topic Re: Forced password reset? in Off Topic

Forced password reset?

Bob_Zimmerman — Tue, 27 Oct 2020 03:11:13 GMT

I tried to log in to the forum earlier and was told my password had expired and needed to be reset. I don't think I've ever seen that before. The only sane reason I know of to force users to reset passwords is a suspected breach of an authentication database. NIST SP 800-63B 5.1.1.2: "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."

I use a randomly-generated password for my User Center account, not shared with anything else, and I don't see it in HaveIBeenPwned, so why the forced reset?

Re: Forced password reset?

_Val_ — Thu, 29 Oct 2020 09:18:21 GMT

We are not aware of any forced reset. Passwords in UserCenter have validity for one year, AFAIK. Also, make sure you are using 2FA.

Re: Forced password reset?

PhoneBoy — Thu, 29 Oct 2020 17:33:11 GMT

The CheckMates team doesn't have visibility into UserCenter accounts beyond the minimum information required to associate it with a community account.
That includes things like password resets.
Account Services would have to be consulted.

Re: Forced password reset?

Bob_Zimmerman — Tue, 03 Nov 2020 19:26:50 GMT

I have a couple of accounts, with one coming up on ten years old. I don't think I've ever had to reset its password. Definitely not since 2015. Very odd.

Re: Forced password reset?

Bob_Zimmerman — Tue, 27 Apr 2021 16:30:34 GMT

I just got a forced reset again. One of my other accounts passed the decade mark, and it's still using the same password.

I'll see what I can find out from Account Services.

Re: Forced password reset?

Bob_Zimmerman — Fri, 24 Nov 2023 15:18:19 GMT

Just got it again.

Passwords are not milk. They do not expire. The fact this is still behaving this way is ridiculous.

I've talked with Account Services. They had no idea what I was talking about and said they have no control over any password expiration. My other User Center accounts still have never had to reset their passwords.

Re: Forced password reset?

PhoneBoy — Mon, 27 Nov 2023 13:39:30 GMT

I'm checking, but I suspect it occurs only with "non-business" emails (Gmail and similar).

Re: Forced password reset?

Bob_Zimmerman — Sun, 09 Jun 2024 17:56:44 GMT

Happened again. Passwords don't expire, and every authority agrees that changes should only be required after a breach, so that must mean the forum is getting breached repeatedly over the span of years.

Or it could mean User Center authentication isn't following the recommendations of every single authority on security, and that this failure to meet minimum standards isn't documented anywhere.

Either possibility ought to be awfully embarrassing.

Re: Forced password reset?

Lesley — Sun, 09 Jun 2024 18:34:23 GMT

Gonna buy me a tin foil hat. Was just doing some searching regarding the issue you have and wanted to read a SK that I had to login.

When I wanted to login: Our records indicate that your password has expired.

Re: Forced password reset?

the_rock — Sun, 09 Jun 2024 20:22:55 GMT

I got the same, but assumed it was the time, as I did not have to change it in how knows how long. Not sure, but maybe someone from CP can confirm if this is indeed expected, ie happens every 6 months, 1 year?

Andy

Re: Forced password reset?

PhoneBoy — Mon, 10 Jun 2024 15:06:47 GMT

We now require all UserCenter/PartnerMap accounts to have their password changed periodically.

Re: Forced password reset?

the_rock — Mon, 10 Jun 2024 15:09:04 GMT

Any idea how often? Every 3, 6 months? 1 year? Something else?

Re: Forced password reset?

PhoneBoy — Mon, 10 Jun 2024 18:32:15 GMT

6 months.

Re: Forced password reset?

the_rock — Mon, 10 Jun 2024 18:36:47 GMT

Thanks for confirming.

Re: Forced password reset?

Bob_Zimmerman — Thu, 29 Aug 2024 15:36:48 GMT

The User Center is becoming shockingly bad.

First, password expiration (which, again, every authority agrees should never be done) with no announcement and no warning. No way to turn it off.

Then you have to set up a TOTP token, again with no announcement. No way to turn it off, and you have to set it up right when you're trying to log in to actually do something. Like, say, when you're trying to view an SK to deal with an outage.

Then random CAPTCHAs, again with no announcement. And again, no way to turn off this garbage.

And now business email addresses are rolled into the password expiration, AGAIN with no announcement, and AGAIN with no way to configure it.

Who is in charge of this mess and why are they in charge of anything? You can't just go changing requirements without any notice!

Re: Forced password reset?

the_rock — Thu, 29 Aug 2024 16:08:45 GMT

I have not had to reset password in few months now, but lets see next time I do, if there are any issues. As far as CAPTCHAs, have not seen those in almost a year now, maybe just luck, no clue : - )

Andy

Re: Forced password reset?

PhoneBoy — Thu, 29 Aug 2024 18:51:39 GMT

I actually posted an announcement of this back in May: https://community.checkpoint.com/t5/General-Topics/UserCenter-PartnerMap-Accounts-to-Require-MFA-5-May-2024/m-p/212845
Granted, this doesn't help folks who didn't see it in CheckMates.

Re: Forced password reset?

Bob_Zimmerman — Mon, 10 Nov 2025 17:03:46 GMT

Just happened again. For a security-focused company to still be following worst practices like this after five years should be deeply embarrassing.

Re: Forced password reset?

the_rock — Mon, 10 Nov 2025 17:08:12 GMT

I could be mistaken, but I believe @PhoneBoy confirmed previously it forces you now every 6 months to reset the password. If that is the case, as far as Im concerned, thats totally fine.

Re: Forced password reset?

Bob_Zimmerman — Mon, 10 Nov 2025 17:16:18 GMT

NIST SP 800-63B version 4, section 3.1.1.2 (emphasis mine):

The following requirements apply to passwords.

Verifiers and CSPs SHALL require passwords that are used as a single-factor authentication mechanism to be a minimum of 15 characters in length. Verifiers and CSPs MAY allow passwords that are only used as part of multi-factor authentication processes to be shorter but SHALL require them to be a minimum of eight characters in length.

Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.

Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.

Verifiers and CSPs SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a single character when evaluating password length.

Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.

Verifiers and CSPs SHALL NOT require subscribers to change passwords periodically. However, verifiers SHALL force a change if there is evidence that the authenticator has been compromised.

Verifiers and CSPs SHALL NOT permit the subscriber to store a hint (e.g., a reminder of how the password was created) that is accessible to an unauthenticated claimant.

Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.

Verifiers SHALL request the password to be provided in full (not a subset of it) and SHALL verify the entire submitted password (e.g., not truncate it).