A Routine Password Reset Revealed How Fragile Trust Had Become

The password reset should have taken five minutes.

It took three hours.

The user called at 9:11 a.m. Locked out. Again.

“I didn’t change anything,” she said. “It just stopped working.”

IT reset the password. She logged in. Five minutes later, she was locked out again.

“That’s not normal,” the administrator said.

They checked the logs.

The account was authenticating successfully—from two locations.

One local. One not.

The second location wasn’t familiar. Not overseas. Not dramatic. Just wrong.

The password reset hadn’t fixed the problem.

It had exposed it.

By mid-2006, Microsoft’s messaging around identity had sharpened. Accounts were no longer just credentials. They were access paths. Attack surfaces. Trust boundaries.

Someone had credentials. Valid ones.

The account was disabled immediately.

The user was shaken. Management was unsettled.

“How long has this been happening?” someone asked.

They didn’t know.

That was the answer no one wanted.

They reviewed accounts. Found others that hadn’t logged in for months—yet still existed. Old employees. Contractors. Temporary access never revoked.

No breach was confirmed. No files missing. No damage visible.

But the trust model was broken.

Passwords were reset en masse. Accounts audited. Ownership assigned.

The fix wasn’t technical.

It was procedural.

Because trust that isn’t reviewed becomes assumption.

And assumption always expires.
