Resetting passwords at Regular Intervals

[Jason5]

Do you initiate a password reset at regular intervals or make the users use the same password as long as they stay in the forum.

What do you think is an ideal time to ask the users to reset their passwords?

 

[R0binHood]

The UK National Cyber Security Center currently advises against this.

https://www.ncsc.gov.uk/collection/passwords/updating-your-approach

Don't enforce regular password expiry
Regular password changing harms rather than improves security. Many systems will force users to change their password at regular intervals, typically every 30, 60 or 90 days. This imposes burdens on the user and there are costs associated with recovering accounts.

Forcing password expiry carries no real benefits because:

• the user is likely to choose new passwords that are only minor variations of the old
• stolen passwords are generally exploited immediately
• resetting the password gives you no information about whether a compromise has occurred
• an attacker with access to the account will probably also receive the request to reset the password
• if compromised via insecure storage, the attacker will be able to find the new password in the same place

Instead of forcing expiry, you should counter the illicit use of compromised passwords by:

• ensuring an effective movers/leavers process is in place
• automatically locking out inactive accounts
• monitoring logins for suspicious behaviour (such as unusual login times, logins using new devices)
• encouraging users to report when something is suspicious

You can also mitigate the risk of compromised accounts by using MFA, which will make a compromised password less useful to an attacker. Some MFA methods (such as SMS or email notifications) can even warn the user that they have been compromised, as they will receive a code when they did not request it. If you are using this form of MFA, you should encourage users to report this behaviour through your training.

Note: Users must change their passwords when you know (or suspect) it has been compromised.

 

[R0binHood]

The National Institute of Standard and Technology in the US also recommends the same.

https://pages.nist.gov/800-63-FAQ/#q-b5

Q-B5: Is password expiration no longer recommended?

A-B5: SP 800-63B Section 5.1.1.2 paragraph 9 states:

“Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations. But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.

 

[Jason5]

Omg i didn't know something like this exists. Thanks for sharing the valuable information.

 

[MagicalAzareal]

They also use really weak passwords if they know you can see their password. Always hash

monitoring logins for suspicious behaviour (such as unusual login times, logins using new devices)

You might want to make this optional as there are some users who travel a lot.

For IPs, this might change if they're using some sort of VPN, mobile network, etc.
For cookies, someone might be using something like incognito mode for privacy.

The best thing to do is to encourage people to use 2FA. High security contexts may also require alerts, but convienience is a big thing for forums whenever possible.

 

[zappaDPJ]

The only time enforced password changes have any real value is after a site has been compromised and the vulnerability removed.

 

[Jason5]

We can enforce password reset when we restore a database or a new script used?

 

[zappaDPJ]

We can enforce password reset when we restore a database or a new script used?

In some cases migration to a new script will cause that to happen anyway with the likely result, the loss of a lot of members.