Resetting passwords at Regular Intervals

Jason5

Adherent
Joined
Jun 18, 2013
Messages
333
Do you initiate a password reset at regular intervals, or let users keep the same password for as long as they stay on the forum?

What do you think is an ideal time to ask the users to reset their passwords?
 

R0binHood

Habitué
Joined
Nov 23, 2011
Messages
1,490
The UK National Cyber Security Centre currently advises against this.

https://www.ncsc.gov.uk/collection/passwords/updating-your-approach

Don't enforce regular password expiry
Regular password changing harms rather than improves security. Many systems will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user and there are costs associated with recovering accounts.

Forcing password expiry carries no real benefits because:

  • the user is likely to choose new passwords that are only minor variations of the old
  • stolen passwords are generally exploited immediately
  • resetting the password gives you no information about whether a compromise has occurred
  • an attacker with access to the account will probably also receive the request to reset the password
  • if compromised via insecure storage, the attacker will be able to find the new password in the same place
Instead of forcing expiry, you should counter the illicit use of compromised passwords by:

  • ensuring an effective movers/leavers process is in place
  • automatically locking out inactive accounts
  • monitoring logins for suspicious behaviour (such as unusual login times, logins using new devices)
  • encouraging users to report when something is suspicious
You can also mitigate the risk of compromised accounts by using MFA, which will make a compromised password less useful to an attacker. Some MFA methods (such as SMS or email notifications) can even warn the user that they have been compromised, as they will receive a code when they did not request it. If you are using this form of MFA, you should encourage users to report this behaviour through your training.

Note: Users must change their passwords when you know (or suspect) it has been compromised.
 
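The NCSC list above is a policy; the following is an added example (not from the forum, the NCSC, or any forum software) of what that policy looks like in code: password age is never consulted, a change is forced only when an account is flagged as compromised, idle accounts are locked automatically, and login monitoring keys on a long-lived device token and the hour of day rather than the client IP. The account records, the one-year idle threshold and the timeline are constructed for illustration.

```python
"""Event-driven credential policy: no calendar-based expiry, forced change
only on evidence of compromise, automatic lockout of idle accounts, and a
simple new-device / unusual-hour signal.  All data below is constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

INACTIVE_AFTER = timedelta(days=365)   # assumption: lock after a year idle


@dataclass
class Account:
    name: str
    last_login: datetime
    compromised: bool = False          # set by breach evidence, never by age
    locked: bool = False
    known_devices: set = field(default_factory=set)
    usual_hours: set = field(default_factory=set)   # UTC hours seen before


def must_change_password(acct: Account) -> bool:
    """Force a change only when compromise is known or suspected (NCSC note,
    NIST SP 800-63B 5.1.1.2).  Password age is deliberately not consulted."""
    return acct.compromised


def mark_compromised(accounts, names):
    """Called after e.g. a breach of the hashed password store: flag the
    affected accounts so their next login demands a new password."""
    for a in accounts:
        if a.name in names:
            a.compromised = True


def lock_inactive(accounts, now):
    """Automatically lock accounts idle longer than INACTIVE_AFTER."""
    locked = []
    for a in accounts:
        if not a.locked and now - a.last_login > INACTIVE_AFTER:
            a.locked = True
            locked.append(a.name)
    return locked


def assess_login(acct: Account, device_id: str, when: datetime):
    """Return suspicion signals for a login and record the login.  Device
    identity is a long-lived cookie/token, not the client IP, because IPs
    legitimately change for mobile and VPN users."""
    if acct.locked:
        return ["locked"]
    signals = []
    if acct.known_devices and device_id not in acct.known_devices:
        signals.append("new-device")
    if acct.usual_hours and when.hour not in acct.usual_hours:
        signals.append("unusual-hour")
    if must_change_password(acct):
        signals.append("password-change-required")
    acct.known_devices.add(device_id)
    acct.usual_hours.add(when.hour)
    acct.last_login = when
    return signals


def demo():
    """Constructed timeline exercising every rule; returns the results."""
    t0 = datetime(2024, 1, 10, 9, 0, tzinfo=timezone.utc)
    alice = Account("alice", last_login=t0)
    bob = Account("bob", last_login=t0 - timedelta(days=400))   # long idle
    accounts = [alice, bob]
    first = assess_login(alice, "dev-A", t0)            # learns device/hour
    second = assess_login(alice, "dev-B", t0 + timedelta(days=30, hours=14))
    locked = lock_inactive(accounts, t0 + timedelta(days=31))
    mark_compromised(accounts, {"alice"})               # breach evidence
    third = assess_login(alice, "dev-A", t0 + timedelta(days=31))
    ancient = Account("carol", last_login=t0 - timedelta(days=3000))
    return {"first": first, "second": second, "locked": locked,
            "third": third, "age_forces_change": must_change_password(ancient)}


if __name__ == "__main__":
    print(demo())
```

The point of `must_change_password` being a one-liner is that it is the whole expiry policy: the only input is the compromise flag. How you decide a "new device" (cookie, token, WebAuthn credential) matters more than the rule itself, and the unusual-hour signal is intentionally crude.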

R0binHood

Habitué
Joined
Nov 23, 2011
Messages
1,490
The National Institute of Standards and Technology in the US also recommends the same.

https://pages.nist.gov/800-63-FAQ/#q-b5

Q-B5: Is password expiration no longer recommended?

A-B5: SP 800-63B Section 5.1.1.2 paragraph 9 states:

“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations. But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.
 

Jason5

Adherent
Joined
Jun 18, 2013
Messages
333
OMG, I didn't know something like this existed. Thanks for sharing the valuable information.
 

MagicalAzareal

Magical Developer
Joined
Apr 25, 2019
Messages
758
They also use really weak passwords if they know you can see their password. Always hash ;)

monitoring logins for suspicious behaviour (such as unusual login times, logins using new devices)
You might want to make this optional as there are some users who travel a lot.

For IPs, this might change if they're using some sort of VPN, mobile network, etc.
For cookies, someone might be using something like incognito mode for privacy.

The best thing to do is to encourage people to use 2FA. High security contexts may also require alerts, but convenience is a big thing for forums whenever possible.
 
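Two points in this thread fit one worked example: the NIST answer quoted earlier about users applying "common transformations such as increasing a number in the password", and the "Always hash" advice just above. The following is an added example, not the forum's own code and not from any forum software: passwords are stored only as salted scrypt hashes, and when an event-driven reset is demanded the replacement is rejected if it is a trivial variant of the old one. Since only the old hash is kept, the check works backwards: it hashes the strings the old password would have been if the user had bumped a trailing number, added a character or flipped case, and compares each against the stored hash. The transformation list, the scrypt parameters and the sample passwords are assumptions for illustration.

```python
"""Salted scrypt storage plus rejection of trivial variants of the old
password at a compromise-driven reset.  Added example; all sample passwords
and parameters are constructed."""
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

# scrypt cost parameters are an assumption; tune for your hardware.
N, R, P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest).  Only this pair is ever stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=N, r=R, p=P, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)   # constant-time compare


def plausible_predecessors(new_pw: str):
    """Strings the old password might have been if the user derived new_pw
    from it by a common transformation (illustrative list, not exhaustive)."""
    cands = [new_pw]
    m = re.search(r"(\d+)$", new_pw)
    if m:                                   # Summer2024 <- Summer2023/2022
        stem, num = new_pw[:m.start()], m.group(1)
        for delta in (1, 2):
            if int(num) - delta >= 0:
                cands.append(stem + str(int(num) - delta).zfill(len(num)))
        cands.append(stem)                  # Summer2024 <- Summer
    if len(new_pw) > 1:
        cands += [new_pw[:-1], new_pw[1:]]  # Summer! <- Summer, !Summer <- Summer
    cands += [new_pw.lower(), new_pw.upper(), new_pw.capitalize(), new_pw.swapcase()]
    return list(dict.fromkeys(c for c in cands if c))   # dedupe, drop empty


def accept_replacement(new_pw: str, old_salt: bytes, old_digest: bytes,
                       min_len: int = 8) -> Tuple[bool, str]:
    """Decide whether new_pw may replace the password whose hash we hold."""
    if len(new_pw) < min_len:
        return False, "too-short"
    for cand in plausible_predecessors(new_pw):
        if verify_password(cand, old_salt, old_digest):
            return False, "variant-of-old"
    return True, "ok"


def demo():
    """Constructed old password 'Summer2023' and a few replacement attempts."""
    salt, digest = hash_password("Summer2023")
    results = {}
    for pw in ("Summer2024", "summer2023", "Summer2023!", "Tq9#vLp2-river-ox"):
        results[pw] = accept_replacement(pw, salt, digest)[1]
    results["verify_old"] = verify_password("Summer2023", salt, digest)
    results["verify_wrong"] = verify_password("Summer2022", salt, digest)
    return results


if __name__ == "__main__":
    print(demo())
```

Each candidate costs one scrypt evaluation, so keep the transformation list short and run the check only at the rare, event-driven reset; it cannot catch a variant of a password from years back unless you also keep a bounded history of old hashes. Nothing here ever stores or logs the plaintext, which is the precondition for users not choosing weak passwords because "you can see them".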

zappaDPJ

Administrator
Joined
Aug 26, 2010
Messages
7,507
The only time enforced password changes have any real value is after a site has been compromised and the vulnerability removed.
 

Jason5

Adherent
Joined
Jun 18, 2013
Messages
333
Can we enforce a password reset when we restore a database or a new script is used?
 

zappaDPJ

Administrator
Joined
Aug 26, 2010
Messages
7,507
Can we enforce a password reset when we restore a database or a new script is used?

In some cases, migration to a new script will cause that to happen anyway, with the likely result being the loss of a lot of members.
 