Posted By Cody on 12 Nov 2019 10:38 PM
I think this can be configured your probably the first to have this happen.
2FA I am looking into hoping I can make some kind of PR efforts on this however looking at FIDO2 maybe this is a better solution. Anyone have any thoughts on this?
No, Stefan is not the first to experience this problem.
Forcing a password change is a dumb idea, in my opinion. Are we to be treated as if we do not know what we are doing? What makes you think that forcing a change of password is more secure than keeping an existing STRONG password? Surely it must be as easy for a hacker to crack the second or subsequent password as it is the first.
I do understand that if someone's device is compromised, and their password to this site is stolen, the "hacker" could then access this site with the stolen credentials. What benefit would that be; post a few messages before being blocked?
We want people posting here, not getting p1$$ed of because they can't login due to a forced password change and then, as in my case, not getting the password reset email. I am lucky in that I knowsomeone who could reset my password for me ;)