Bob_Zimmerman
Authority

Forced password reset?

I tried to log in to the forum earlier and was told my password had expired and needed to be reset. I don't think I've ever seen that before. The only sane reason I know of to force users to reset passwords is a suspected breach of an authentication database. NIST SP 800-63B 5.1.1.2: "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."

I use a randomly-generated password for my User Center account, not shared with anything else, and I don't see it in HaveIBeenPwned, so why the forced reset?

0 Kudos
13 Replies
_Val_
Admin

We are not aware of any forced reset. Passwords in UserCenter have validity for one year, AFAIK. Also, make sure you are using 2FA.

0 Kudos
Bob_Zimmerman
Authority

I have a couple of accounts, with one coming up on ten years old. I don't think I've ever had to reset its password. Definitely not since 2015. Very odd.

0 Kudos
Bob_Zimmerman
Authority

I just got a forced reset again. One of my other accounts passed the decade mark, and it's still using the same password.

I'll see what I can find out from Account Services.

0 Kudos
PhoneBoy
Admin

The CheckMates team doesn't have visibility into UserCenter accounts beyond the minimum information required to associate it with a community account.
That includes things like password resets.
Account Services would have to be consulted. 

0 Kudos
Bob_Zimmerman
Authority

Just got it again.

Screenshot 2023-11-24 at 08.45.10.png

Passwords are not milk. They do not expire. The fact this is still behaving this way is ridiculous.

I've talked with Account Services. They had no idea what I was talking about and said they have no control over any password expiration. My other User Center accounts still have never had to reset their passwords.

0 Kudos
PhoneBoy
Admin

I'm checking, but I suspect it occurs only with "non-business" emails (Gmail and similar). 

0 Kudos
Bob_Zimmerman
Authority

Happened again. Passwords don't expire, and every authority agrees that changes should only be required after a breach, so that must mean the forum is getting breached repeatedly over the span of years.

Or it could mean User Center authentication isn't following the recommendations of every single authority on security, and that this failure to meet minimum standards isn't documented anywhere.

Either possibility ought to be awfully embarrassing.

0 Kudos
Lesley
Advisor

Gonna buy me a tin foil hat. Was just doing some searching regarding the issue you have and wanted to read an SK, for which I had to log in.

When I wanted to log in: "Our records indicate that your password has expired."

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
the_rock
Legend

I got the same, but assumed it was the time, as I had not had to change it in who knows how long. Not sure, but maybe someone from CP can confirm if this is indeed expected, i.e. happens every 6 months, 1 year?

Andy

0 Kudos
PhoneBoy
Admin

We now require all UserCenter/PartnerMap accounts to have their password changed periodically.

0 Kudos
the_rock
Legend

Any idea how often? Every 3, 6 months? 1 year? Something else?

0 Kudos
PhoneBoy
Admin

6 months.

the_rock
Legend

Thanks for confirming.

0 Kudos