Arbitrary forced password change

GreatMarko

New Member
So about 30 mins ago I received a worrying notification from my server that the "Account [root] password has changed", fearing my server had been hacked, I immediately opened a support ticket, and was told:

"our admin group is working on a lot of awesome goodies behind the scenes to be able to offer more features and options to our customers. As part of this roll out one of the things we're focusing on is enhanced security for our users and their servers. It was determined during an audit of our systems that to ensure the security of your server the current root password needed to be changed due to its age. To ensure this occurs we have force disabled your existing root password"

15 mins later I then received an email explaining much the same:
"During a routine systems check we have determined that the root password on your server has not been changed in many years. Due to the age of your password we have currently placed a block on its usage until a new password has been entered via our secure portal.."

So whilst they really should have sent this email well before they changed my root password without my knowledge (causing me to break into a real sweat!), my concern is WHY KnownHost are arbitrarily expiring passwords simply because of their age?

This goes against current NIST and official UK Government guidance and actually HARMS rather than improves security!

See:
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/
https://www.ncsc.gov.uk/articles/problems-forcing-regular-password-expiry
https://arstechnica.com/security/2016/08/frequent-password-changes-are-the-enemy-of-security-ftc-technologist-says/

Perhaps KnownHost would care to comment?