Forced password reset?

Bob_Zimmerman · ‎2020-10-26

I tried to log in to the forum earlier and was told my password had expired and needed to be reset. I don't think I've ever seen that before. The only sane reason I know of to force users to reset passwords is a suspected breach of an authentication database. NIST SP 800-63B 5.1.1.2: "Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."

I use a randomly-generated password for my User Center account, not shared with anything else, and I don't see it in HaveIBeenPwned, so why the forced reset?

_Val_ · ‎2020-10-29

We are not aware of any forced reset. Passwords in UserCenter have validity for one year, AFAIK. Also, make sure you are using 2FA.

Bob_Zimmerman · ‎2020-11-03

I have a couple of accounts, with one coming up on ten years old. I don't think I've ever had to reset its password. Definitely not since 2015. Very odd.

Bob_Zimmerman · ‎2021-04-27

I just got a forced reset again. One of my other accounts passed the decade mark, and it's still using the same password.

I'll see what I can find out from Account Services.

PhoneBoy · ‎2020-10-29

The CheckMates team doesn't have visibility into UserCenter accounts beyond the minimum information required to associate it with a community account.
That includes things like password resets.
Account Services would have to be consulted.

Bob_Zimmerman · ‎2023-11-24

Just got it again.

Passwords are not milk. They do not expire. The fact this is still behaving this way is ridiculous.

I've talked with Account Services. They had no idea what I was talking about and said they have no control over any password expiration. My other User Center accounts still have never had to reset their passwords.

PhoneBoy · ‎2023-11-27

I'm checking, but I suspect it occurs only with "non-business" emails (Gmail and similar).

Bob_Zimmerman · ‎2024-06-09

Happened again. Passwords don't expire, and every authority agrees that changes should only be required after a breach, so that must mean the forum is getting breached repeatedly over the span of years.

Or it could mean User Center authentication isn't following the recommendations of every single authority on security, and that this failure to meet minimum standards isn't documented anywhere.

Either possibility ought to be awfully embarrassing.

Lesley · ‎2024-06-09

Gonna buy me a tin foil hat. Was just doing some searching regarding the issue you have and wanted to read a SK that I had to login.

When I wanted to login: Our records indicate that your password has expired.

-------
If you like this post please give a thumbs up(kudo)! 🙂

the_rock · ‎2024-06-09

I got the same, but assumed it was the time, as I did not have to change it in how knows how long. Not sure, but maybe someone from CP can confirm if this is indeed expected, ie happens every 6 months, 1 year?

Andy

PhoneBoy · ‎2024-06-10

We now require all UserCenter/PartnerMap accounts to have their password changed periodically.

the_rock · ‎2024-06-10

Any idea how often? Every 3, 6 months? 1 year? Something else?

PhoneBoy · ‎2024-06-10

6 months.

the_rock · ‎2024-06-10

Thanks for confirming.

Bob_Zimmerman · ‎2024-08-29

The User Center is becoming shockingly bad.

First, password expiration (which, again, every authority agrees should never be done) with no announcement and no warning. No way to turn it off.

Then you have to set up a TOTP token, again with no announcement. No way to turn it off, and you have to set it up right when you're trying to log in to actually do something. Like, say, when you're trying to view an SK to deal with an outage.

Then random CAPTCHAs, again with no announcement. And again, no way to turn off this garbage.

And now business email addresses are rolled into the password expiration, AGAIN with no announcement, and AGAIN with no way to configure it.

Who is in charge of this mess and why are they in charge of anything? You can't just go changing requirements without any notice!

the_rock · ‎2024-08-29

I have not had to reset password in few months now, but lets see next time I do, if there are any issues. As far as CAPTCHAs, have not seen those in almost a year now, maybe just luck, no clue : - )

Andy

PhoneBoy · ‎2024-08-29

I actually posted an announcement of this back in May: https://community.checkpoint.com/t5/General-Topics/UserCenter-PartnerMap-Accounts-to-Require-MFA-5-M...
Granted, this doesn't help folks who didn't see it in CheckMates.

Are you a member of CheckMates?

Forced password reset?