Comment by asveikau
2 days ago
Sometimes when I log into a random website and I see a forced password reset, I wonder if it has been compromised, rather than setting a time-based expiry.
If a site owner knows that certain accounts are part of a database breach or something, a reasonable step would be to force the users to change the password at next login.
Another common reason to do a force password reset is if they've moved authentication providers and were not able to bring their hashes along. Some providers don't allow for hash export (Cognito, Entra).
Or just if they changed to a more secure hash algorithm themselves and want to upgrade users still on the older insecure one.
This can be done at login time without the user noticing, as you have the plaintext password for a moment.
They could do that by comparing against the old hash and if it matches generate the new hash to store somewhere.
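The login-time upgrade described in the last few comments (verify against the old hash, and if it matches, rehash the plaintext you briefly hold with the stronger scheme and store that), as an added example that is not code from any commenter above. It assumes a hypothetical "scheme$params$hex" storage format and uses unsalted SHA-256 as the legacy scheme and PBKDF2-HMAC-SHA256 as the replacement; only the standard library is used.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Hypothetical storage format (chosen for this example): "<scheme>$<params>$<salt>$<hex>".
LEGACY_SCHEME = "sha256"          # the insecure scheme being retired: unsalted, single round
MODERN_SCHEME = "pbkdf2_sha256"   # the replacement scheme
PBKDF2_ITERATIONS = 600_000       # current target work factor; raising it also triggers a rehash


def legacy_hash(password: str) -> str:
    # Produces a record in the old format; only used to seed the constructed user store.
    return f"{LEGACY_SCHEME}$$$" + hashlib.sha256(password.encode()).hexdigest()


def modern_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    # Salted, slow hash. A fresh random salt is drawn per record.
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{MODERN_SCHEME}${iterations}${salt.hex()}${dk.hex()}"


def verify(stored: str, password: str) -> bool:
    # Dispatch on the scheme tag so both old and new records can be checked.
    scheme, params, salt_hex, digest_hex = stored.split("$")
    if scheme == LEGACY_SCHEME:
        actual = hashlib.sha256(password.encode()).hexdigest()
    elif scheme == MODERN_SCHEME:
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(params))
        actual = dk.hex()
    else:
        raise ValueError(f"unknown password scheme {scheme!r}")
    # Constant-time comparison to avoid leaking how many leading bytes matched.
    return hmac.compare_digest(actual, digest_hex)


def needs_rehash(stored: str) -> bool:
    # True for any record not on the modern scheme, or below the current work factor.
    scheme, params, _, _ = stored.split("$")
    return scheme != MODERN_SCHEME or int(params) < PBKDF2_ITERATIONS


def login(users: dict, username: str, password: str) -> Tuple[bool, bool]:
    """Authenticate and transparently upgrade. Returns (authenticated, upgraded)."""
    stored = users.get(username)
    if stored is None:
        # Do comparable work for unknown users so response time does not reveal
        # whether an account exists.
        modern_hash(password)
        return False, False
    if not verify(stored, password):
        return False, False
    if needs_rehash(stored):
        # This is the only moment the plaintext is available: replace the old
        # record with a modern one before it is discarded.
        users[username] = modern_hash(password)
        return True, True
    return True, False


# Constructed sample user store: alice is still on the legacy hash, bob already upgraded.
USERS = {
    "alice": legacy_hash("correct horse battery staple"),
    "bob": modern_hash("hunter2"),
}

if __name__ == "__main__":
    store = dict(USERS)
    print(login(store, "alice", "correct horse battery staple"))  # first login upgrades
    print(store["alice"].split("$")[0])                            # now pbkdf2_sha256
    print(login(store, "alice", "correct horse battery staple"))  # already upgraded
```

A wrong password never triggers a rehash, because the old record is only replaced after it verifies; users who never log in again stay on the legacy hash, which is the case where a forced reset (as in the earlier comments) is still needed.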