
Should a forced password reset be standard after a data breach?

Yahoo reportedly rejected a forced password reset after numerous data breaches compromised user data. Expert Mike O. Villegas discusses whether this should be a standard practice.

The New York Times reported that the infosec team at Yahoo wanted the company to force a password reset for all email accounts in the event of a major breach, but C-level management said no. Should a forced password reset be a standard practice for companies that have experienced a data breach? Are there any drawbacks to this practice?

In December 2016, Yahoo disclosed it had identified a breach from August 2013 that involved over one billion Yahoo user accounts. Previously, in September 2016, Yahoo revealed that at least 500 million user accounts were stolen in 2014. The stolen information included names, email addresses, phone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. The users whose information was compromised received a notification to change their passwords.

When the Yahoo information security team asked executive management to issue a forced password reset on all user accounts, the executives turned the request down, reasoning that a mandatory password change would drive Yahoo's shrinking base of email users to other services, according to The New York Times. In practice, affected users were notified and asked to change their passwords, so many of them ended up resetting them anyway.

Most practitioners would agree that a forced password reset is the minimum control once credential data is known to have been stolen: password hashes can be attacked offline at the attacker's leisure, and stolen security questions and answers can be used to take over an account without the password at all. To be effective, the reset should also invalidate existing sessions and tokens; otherwise an attacker who already holds a valid session keeps access regardless of the new password. Yahoo and other large service providers also offer two-step verification and multifactor authentication to protect access to accounts, which limits what a cracked password alone is worth.
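The flow described above, as an added example that is not Yahoo's code or code from the original article. It implements a breach-response forced reset against an in-memory user table: every account is flagged, every live session is revoked, a single-use reset token is issued, login is refused until the reset is completed, re-use of the compromised password is rejected, and the new password is stored with the current hashing cost. The store layout, function names, token lifetime and the sample accounts are assumptions made for illustration; PBKDF2 stands in for bcrypt or Argon2 only so that the example needs nothing outside the standard library.

```python
"""Forced password reset after a credential breach (illustrative, standard library only)."""
import hashlib
import hmac
import secrets
import time

PBKDF2_ITERATIONS = 100_000   # assumed current cost policy; legacy rows may be weaker
RESET_TOKEN_TTL = 24 * 3600   # assumed lifetime of a reset link, in seconds


def hash_password(password, salt, iterations):
    """Salted PBKDF2-HMAC-SHA256. Production code would use bcrypt or Argon2."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_user(password, iterations=PBKDF2_ITERATIONS):
    """One account row: hash material plus the state the reset flow needs."""
    salt = secrets.token_bytes(16)
    return {
        "salt": salt,
        "iterations": iterations,
        "hash": hash_password(password, salt, iterations),
        "must_reset": False,   # set during breach response; blocks login until cleared
        "sessions": set(),     # identifiers of live sessions (cookies, API tokens)
        "reset_token": None,   # (token, expiry) while a reset is pending
    }


def verify_password(user, password):
    candidate = hash_password(password, user["salt"], user["iterations"])
    return hmac.compare_digest(candidate, user["hash"])


def force_reset_all(store, now=None):
    """Breach response: flag every account, revoke every session, issue reset tokens.
    Returns {username: token}; a real system emails the tokens instead of returning them."""
    now = time.time() if now is None else now
    tokens = {}
    for name, user in store.items():
        user["must_reset"] = True
        user["sessions"].clear()   # without this, a stolen session cookie survives the reset
        token = secrets.token_urlsafe(32)
        user["reset_token"] = (token, now + RESET_TOKEN_TTL)
        tokens[name] = token
    return tokens


def login(store, name, password):
    """Returns 'ok', 'reset_required' or 'denied'.
    The must_reset check runs before password verification so the login form does not
    become an online oracle for the leaked hashes."""
    user = store.get(name)
    if user is None:
        return "denied"
    if user["must_reset"]:
        return "reset_required"
    if not verify_password(user, password):
        return "denied"
    user["sessions"].add(secrets.token_urlsafe(16))
    return "ok"


def complete_reset(store, name, token, new_password, now=None):
    """Consume a reset token and install a new password. Returns True on success."""
    now = time.time() if now is None else now
    user = store.get(name)
    if user is None or user["reset_token"] is None:
        return False
    expected, expiry = user["reset_token"]
    if now > expiry or not hmac.compare_digest(expected.encode(), token.encode()):
        return False
    if verify_password(user, new_password):
        return False   # refuse to keep the compromised password
    user["salt"] = secrets.token_bytes(16)
    user["iterations"] = PBKDF2_ITERATIONS   # legacy rows are upgraded to current cost
    user["hash"] = hash_password(new_password, user["salt"], user["iterations"])
    user["reset_token"] = None   # single use
    user["must_reset"] = False
    user["sessions"].clear()     # anything opened before the reset is gone too
    return True


# Constructed sample data: two accounts, one stored with a legacy (cheaper) hash cost.
STORE = {
    "alice": make_user("correct horse battery staple"),
    "bob": make_user("hunter2", iterations=1000),
}
STORE["alice"]["sessions"].add("session-cookie-issued-before-the-breach")

if __name__ == "__main__":
    issued = force_reset_all(STORE)
    print("accounts flagged:", len(issued))
    print("alice login with old password:", login(STORE, "alice", "correct horse battery staple"))
    print("alice reuse old password:", complete_reset(STORE, "alice", issued["alice"], "correct horse battery staple"))
    print("alice new password:", complete_reset(STORE, "alice", issued["alice"], "a fresh passphrase"))
    print("alice login with new password:", login(STORE, "alice", "a fresh passphrase"))
```

The two details that distinguish this from a plain "please change your password" notice are the session revocation in force_reset_all and the must_reset gate in login: together they guarantee that neither the leaked hash nor a previously captured cookie opens the account while the reset is outstanding.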

The drawback to a forced password reset is friction: users who do not care enough to choose a new password resent being made to, and some will leave for another service. That is their choice to make, but the company should bite the bullet and issue the reset anyway. It is better to do what is prudent than to leave the majority of users exposed in order to placate a few.

Ask the expert:
Have questions about enterprise security? Send them via email today. (All questions are anonymous.)

Next Steps

Learn about minted authentication cookies as they relate to the Yahoo breaches

Discover more about the indictment of the Yahoo hackers

Check out how the Yahoo breaches highlighted the role of executive management in security

This was last published in April 2017
