Confusion overload

I really am a Grumpy Old Dude in IT.

As I’ve hinted at before, I implemented an in-house developed VPN system with user authentication for my day job. Some of the support requests we get are a bit confusing.

Password expiring

One of the things the system does is present a notification on the user interface after logging in if the user’s password is going to expire in a couple of days. Because there’s a history of this being “missed” (ignored), this notification has evolved into a “big scary red box” with clear text in it explaining the password is going to expire soon and how to change the password so it doesn’t expire.

We’ve seen a number of support requests along the lines of “I got this big scary red box! What am I supposed to do?”

We’ve even seen “I got this big scary red box and asked one of the Desktop Support agents what I’m supposed to do, and they told me to log a support request with IT Security!”

See the confusion/frustration? Even the Desktop Support people see a clear message on the user’s screen saying (literally) “Your password will be expiring in a couple of days, click here to set a new password” and still answer “Ask IT Security to reset your password for you”??????

But but but… I don’t know my password

Yes, a follow-up to the above. So we tell the user “Just click on where it says to click to set a new password” and the response that comes back is “But I don’t know what my old password is”.

Dude, you had to log in to the VPN with your old password a couple of seconds ago to even see that message that your password is expiring. And don’t tell me your browser fills in the password automatically because the IT Acceptable Use Policy you have to read (and sign that you have read it) at least once every 12 months specifically says you are not allowed to store passwords in the browser (we strongly advise good password managers).

So how do I change my password?

Last password related one for now… So the user actually clicks the link to the password change form… And then gets confused.

Now this password change form is in a very commonly used format: there’s a field to enter the old password and two fields to enter the new password twice (to avoid mistakes). Very simple little form that we’ve all seen hundreds of times before. If any errors are made, they get a very clear “big scary red box” stating exactly what error they made in filling in the form (things like “oops, the old password you typed wasn’t right” or “oops, there’s a difference between the two times you entered the new password” or even “oops, you can’t have a password that short or that easy to guess”). If they fill all the stuff in right and the password change succeeds, they get a “big friendly green box” saying “congratulations, your password has been updated”.
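The three checks that form performs (old password correct, new password entered identically twice, new password not too short or too guessable), as an added Python example that is not the post’s own code. The minimum length, the deny-list and the PBKDF2 hashing are assumptions for illustration; the post only says “that short or that easy to guess”.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Assumed policy values for this example; the post does not give them.
MIN_LENGTH = 12
DENY_LIST = {"password", "123456", "qwerty", "letmein"}  # constructed sample
PBKDF2_ROUNDS = 200_000  # raise this in production to match your hardware

Stored = Tuple[bytes, bytes]  # (salt, digest) as kept in the user database


def hash_password(password: str, salt: Optional[bytes] = None) -> Stored:
    """Return (salt, digest) for storage, with a fresh random salt per password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so timing does not leak how far the match got."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def change_password(stored: Stored, old: str, new: str, confirm: str
                    ) -> Tuple[bool, List[str], Stored]:
    """Validate the three-field form and return (ok, messages, stored).

    Every failing check is reported, so the "big scary red box" can list
    all of them at once. On success the new (salt, digest) replaces the old.
    """
    errors: List[str] = []
    if not verify_password(old, *stored):
        errors.append("oops, the old password you typed wasn't right")
    if new != confirm:
        errors.append("oops, there's a difference between the two times "
                      "you entered the new password")
    elif len(new) < MIN_LENGTH or new.lower() in DENY_LIST:
        errors.append("oops, you can't have a password that short or that easy to guess")
    if errors:
        return False, errors, stored
    return True, ["congratulations, your password has been updated"], hash_password(new)
```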

But no… Not my users… They see a form that has the very basic layout of many password change forms they have seen before, don’t understand what they are supposed to do now, and instead submit a support request asking IT Security to change their VPN password.

This takes a couple of forms. There’s the old “It keeps giving me a big scary red box when I fill in the first two fields on the form and leave the third one blank”, or the “But I don’t know my old password” mentioned above, or the “But I put exactly the same text in the two New Password fields, I remember because I typed 123 in both”. Not to mention the old “I got the big friendly green box, but I can’t remember what I put in the New Password fields, or I can’t now log in with my old password”.

ARGH!

Your VPN is broken, I activated it in Wireguard and I can’t see stuff

So the way the VPN works is that the Wireguard tunnel connects the device, and then the user logs in to the authentication web interface to be able to use the stuff sitting behind the VPN. This authentication web interface can only be accessed if the Wireguard tunnel is established.

You’d be surprised how often a user, even some who log in to the VPN every day, will somehow just completely block out the knowledge that they have to actually log on to the authentication web interface to use the VPN; just turning the tunnel on in Wireguard is not enough.

Your VPN is broken, I can’t see the login form

Quite often we get support requests along the lines of “The VPN is broken, the authentication site doesn’t open”. In 90% of cases, we find that the user never activated the Wireguard tunnel.

In some rare cases, this is actually an issue with Wireguard thinking the tunnel is active when it isn’t actually exchanging network packets with the peer. Usually this is fixed by disabling and re-enabling the tunnel; in rarer cases it is fixed by rebooting the user’s device; in extremely rare cases a support request is needed because we actually have to delete the tunnel from the user’s device and create a new one with a new key pair.

So you’d think a user seeing they can’t see the authentication interface would think “oops, let me check if the tunnel is active in Wireguard, and maybe just reboot my device because IT are always saying ‘have you turned it off and on again’”… Yeahhhh no.

Your VPN is broken, I went to lunch and now I can’t work

So one of the features of the system is that it will automatically disable a user’s session if there is no traffic from their device for 5 minutes (yes, we do have a keep-alive set in Wireguard in case the user just doesn’t need to access stuff behind the VPN for more than 5 minutes), and they have to log in to the authentication web interface again.

So lunch time comes along, user closes the lid on their laptop, laptop goes to sleep and turns off stuff like the WiFi interface or Ethernet interface to save power. User comes back from lunch, opens the laptop, and logs a support request saying the VPN is broken because the knowledge that they have to log in to the VPN again if they were offline for 5 minutes has been blocked out from memory.

A related one here is “Your VPN is broken, I logged in yesterday and now I can’t work”. This is because we disable the user’s session if it’s been active for over 12 hours.
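The two expiry rules together (5 minutes without traffic, 12 hours since login), as an added Python example that is not the post’s own system code; the `Session` fields and function names are assumptions, and the absolute limit is checked first so the “logged in yesterday” case is reported as such even if the device is still sending packets.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Values taken from the post: 5 minutes idle, 12 hours absolute lifetime.
IDLE_TIMEOUT = timedelta(minutes=5)
MAX_SESSION_AGE = timedelta(hours=12)


@dataclass
class Session:
    user: str
    logged_in_at: datetime     # successful login on the authentication web interface
    last_traffic_at: datetime  # most recent packet seen from the user's tunnel peer


def session_state(s: Session, now: datetime) -> str:
    """Return 'active', 'idle_expired' or 'age_expired'.

    The absolute limit wins: a session older than 12 hours is disabled even
    if traffic is still flowing (the "I logged in yesterday" support request).
    """
    if now - s.logged_in_at >= MAX_SESSION_AGE:
        return "age_expired"
    if now - s.last_traffic_at >= IDLE_TIMEOUT:
        return "idle_expired"
    return "active"


def expires_at(s: Session) -> datetime:
    """When the session will be disabled if no further traffic arrives."""
    return min(s.logged_in_at + MAX_SESSION_AGE, s.last_traffic_at + IDLE_TIMEOUT)


def sweep(sessions: List[Session], now: datetime) -> Dict[str, str]:
    """Periodic sweeper: {user: reason} for every session that must be disabled,
    i.e. whose user has to log in to the web interface again."""
    to_disable: Dict[str, str] = {}
    for s in sessions:
        state = session_state(s, now)
        if state != "active":
            to_disable[s.user] = state
    return to_disable
```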