Bob_Zimmerman
Authority

Forced password reset?

I tried to log in to the forum earlier and was told my password had expired and needed to be reset. I don't think I've ever seen that before. The only sane reason I know of to force users to reset passwords is a suspected breach of an authentication database. NIST SP 800-63B 5.1.1.2: "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."

I use a randomly-generated password for my User Center account, not shared with anything else, and I don't see it in HaveIBeenPwned, so why the forced reset?

16 Replies
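The opening post contrasts two triggers for a forced password change: an arbitrary clock (which NIST SP 800-63B 5.1.1.2 says verifiers SHOULD NOT use) and evidence of compromise (which it says SHALL trigger a change), and mentions checking the password against HaveIBeenPwned. The Python below is an added example, not code from the forum or from Check Point, showing how a verifier would implement the "evidence of compromise" test with the Pwned Passwords k-anonymity range API and then make the NIST-style decision beside the six-month periodic policy for contrast. The range-endpoint URL and the SHA-1 of "password" are real; the response body and breach counts are constructed so the example runs offline, and the `fetch_range` callable is an assumption standing in for the HTTP call.

```python
"""
HIBP k-anonymity range check plus a NIST SP 800-63B 5.1.1.2 style reset decision.
Added example for this thread; not Check Point's or the forum's own code.
"""
import hashlib
from dataclasses import dataclass
from typing import Callable

# Real endpoint: GET https://api.pwnedpasswords.com/range/{first 5 hex chars of SHA-1}
# returns "SUFFIX:COUNT" lines for every breached hash sharing that prefix, so the
# verifier never sends the full hash. The body below is CONSTRUCTED for offline use:
# the first suffix is the real remainder of SHA-1("password"); its count and the
# other two lines are made up.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\r\n"
        "00DB5DAF1BE2E1E98FD6A8B1A2B3C4D5E6F:3\r\n"
        "FFA1B2C3D4E5F60718293A4B5C6D7E8F901:12\r\n"
    ),
}


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 into the 5-char prefix sent to HIBP and the
    35-char suffix kept locally for matching."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; tolerate blank lines and CRLF."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def sample_fetch_range(prefix: str) -> str:
    """Offline stand-in for the HTTP GET (assumed helper); unknown prefix -> empty body."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in breach corpora (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


@dataclass
class ResetDecision:
    force_reset: bool
    reason: str


def nist_reset_decision(password: str, password_age_days: int,
                        fetch_range: Callable[[str], str]) -> ResetDecision:
    """800-63B 5.1.1.2: SHALL force a change on evidence of compromise;
    SHOULD NOT force one merely because the password is old."""
    hits = breach_count(password, fetch_range)
    if hits > 0:
        return ResetDecision(True, f"password found in breach data ({hits} occurrences)")
    return ResetDecision(False, f"no evidence of compromise; age of {password_age_days} days is not a reason")


def periodic_reset_decision(password_age_days: int, max_age_days: int = 180) -> ResetDecision:
    """The six-month rotation policy confirmed later in the thread, for contrast:
    it fires on age alone and never looks at compromise evidence."""
    if password_age_days >= max_age_days:
        return ResetDecision(True, f"password is {password_age_days} days old (limit {max_age_days})")
    return ResetDecision(False, "within rotation window")


if __name__ == "__main__":
    # Constructed inputs: a known-breached password and a long random one.
    for pw in ("password", "q7!Vx2#pLm9$Zr4wTb8&Kd3nYs6@Hg1jFc5"):
        print(pw[:8].ljust(10), "NIST:", nist_reset_decision(pw, 400, sample_fetch_range))
    print("periodic @400d:", periodic_reset_decision(400))
```

The point the decision functions make is that a 400-day-old random password yields `force_reset=False` under the NIST rule and `True` under the rotation rule, while a breached password yields `True` under the NIST rule regardless of age; the two policies disagree exactly in the cases the thread argues about.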
_Val_
Admin

We are not aware of any forced reset. Passwords in UserCenter are valid for one year, AFAIK. Also, make sure you are using 2FA.

Bob_Zimmerman
Authority

I have a couple of accounts, with one coming up on ten years old. I don't think I've ever had to reset its password. Definitely not since 2015. Very odd.

Bob_Zimmerman
Authority

I just got a forced reset again. One of my other accounts passed the decade mark, and it's still using the same password.

I'll see what I can find out from Account Services.

PhoneBoy
Admin

The CheckMates team doesn't have visibility into UserCenter accounts beyond the minimum information required to associate it with a community account.
That includes things like password resets.
Account Services would have to be consulted. 

Bob_Zimmerman
Authority

Just got it again.

[Attachment: Screenshot 2023-11-24 at 08.45.10.png]

Passwords are not milk. They do not expire. The fact this is still behaving this way is ridiculous.

I've talked with Account Services. They had no idea what I was talking about and said they have no control over any password expiration. My other User Center accounts still have never had to reset their passwords.

PhoneBoy
Admin

I'm checking, but I suspect it occurs only with "non-business" emails (Gmail and similar). 

Bob_Zimmerman
Authority

Happened again. Passwords don't expire, and every authority agrees that changes should only be required after a breach, so that must mean the forum is getting breached repeatedly over the span of years.

Or it could mean User Center authentication isn't following the recommendations of every single authority on security, and that this failure to meet minimum standards isn't documented anywhere.

Either possibility ought to be awfully embarrassing.

Lesley
Leader

Gonna buy me a tin foil hat. I was just doing some searching regarding the issue you have and wanted to read an SK, for which I had to log in.

When I wanted to log in: Our records indicate that your password has expired.

the_rock
Legend

I got the same, but assumed it was the time, as I had not had to change it in who knows how long. Not sure, but maybe someone from CP can confirm if this is indeed expected, i.e. happens every 6 months, 1 year?

Andy

PhoneBoy
Admin

We now require all UserCenter/PartnerMap accounts to have their password changed periodically.

the_rock
Legend

Any idea how often? Every 3, 6 months? 1 year? Something else?

PhoneBoy
Admin

6 months.

the_rock
Legend

Thanks for confirming.

Bob_Zimmerman
Authority

The User Center is becoming shockingly bad.

First, password expiration (which, again, every authority agrees should never be done) with no announcement and no warning. No way to turn it off.

Then you have to set up a TOTP token, again with no announcement. No way to turn it off, and you have to set it up right when you're trying to log in to actually do something. Like, say, when you're trying to view an SK to deal with an outage.

Then random CAPTCHAs, again with no announcement. And again, no way to turn off this garbage.

And now business email addresses are rolled into the password expiration, AGAIN with no announcement, and AGAIN with no way to configure it.

Who is in charge of this mess and why are they in charge of anything? You can't just go changing requirements without any notice!

the_rock
Legend

I have not had to reset my password in a few months now, but let's see next time I do if there are any issues. As far as CAPTCHAs go, I have not seen those in almost a year now; maybe just luck, no clue : - )

Andy

PhoneBoy
Admin

I actually posted an announcement of this back in May: https://community.checkpoint.com/t5/General-Topics/UserCenter-PartnerMap-Accounts-to-Require-MFA-5-M...
Granted, this doesn't help folks who didn't see it in CheckMates.
