Lesson 1.5: Password Management

Password management on TaRMS — resets, security questions, 2FA — keeps your account safe. This lesson takes you through the password workflows.

Password management on the SSP is more than a security hygiene issue — it is a compliance issue. A locked-out user cannot file; a missed deadline due to a forgotten password is treated by ZIMRA as the taxpayer’s problem, not the system’s. This lesson covers every state in the password lifecycle: setting at registration, voluntary change, periodic forced change at 90-day expiry, lockout after 5 failed attempts, and the OTP-based recovery flow.

By the end the learner will: (i) be able to change their password proactively; (ii) recover from a forgotten-password situation; (iii) handle the 90-day expiry without surprise; (iv) avoid the lockout by understanding the 5-attempt rule; and (v) understand when an in-person ZIMRA station visit is the only recovery path.

1. Cyber and Data Protection Act, section 7 — data-protection by design

Imposes the obligation to apply appropriate technical and organisational measures. Strong-password policies and periodic rotation are textbook section-7 measures.

2. Section 80 Income Tax Act — false statements

Where a return is filed under a credential that has been compromised, the section 80 risk attaches to whoever holds the credential. Password hygiene is therefore a section 80 risk-management practice.

3. SSP Terms of Use

Bind the user to (i) keep credentials confidential, (ii) report suspected compromise within 24 hours, (iii) accept liability for acts done through their credential.

4. POTRAZ guidance on access controls (2024)

Treats credential-sharing as per se a section 7 breach.

1. Password rules in force

2. Voluntary change workflow

1. Login.
2. Click profile menu (initials, top-right).
3. Choose Change Password.
4. Enter current password; enter new password twice; submit.
5. Logout and re-login with the new password to confirm.

3. Forced change at 90-day expiry

On the day the password expires, the next login forces a change-password screen. The user enters the current password and a new one. If the user has not logged in for many months, the expiry change happens at the first attempted login post-expiry.

4. Forgot-Password recovery

1. Click Forgot Password on the login screen.
2. Enter the registered email.
3. Receive an OTP at the registered email (and SMS if configured).
4. Enter OTP within its 10-minute validity.
5. Set a new password subject to the rules.
6. Login normally.

5. Lockout recovery

Five failed attempts triggers a lockout. The lockout is removed by the same Forgot-Password OTP flow. If the email is also compromised or stale, in-person reset at a ZIMRA station with proof of identity is required.

6. In-person reset criteria

Required when:

• Email on file is no longer accessible.
• OTP is not arriving (typically a misconfigured email or aggressive spam filter).
• 2FA settings are corrupted.
• Account is suspended due to suspected compromise.

Documents to bring: original national ID; latest available TIN Certificate; any document tying the user to the account (recent assessment notice, employer correspondence).

7. Two-factor authentication management

From the profile menu, configure 2FA:

• Email OTP (default): always on for new logins from unrecognised devices.
• SMS OTP (opt-in): add the registered mobile and verify with a one-time SMS.
• Authenticator app (under planned future support): not currently available; check ZIMRA Public Notices.

1. The diary discipline

Best practice: diary password change every 80 days (10-day buffer before 90-day expiry). Set the diary at registration and recur thereafter.

2. The departing-employee handover

When an employee leaves:

• Tax Manager removes them as Assignee (Lesson 3.4)
• the departing employee’s personal SSP account remains theirs
• any client TINs they had access to are revoked by removing their assignee status. The personal account is not transferred.

3. The deadline-morning lockout

Most expensive scenario: forgotten password discovered on a deadline morning when the registered email is also inaccessible. Recovery requires an in-person station visit, often unfeasible in time. Prevention: quarterly Profile audits (Lesson 2.1) confirming the email is current.

4. The shared-workstation issue

In small offices, two practitioners sometimes share a workstation. Each must log in under their own credentials; never share passwords. The browser-stored password from one user must not be used by another.

1. Adventure Communications revisited

The 2021 SA case treated credential-use as binding the credential-holder. Password compromise without prompt notification (within 24 hours per SSP Terms) magnifies exposure.

2. POTRAZ administrative findings

2024 POTRAZ guidance treats credential-sharing as section 7 breach; multiple administrative findings have followed against firms whose audit found shared credentials.

1. Browser-saved old passwords

After change, the browser store may serve the old one. Fix: manually update.

2. Stale email leading to OTP failure

Recovery becomes in-person. Fix: quarterly Profile audit.

3. Reusing the same password across systems

Cross-system breach risk. Fix: password manager.

4. Sharing the password "just for today"

Cyber Act section 16 offence. Fix: use Assignee structure (Lesson 3.4).

5. Letting password expiry happen on deadline morning

Diary 80-day proactive change.

6. Treating SMS OTP as guaranteed

SMS delivery is intermittent. Email OTP is more reliable.

Question 1

State the password rules in force on the SSP.

Question 2

Walk through the Forgot-Password recovery workflow.

Question 3 — Scenario

You attempt login on deadline morning; account is locked after 5 failed attempts; the email on file is your old firm’s email which you no longer access. What is your recovery path?

Question 4

What does the SSP Terms of Use require regarding suspected credential compromise?

Answer 1

Min 8 characters; mixed case, digit, special; 90-day expiry; cannot reuse last 5; 5-attempt lockout; email OTP default 2FA.

Answer 2

Forgot Password link → enter email → receive OTP → enter OTP within 10 minutes → set new password → login.

Answer 3

Forgot-Password OTP fails because the email is inaccessible. Only recovery path: in-person ZIMRA station visit with original national ID and (if available) latest TIN Certificate. Practical timeline: 30–60 minutes at the station, but possibly longer if the deadline is the same day. Contemporaneously document the situation as system-unavailability-equivalent and lodge a help-desk ticket; ZIMRA may, on a discretionary basis, accept a late submission once access is restored. Lesson: quarterly Profile audits prevent this scenario.

Answer 4

Report within 24 hours. Reset password immediately. Audit the History tab (Lesson 2.1) for any unauthorised activity during the suspected window.

☑ Password lifecycle: set → change → expire → reset → recover.

☑ 90-day forced rotation; 5-attempt lockout; OTP-based recovery.

☑ Diary 80-day proactive change.

☑ Stale email = in-person recovery; prevent via quarterly audit.

☑ Sharing passwords is a section 16 Cyber Act offence.

☑ 24-hour breach notification under SSP Terms.

☑ Continuity: Lesson 1.6 covers User Profile and Session Management.

──────────

TaxTami — Zimbabwe Tax Training

www.taxtami.com · info@taxtami.com