Hacker News

What's the threat scenario where forcing a password reset increases security? I'm genuinely curious, because I feel it's often the case that password expirations might introduce more threats than they mitigate.


> What's the threat scenario where forcing a password reset increases security? I'm genuinely curious, because I feel it's often the case that password expirations might introduce more threats than they mitigate.

Not every reset is due to expiration... e.g. if you know a user reused a password from a different service that got hacked on your service, you should probably make them reset it...


When you know that account / those credentials have already been compromised.



