This has been fraught for a long time. I wasn't able to do it with Firefox or Chrome, but it used to let me do it with Opera. I have no idea why. But yesterday, when I went to use it, it told me that my current password will expire in three days, would I like to change it?
Yes, I would, I don't like leaving things until it's too late.
So I clicked on the link. It wanted my old password, and my new password twice, and then I clicked on Submit. Nothing happened. And the password hadn't changed. I tried it with Firefox, then with Chrome. No joy. Then I tried it on another computer. Still no luck.
So I phoned for tech support 0333 202 7930. The nice lady suggested that I email to email@example.com with a screenshot. So I did that.
I got a reply very quickly. They suggested that I type the new password instead of copy-pasting it. Why did I copy-paste it? Because their password has to be at least one capital letter, at least one digit, at least one special character and at least one lowercase. And at least 12 characters long. And changed every month. Do they seriously think that I'll be able to remember that? So of course I use a password manager. They also made another suggestion, but that didn't help.
So I tried typing this long and tedious password instead of copy-pasting. And it almost worked! This time, their page acknowledged that the password was strong (it hadn't said anything about it before) and that the second time I typed the new password, it was the same as the first. Result! But when I clicked on Submit, again it didn't change the password.
So I did another tech support call.
This time she suggested that I ask for a temporary password. The problem with that, I thought, will be that this temporary password gives me one login. So if I try to change the password and it still won't change, that's it, and I'm left with requesting a temporary password each time I want to use their system.
Still. I might as well try it, my existing password will be nullified soon anyway. So I did.
And it let me change my password.
Because the password change page after a temporary password is different from the normal password change page.
So what in future? Well, if I pretend that I've lost my password, then it'll email me a new temporary password, and I'll be able to change it from there.
What a performance!
And the cream of the joke? Their idiotic system is what forces everyone to use a password manager, which for many people will be "write it on a post-it note", which is far less secure than just having a fairly simple password. And if you want it to be secure?
USE TWO FACTOR AUTHENTICATION!!!
That's what Barclays Banking online uses, with a little calculator-like gizmo that gives me a new code each time. And even HMRC use 2FA, via my mobile phone.