The Samsung Galaxy S4 comes in a variety of model numbers here in the US. There is a version for AT&T (model SGH-I337), one for T-Mobile (model SGH-M919), and more for other carriers that sell the S4. Generally, these phones are locked to their original service providers, though one can purchase an unlocked version of the S4 (GT-I9500) that is sold on Amazon, eBay, and other online merchants.
AT&T and T-Mobile will both provide you an unlock code to unfetter the phone from their networks IF one pays full retail price for it (currently $640 or above). If you want to be able to unlock and use the phone on both AT&T's and T-Mobile's networks, you are better-off purchasing the T-Mobile model outright and getting it unlocked. It will (according to specs published on Samsung's website) work on BOTH networks, adding some amount of flexibility to switch carriers at will.
Another advantage of paying full-price for the phone is that you are not tied into a contract …
I have experienced this firsthand that, when asked to change passwords frequently, users resort to using past passwords with minor changes or additions to it. It is difficult to remember passwords, so they may add a number to an existing password. So, for example, if my password is sTudENt, when I am asked to change the password, I change it to sTudENt1. The next time around, I may change it to sTudENt2, next to sTudENt3, and so on. I have been preaching for years that requiring users to change passwords frequently serves little purpose from a security standpoint. Now, Microsoft says it, too.