
Password Change on Compromise

Updated: 2026-02-25

Plain English Translation

Organizations must force users to change their passwords immediately if there is any suspicion or proof that their account has been compromised. A prompt password reset policy prevents unauthorized access and limits potential damage during a security incident.

Executive Takeaway

Enforcing password changes upon suspected compromise is a critical incident response step to block attackers from maintaining access.

Impact: High
Complexity: Low

Why This Matters

  • Immediately revokes unauthorized access to compromised accounts.
  • Limits data exposure and lateral movement during an active breach.
  • Demonstrates proactive incident response to regulators and auditors.

What “Good” Looks Like

  • Automated triggers to force password resets on compromised accounts, with evidence and ownership tracked in tools like WatchDog Security's Compliance Center.
  • Session tokens and active sessions are revoked simultaneously with the password reset.
  • Clear, approved communication to users about the reset without creating phishing risks; tools like WatchDog Security's Policy Management can manage templates, reviews, and approval history.

You should force a password reset immediately upon detection or reasonable suspicion that an account's credentials have been exposed or unauthorized access has occurred.

Suspicion includes irregular login locations, impossible travel alerts, detection of credentials in a dark web dump, or a user reporting a successful phishing attempt.

You must define clear triggers in your incident response plan and have the technical capability to force password resets and revoke active sessions for affected users. Tools like WatchDog Security's Compliance Center can map this requirement to actionable tasks, assign owners, and track supporting evidence (e.g., reset logs and incident tickets) for audit readiness.

Typically, only the affected accounts require a reset unless the scope of the breach is unknown or there is evidence of a widespread directory compromise.

Passwords must be changed as soon as the exposure is suspected to minimize the window of opportunity for an attacker to access the network.

Administrators can check the "User must change password at next logon" box in Active Directory, or use the "Require re-register MFA" and "Reset password" options in Entra ID.

Revoking active sessions and tokens is critical because attackers can use existing sessions to maintain access even after a post-breach password change.
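The two preceding paragraphs describe the forced reset and the session revocation as separate console actions. The script below is an added example (not part of the CyberSecure Canada control text or any WatchDog Security product) that performs both for one account from PowerShell and writes the audit record the evidence paragraphs call for. It assumes the ActiveDirectory and Microsoft.Graph modules are installed and that the operator has already run Connect-MgGraph with the User.ReadWrite.All scope; the account name, UPN and ticket number are constructed placeholders.

```powershell
# Added example: forced password change at next logon plus Entra ID session
# revocation for a single compromised account, with an audit record.
# Assumes ActiveDirectory + Microsoft.Graph modules and an existing
# Connect-MgGraph session. All identifiers below are placeholders.
param(
    [string]$SamAccountName    = 'jdoe',
    [string]$UserPrincipalName = 'jdoe@example.com',
    [string]$IncidentTicket    = 'INC-PLACEHOLDER-0001',
    [string]$AuditLog          = "$env:TEMP\compromise-reset-audit.csv"
)

# 1. On-prem AD: replace the exposed password with a random throwaway value
#    so the old secret is dead immediately, then require a new one at logon.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$tempBytes = New-Object byte[] 24
$rng.GetBytes($tempBytes)
$tempPassword = ConvertTo-SecureString ([Convert]::ToBase64String($tempBytes)) -AsPlainText -Force
Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $tempPassword
# Set-ADUser rejects ChangePasswordAtLogon while PasswordNeverExpires is set,
# so clear that flag first.
Set-ADUser -Identity $SamAccountName -PasswordNeverExpires $false
Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true

# 2. Entra ID: invalidate refresh tokens and browser sessions. Already-issued
#    access tokens stay valid until they expire (roughly an hour by default),
#    so keep monitoring the account during that window.
$entraUser = Get-MgUser -UserId $UserPrincipalName -Property Id,UserPrincipalName
Revoke-MgUserSignInSession -UserId $entraUser.Id | Out-Null

# 3. Evidence: who acted, on which account, for which incident, and when.
$adUser = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet
[pscustomobject]@{
    Timestamp       = (Get-Date).ToUniversalTime().ToString('o')
    Operator        = "$env:USERDOMAIN\$env:USERNAME"
    IncidentTicket  = $IncidentTicket
    Account         = $SamAccountName
    EntraObjectId   = $entraUser.Id
    PasswordLastSet = $adUser.PasswordLastSet
    SessionsRevoked = $true
} | Export-Csv -Path $AuditLog -Append -NoTypeInformation
```

The CSV row, the helpdesk ticket and the user's next successful sign-in together form the trigger/action/result chain the evidence guidance below asks for.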

Maintain audit logs of the administrative action triggering the reset, helpdesk tickets documenting the incident, and system logs showing the user successfully authenticating with a new password. Tools like WatchDog Security's Compliance Center can centralize these artifacts, request missing evidence, and generate an auditor-friendly evidence package.

Contact users through an out-of-band method, such as a direct phone call or an in-person conversation, and instruct them to navigate directly to the official portal rather than clicking a link.

You should ensure multi-factor authentication is active, monitor the account for unusual post-reset activity, and verify that no malicious mailbox forwarding rules or backdoors were created.

Auditors typically expect you to show the trigger (alert, report, or investigation note), the administrative action that enforced the reset, and the resulting authentication/session-revocation logs. Tools like WatchDog Security's Compliance Center can link these artifacts to the control, assign remediation tasks, and keep an evidence trail you can export for audits.

Consistency reduces mistakes during time-sensitive incidents and helps avoid phishing-like communications. Tools like WatchDog Security's Policy Management can maintain approved procedures and user-facing templates with version control, review workflows, and acknowledgement tracking so teams follow the same playbook.

CYBERSECURE-CANADA Section 5.5.2.2

"The organization shall enforce password changes on suspicion or evidence of compromise."

Version: 1.0.0
Date: 2026-02-25
Author: WatchDog Security GRC Team
Description: Initial publication