I'm required to use a Citibank credit card for official, business travel.
Their website is horrible. And their security is risibly oversensitive.
I don't travel much, and it used to be that every time I logged in to pay my bill I would have to call them to get my password reset. Turns out - the guy said, last time this happened - you have to change your password every sixty days and if you don't log in within those sixty days you get locked out.
Okay. Fine. Sigh.
I put a recurring reminder on my calendar to log in and change the password every seven weeks. (Did I mention, you must use IE?) What happened? "Logon credentials are invalid."
So at least I could still reset the password by answering all the questions (first pet's name? billing zip code? last six digits of account?) and then, when I logged in, I had to answer another security question.
So I've changed the reminder to every six weeks. We'll see if that makes a difference.
At some point security hoops become so not worth it, and if you can you abandon the company/bank/website requiring them for one that lets you never change your password. I'm not sure exactly where that point is. But Citi is well past it.