Do not change passwords after a breach. Get rid of passwords.

You should not ask your users to change passwords after a breach. Here's why

Written by
Calvin Hoenes

June 4, 2020


Most data breaches are caused by human error, a vulnerability in a system, malware, or identity theft (stolen credentials).

A breach has a financial and reputational effect on the organisation, but it is the end users who are left with the lasting consequences: synthetic identity fraud, account takeover, spear-phishing, loss of privacy, financial loss and more.


According to Gemalto's Breach Level Index, identity theft is still the number one cause of data breaches.

Breaches like those at the United Nations, FedEx, Ai.type … and so many others were caused by human error: misconfigured or unprotected data storage and web servers. There was no weakness in the underlying systems and no security measure was defeated; these breaches result from placing no access restriction on the system at all, with no password or other credential required to reach the data. In breaches of this type the system was simply left open to anyone who cared to look.

Breaches such as those at Equifax, T-Mobile ... and others were caused by vulnerabilities in the organisation's systems: unpatched but already known security issues, zero-day exploits, bugs in software or APIs, or a lack of adequate security controls.

The type of breach that affected British Airways, Ticketfly and Ticketmaster, where malicious code was injected into their applications, can be classified as a malware attack.

Others, which involve using stolen credentials to gain unauthorised access to a system, as in the case of Reddit, Timehop, Macy's, Yahoo, PEXA and others, are regarded as identity theft. These may result from weak or insecure credentials, phishing, spear-phishing, credential stuffing, insider threats, etc.

In all of these breaches, PII such as email addresses, phone numbers, credit card data, medical history and postal addresses is the number one target of attackers. When an employee account is breached, it is the end users who bear most of the consequences. A single breach that is never the fault of the end user can lead to that user's identity being stolen for good. For example, the theft in 2015 of the fingerprint records of 5.6 million US federal employees means that those affected are at risk whenever they rely on their fingerprint as a biometric, because a fingerprint cannot be changed. The same goes for stolen medical records: users can change their passwords or move to stronger authentication methods, but stolen medical records can never be changed; they belong to that individual for a lifetime.

The first security measure taken by most organisations after a breach is to force, or at least ask, users to change their passwords (credentials).

Why are users advised to change their password after a breach?

Some organisations do it as a precautionary measure, others because the login credentials were not secured properly. Even if only hashes of the compromised credentials were accessed by an unauthorised party, there is no certainty that the hash function won't be broken in the near future, and a fast or unsalted hash can already be cracked offline today with a wordlist. The same applies where the stolen credentials were encrypted: the encryption key is sitting somewhere, and if that key gets into unauthorised hands all of the hidden credentials are revealed.

One of the main reasons users are asked to change their password after a breach is to prevent cross-referencing with data stolen from other breaches in order to guess or reset the user's account credentials. For example, the Equifax, Yahoo and Under Armour breaches revealed billions of user email addresses and, in some cases, passwords. If an email address revealed in one breach is also used by the same person on another breached site, and the attacker obtained that email's password from the earlier breach, the same password can be used to access the account on the second site if the user reused it. Worse, an attacker who already controls the email account can use it to reset the user's password on every other site registered to that address. For this reason most companies advise users to change their passwords after a breach even when the passwords themselves were not compromised.

"They're mainly damaging in connection with other data. For instance, the hackers could put 2 and 2 together by cross-referencing this list of 92 million with a list of emails whose corresponding passwords were known via some other breach. That's why it's good to use a password manager and have unique passwords for every site."

Another reason is the possibility of the encryption or hashing algorithm being broken; in some cases organisations still protect passwords with weak hash functions such as MD5 and SHA-1, which are fast and were never designed for password storage.
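The cross-referencing attack described above, and the reason a fast unsalted hash makes it cheap, as an added example that is not part of the original post. The two breach dumps, the wordlist and the email addresses are constructed for illustration; a real attacker would use a dump of millions of rows and a dictionary of billions of candidates. Because the first site stored unsalted MD5, one hash table built from the wordlist cracks every user at once; the recovered passwords are then paired with the email-only list from the second breach to produce a credential-stuffing list.

```go
package main

import (
	"crypto/md5"
	"encoding/hex"
	"fmt"
	"sort"
)

// md5hex returns the hex digest of s, the storage format the first site (wrongly) used.
func md5hex(s string) string {
	sum := md5.Sum([]byte(s))
	return hex.EncodeToString(sum[:])
}

// Constructed sample data, not real breach records.
// siteADump: email -> unsalted MD5 of the password, as leaked from a first site.
var siteADump = map[string]string{
	"alice@example.com": md5hex("Summer2019!"),
	"bob@example.com":   md5hex("correcthorse"),
	"carol@example.com": md5hex("zx9!Qp#22mK"), // not in the wordlist, stays uncracked
}

// siteBEmails: an email-only dump from a second breach (like the 92 million list quoted above).
var siteBEmails = []string{"alice@example.com", "carol@example.com", "dave@example.com"}

// wordlist: a tiny stand-in for a real cracking dictionary.
var wordlist = []string{"password", "Summer2019!", "123456", "correcthorse", "letmein"}

// CrackUnsaltedMD5 hashes each candidate once and looks every leaked hash up in the
// resulting table. With no per-user salt, the same table serves for every account,
// so the cost of cracking N users is the cost of cracking one.
func CrackUnsaltedMD5(dump map[string]string, words []string) map[string]string {
	table := make(map[string]string, len(words))
	for _, w := range words {
		table[md5hex(w)] = w
	}
	cracked := make(map[string]string)
	for email, h := range dump {
		if pw, ok := table[h]; ok {
			cracked[email] = pw
		}
	}
	return cracked
}

// Credential is one email/password pair an attacker would try on the second site.
type Credential struct{ Email, Password string }

// CrossReference pairs recovered passwords with emails seen in another breach,
// betting on password reuse. The result is the attacker's stuffing list for site B.
func CrossReference(cracked map[string]string, otherEmails []string) []Credential {
	var out []Credential
	for _, e := range otherEmails {
		if pw, ok := cracked[e]; ok {
			out = append(out, Credential{e, pw})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Email < out[j].Email })
	return out
}

func main() {
	cracked := CrackUnsaltedMD5(siteADump, wordlist)
	fmt.Printf("cracked %d of %d site A accounts\n", len(cracked), len(siteADump))
	for _, c := range CrossReference(cracked, siteBEmails) {
		fmt.Printf("try %s / %s against site B\n", c.Email, c.Password)
	}
}
```

Carol's password was never cracked, yet her email alone is still useful to the attacker: it tells them she has an account on site B to target with a reset flow. A per-user salt and a slow password hash would force the attacker to rebuild the table for every account, which is why the "weak hash" case above is so much worse than the salted one.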

Changing the password doesn't really solve the problem. The real problem is the password itself!

Passwords are hard to remember, password reuse cannot be prevented, a password can be phished or guessed, and the reset mechanism is itself a weak point.

Most organisations use an email address or phone number as the factor that proves ownership of an account during a password change or reset. The organisation cannot control how that email address or phone number is secured. Bothering the user to change the password therefore achieves little: if the new password is the same one reused for the email account, or the email account is not protected with MFA, the situation is no better than leaving the breached password in place, because the attacker may already control the mailbox. This was the case in the PEXA breach, where an attacker compromised an employee's email account, intercepted the password reset link, changed the account password and stole up to $250,000 from the settlement of a family property in Australia. The same weakness affects organisations that use SMS codes as a reset method and/or as a second factor. This was the cause of the August 2018 Reddit breach, where an attacker intercepted SMS second-factor codes to gain unauthorised access to Reddit's cloud services.

The security of a user account is only as strong as the security of the email address, phone number or any other channel that can be used to reset its credentials.

Security breaches will happen; it is just a matter of when and how. So why don't organisations adopt a more resilient approach from the start, rather than changing passwords after a breach?

For example, if an organisation uses an authentication solution in which no user authentication secret is stored on the server, in either hashed or encrypted form, then there is no reason to ask users to change passwords after a breach, and the organisation no longer has to manage passwords at all. According to NIST, "authentication protocols that do not require the verifier to persistently store secrets that could be used for authentication are considered stronger".

Passwordless authentication solutions that store no user authentication secret, whether hashed, encrypted or in plain form, are far more secure and are verifier-compromise resistant, compared with solutions that authenticate a user with passwords, SMS codes or OTPs (an OTP seed, like a password, is a shared secret the verifier has to keep).
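What "the verifier stores nothing usable for authentication" looks like in practice, as an added example that is not part of the original post and not a description of AuthN's own protocol: a generic public-key challenge-response with Ed25519. The user's device holds the private key; the server record for a user is only the public key. Copying the server's table therefore gives an attacker nothing to log in with, and because each challenge is a fresh nonce consumed on first use, a captured response cannot be replayed either. The user name and the attack functions are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Verifier is the server side. The only per-user record is a public key, so a
// dump of this table is not a credential dump.
type Verifier struct {
	users   map[string]ed25519.PublicKey
	pending map[string][]byte // outstanding challenge per user, deleted once answered
}

func NewVerifier() *Verifier {
	return &Verifier{users: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register stores the user's public key; no secret ever reaches the server.
func (v *Verifier) Register(user string, pub ed25519.PublicKey) { v.users[user] = pub }

// Challenge issues a fresh 32-byte random nonce that can be answered exactly once.
func (v *Verifier) Challenge(user string) ([]byte, error) {
	if _, ok := v.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	v.pending[user] = c
	return c, nil
}

// Verify checks the signature over the outstanding challenge and consumes the
// challenge whether or not the check passes, so an old signature cannot be replayed.
func (v *Verifier) Verify(user string, sig []byte) bool {
	pub, ok := v.users[user]
	c, pendingOK := v.pending[user]
	if !ok || !pendingOK {
		return false
	}
	delete(v.pending, user)
	return ed25519.Verify(pub, c, sig)
}

// Authenticator is the user's device; the private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

func NewAuthenticator() (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, pub, nil
}

// Answer signs the server's nonce with the device-held private key.
func (a *Authenticator) Answer(challenge []byte) []byte { return ed25519.Sign(a.priv, challenge) }

// Login runs the full exchange for one user and reports whether the verifier accepted it.
func Login(v *Verifier, user string, a *Authenticator) (bool, error) {
	c, err := v.Challenge(user)
	if err != nil {
		return false, err
	}
	return v.Verify(user, a.Answer(c)), nil
}

// StolenDBAttack models an attacker holding a copy of the verifier's table. With only
// the public key, the best they can do is submit a guessed signature, which fails.
func StolenDBAttack(v *Verifier, user string) bool {
	if _, err := v.Challenge(user); err != nil {
		return false
	}
	forged := make([]byte, ed25519.SignatureSize)
	rand.Read(forged)
	return v.Verify(user, forged)
}

// ReplayAttack models an attacker who captured a genuine response on the wire and
// submits it again after the server has issued a new challenge.
func ReplayAttack(v *Verifier, user string, a *Authenticator) bool {
	c, err := v.Challenge(user)
	if err != nil {
		return false
	}
	sig := a.Answer(c)
	v.Verify(user, sig) // the genuine login consumes this challenge
	if _, err := v.Challenge(user); err != nil {
		return false
	}
	return v.Verify(user, sig) // old signature does not cover the new nonce
}

func main() {
	v := NewVerifier()
	a, pub, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	v.Register("alice", pub)
	ok, _ := Login(v, "alice", a)
	fmt.Println("legitimate login:", ok)
	fmt.Println("login with only the leaked public key:", StolenDBAttack(v, "alice"))
	fmt.Println("replayed signature:", ReplayAttack(v, "alice", a))
}
```

The caveat is that the risk has moved rather than vanished: the private key on the user's device is now the asset to protect, and a plain challenge-response like this one is still susceptible to a phishing relay unless the signed message also binds the origin, which is what FIDO2/WebAuthn adds on top of this pattern.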
