The New York Times reported that the infosec team at Yahoo wanted the company to force a password reset for all email accounts in the event of a major breach, but C-level management said no. Should a forced password reset be a standard practice for companies that have experienced a data breach? Are there any drawbacks to this practice?
In December 2016, Yahoo disclosed it had identified a breach from August 2013 that involved over one billion Yahoo user accounts. Previously, in September 2016, Yahoo revealed that at least 500 million user accounts were stolen in 2014. The stolen information included names, email addresses, phone numbers, dates of birth, hashed passwords and, in some cases, encrypted or unencrypted security questions and answers. The users whose information was compromised received a notification to change their passwords.
When the Yahoo information security team requested that executive management issue a forced password reset on all user accounts, Yahoo's executive management team turned the request down, stating that a forced password change would drive Yahoo's shrinking email users to other services, according to The New York Times. However, many Yahoo users were forced to change their passwords anyway.
The majority of those in the cybersecurity field would likely agree that, at a minimum, a forced password reset is a basic control after a data breach. Yahoo and other service providers also have two-step verification and multifactor authentication controls in place to secure users' access to their accounts.
The drawback to a forced password reset is that the extra steps required for a more secure account logon will put off users who do not care enough to change their passwords. That is their right, but companies should bite the bullet and issue a forced password reset anyway. It is better to do what is prudent than to leave the majority of users exposed just to placate the few.
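To make the control concrete, here is an added example (not from the column, and not Yahoo's code) of what a forced password reset looks like on the service side, using a hypothetical in-memory account store: every account is flagged, every live session is revoked, a correct-but-compromised password no longer yields a session, and the reset rejects reusing the old password. Account names, the PBKDF2 parameters and the status strings are constructed for the example.

```python
import hashlib
import os
import secrets
from dataclasses import dataclass, field

# Constructed example: a hypothetical account store, not any real provider's code.

PBKDF2_ITERATIONS = 100_000  # illustrative work factor


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; stored hashes never reveal the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Account:
    email: str
    salt: bytes
    pw_hash: bytes
    must_reset: bool = False                       # set during breach response
    sessions: set = field(default_factory=set)     # live session tokens


class AccountStore:
    def __init__(self):
        self.accounts = {}  # email -> Account

    def create(self, email: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[email] = Account(email, salt, hash_password(password, salt))

    def _password_matches(self, acct: Account, password: str) -> bool:
        # Constant-time comparison of the derived hash against the stored one.
        return secrets.compare_digest(acct.pw_hash, hash_password(password, acct.salt))

    def login(self, email: str, password: str):
        """Returns (status, session_token). No session is issued while a reset is pending."""
        acct = self.accounts.get(email)
        if acct is None or not self._password_matches(acct, password):
            return "denied", None
        if acct.must_reset:
            # The password is correct but presumed exposed by the breach:
            # the user must choose a new one before regaining access.
            return "reset_required", None
        token = secrets.token_urlsafe(32)
        acct.sessions.add(token)
        return "ok", token

    def force_reset_all(self) -> int:
        """Breach response: flag every account and revoke every active session.

        Revoking sessions matters because stolen cookies or tokens would otherwise
        keep working even after the password is changed."""
        for acct in self.accounts.values():
            acct.must_reset = True
            acct.sessions.clear()
        return len(self.accounts)

    def complete_reset(self, email: str, old_password: str, new_password: str) -> str:
        """Finish a forced reset; the new password must differ from the exposed one."""
        acct = self.accounts.get(email)
        if acct is None or not self._password_matches(acct, old_password):
            return "denied"
        if self._password_matches(acct, new_password):
            return "reuse_rejected"
        acct.salt = os.urandom(16)  # fresh salt so the new hash shares nothing with the old
        acct.pw_hash = hash_password(new_password, acct.salt)
        acct.must_reset = False
        return "ok"

    def session_valid(self, email: str, token: str) -> bool:
        acct = self.accounts.get(email)
        return acct is not None and token in acct.sessions


if __name__ == "__main__":
    store = AccountStore()
    store.create("user@example.invalid", "old-password")   # constructed sample account
    print(store.login("user@example.invalid", "old-password")[0])          # ok
    print("accounts flagged:", store.force_reset_all())
    print(store.login("user@example.invalid", "old-password")[0])          # reset_required
    print(store.complete_reset("user@example.invalid", "old-password", "old-password"))  # reuse_rejected
```

The point the example makes that the column only implies: a forced reset is not just a notification. It has to refuse logons with the exposed credential, invalidate existing sessions, and prevent users from "resetting" to the same password, or the control does little against an attacker who already holds the stolen data.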