[Urgo]

While it's probably not a horrible idea to do something like this I don't think any or at least many does this currently? It wasn't a 23andme database that the attacker used, it was just some other random site/sites. So every time any website is hacked should every other website invalidate the credentials of those users on their site too?

[chii]

It is a lot of hassle, and the user isn't really protected because the invalidation relies on public releases of email/password combinations; there's obviously going to be plenty of private releases, which means it's actually just security theatre.

2FA, or passwordless logins, are the solution. Forcing the user to change their password (at the most inconvenient of times - right after they logged in, but before they're able to use the site) is annoying at best, and does nothing at worst.

[eviks]

How is it a theater to save a lot of users, but not all?

[chii]

a theatre is where you have the feeling of security, but you don't really have it in reality.

You cannot claim that just because some users are 'saved' as evidence that this is an effective security measure, because if a password was leaked, and not discovered, then this measure doesn't prevent it. But it is imposing a cost, which cannot be measured against effectiveness.

Change the whole process to 2FA is secure because there's provable guarantees for the costs imposed, and therefore, you can make an objective decision on whether it is worth implementing.

[eviks]

But you do have security, this measure saves actual people in actual reality

> You cannot claim that just because some users are 'saved' as evidence that this is an effective security measure

Why not? Saving people from insecurities is almost by definition a measure of effectiveness

> you can make an objective decision on whether it is worth implementing.

You can't since the value factors in your "provable guarantees" and costs involved are subjective and also depend on the users' characteristics

[chii]

> this measure saves actual people in actual reality

no it doesn't. The claim is that by removing publicly leaked passwords, the user is prevented from having their logins stolen. But you didnt know if that password was going to be used for stealing - it's an assumption. You also dont know if private leaks are already being used, and is undetected.

It's the same type pf claim that the TSA (transport security authority) is saving people from terrorism.

[eviks]

> But you didnt know if that password was going to be used for stealing - it's an assumption

But you do know for a fact that these leaked passwords are used for stealing, so forcing a password change would prevent that, ergo, save some users from having their data stolen. Private leaks have no impact on this