), BUT the original password and the newly reset password still both work.

    Any ideas?

    This is pretty scary if you had to terminate an employee and couldn't lock them out of the account!! (in the event you didn't want to delete the account)

  • Ok, on the two laptops, what version of Outlook are they using, and how is the Office 365 email account set up? Is it POP, IMAP, or Exchange Autodiscover?

    David

  • Outlook 2010. Exchange. Autodiscover.

    In Outlook, I went into the account and hit "repair" to see if it would prompt me for a new password but it hasn't.

    Is there ANY reason why I would ever be able to use multiple passwords? I can log in right now using either password. I guess I just don't understand how this is even possible.

  • As one more test, I added the email account to my "test" iPhone using the old password (no problems). Then deleted it and set it up with the new password (no problems). I don't get it ;-)

  • Ok, this is what I have been having to do, because as we speak I am reconfiguring 42 users' Outlook profiles on a domain with the newly reset password. Some of them are POP, some of them Exchange Autodiscover. For the Exchange Autodiscover ones, since it's an Office 365 account and all emails are automatically backed up to the cloud, I do not have to worry about losing emails, so I had to blow away the current profile by going to Start, Control Panel (make sure it's on large or small icons, not Category), Mail (32-Bit), Show Profiles, Remove. Then close out of that and reopen Outlook; it will ask for a new profile name. Enter "Outlook", and then reconfigure the Exchange email account with the Display Name, Email Address, and the new password twice. Once the account has finished being configured and you see the inbox emails, close Outlook and reopen it again, and it should prompt you for the password again. Try entering the old password and see if it takes; it shouldn't. Then it should prompt again for the password; type in the new one and make sure to check the "remember my password" check box, and you should be golden.

    David

  • The phones I have not figured out yet, still working on it.

    David

  • Are you suggesting that changing the profile on the computer will fix the issue of them being able to just log in using OWA? Let's just act like the user only uses OWA. What would we do then?

  • What web browser are you using??

    David

  • Ok, I think I have a pretty good hypothesis for this result of the old password still being able to be used.

    Since Office 365 is run from the cloud and not from some local server in your network closet, when you do a password reset it takes some time for the old password to be taken out of the ballgame. I think it works just like an MX record or domain update for an email server; you know how it takes about 72 hours for it to populate through the entire internet, so when someone from the outside sends you an email it still has a chance to go to your old email instead of the new one you just updated. So, in essence, when you update a password on a cloud-hosted email server, in theory it would take almost the same amount of time to update through the internet, because you can access the email from any web browser that is hooked up to the internet.

    I could be wrong, because this is a theory. I would like someone from the Office 365 staff to confirm this.

    David

  • Same results in IE11, Chrome and FF. 4 different computers. I assure everyone it is NOT a cache issue.