by asveikau 369 days ago
Sometimes when I log into a random website and I see a forced password reset, I wonder if it has been compromised, rather than setting a time-based expiry.

If a site owner knows that certain accounts are part of a database breach or something, a reasonable step would be to force the users to change the password at next login.


Another common reason to do a forced password reset is if they've moved authentication providers and were not able to bring their hashes along. Some providers don't allow for hash export (Cognito, Entra).
Or just if they changed to a more secure hash algorithm themselves and want to upgrade users still on the older insecure one.
This can be done at login time without the user noticing, as you have the plaintext password for a moment.
Yeah, this is the best practice. We offer that in our product.

But it's possible that you could follow the best practice and still force a reset. This could be because:

* the customer or provider doesn't want to wait for everyone to log in

* they've waited for N months and now there is a block of users who have not logged in yet and they think it is worth the user annoyance to just force them all to reset their password

They could do that by comparing against the old hash and if it matches generate the new hash to store somewhere.
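The login-time hash upgrade described in the comments above (verify against the old hash, and if it matches, immediately rehash the plaintext with the stronger scheme) is a small, self-contained routine. The following is an added example, not code from any commenter or from any product mentioned in the thread. It assumes a constructed legacy store using unsalted SHA-256 hex digests and upgrades matching accounts to salted scrypt; it also goes one step beyond the thread by listing the accounts still on the legacy scheme after N months, which is exactly the block of users a site would have to decide whether to force-reset.

```python
import base64
import hashlib
import hmac
import os

# Assumption: the legacy scheme is unsalted SHA-256 hex (a common "insecure" legacy
# choice); the real legacy scheme at any given site will differ.
LEGACY_SCHEME = "sha256"
MODERN_SCHEME = "scrypt"
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def legacy_hash(password):
    """Old scheme: unsalted SHA-256 hex digest (weak, kept only for verification)."""
    return hashlib.sha256(password.encode()).hexdigest()


def modern_hash(password, salt=None):
    """New scheme: per-user random salt + scrypt, stored as scheme$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return "$".join([MODERN_SCHEME,
                     base64.b64encode(salt).decode(),
                     base64.b64encode(digest).decode()])


def verify_modern(stored, password):
    """Constant-time check of a password against a scheme$salt$digest record."""
    _scheme, salt_b64, digest_b64 = stored.split("$")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(actual, expected)


def make_store():
    """Constructed sample credential store: two legacy users, one already upgraded."""
    return {
        "alice": {"scheme": LEGACY_SCHEME, "hash": legacy_hash("correct horse")},
        "bob":   {"scheme": LEGACY_SCHEME, "hash": legacy_hash("hunter2")},
        "carol": {"scheme": MODERN_SCHEME, "hash": modern_hash("s3cret")},
    }


def login(store, username, password):
    """Authenticate and transparently upgrade legacy hashes.

    Returns (authenticated, upgraded). The upgrade happens only on a successful
    legacy login, because that is the one moment the plaintext is available.
    """
    record = store.get(username)
    if record is None:
        # Spend comparable time for unknown users to keep timing uniform.
        modern_hash(password)
        return False, False

    if record["scheme"] == MODERN_SCHEME:
        return verify_modern(record["hash"], password), False

    # Legacy path: compare against the old hash in constant time.
    if not hmac.compare_digest(legacy_hash(password), record["hash"]):
        return False, False

    # Password verified; rehash with the new scheme and replace the record.
    record["hash"] = modern_hash(password)
    record["scheme"] = MODERN_SCHEME
    return True, True


def stragglers(store):
    """Accounts still on the legacy scheme: the candidates for a forced reset."""
    return sorted(u for u, r in store.items() if r["scheme"] == LEGACY_SCHEME)


if __name__ == "__main__":
    s = make_store()
    print(login(s, "alice", "correct horse"))  # alice is upgraded on this login
    print(stragglers(s))                       # bob has not logged in yet
```

Because the legacy hash is only ever read for verification and overwritten on success, the old digest disappears from the store one login at a time; whoever remains in `stragglers()` after the chosen waiting period is the block of users the thread talks about forcing to reset.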