Citrix Systems has recently sent a notice to many users of its ShareFile collaboration software, indicating that its password management policy will change to include regular, forced password resets from now on. Many of the users who received this message had difficulty understanding the purpose of the change, suspecting that a breach of user data was the reason behind the forced reset. However, Citrix published a reassuring blog post explaining that the action is meant as proactive prevention of a breach, not a reaction to one.
More specifically, Citrix explained that according to the Breach Level Index reports, 2018 has seen an unprecedented number of breaches, many of which exposed the credentials of people who also use ShareFile. Because many people reuse the same password across multiple websites and services, Citrix noticed a surge of account access attempts that used credentials obtained from high-profile breaches on other platforms (a pattern commonly called credential stuffing).
All that said, Citrix considers the forced password reset an effective preventive measure against having to deal with multiple account compromises later on. As a spokesperson wrote: “Citrix forced password resets with the knowledge that attacks of this nature historically come in waves. Attacker’s additional efforts adapt to the results, often turning the volume and approach of their methods. Our objective was to minimize the risk to our customers.”
Now, a policy of regular password resets is controversial, as it contradicts NIST's official recommendation on the matter. NIST's rationale is that when users are forced to change passwords frequently, they will not select a password that is substantially more complex or different from the previous one. Almost everyone subjected to a process of this kind falls back on poor practices such as incrementing a number in the password. These simple transformations offer no reliable protection against compromise, so changing passwords at frequent intervals is not a good authentication practice.
Citrix does offer a way out of this perpetual headache for its users, stating that all of the above applies only to those who do not use ShareFile Two-Step Verification. That mechanism provides enough security to forgo frequent resets, so users who had opted into the more stringent authentication process were left out of both the warning circulation and the forced password reset this time. For those who do not want to use multi-factor authentication and still want to keep things simple, reusing one password across all their internet activity is exactly what makes credential stuffing work; a strong password manager that generates a unique password per site is the only sensible way to go these days.
What do you think about the Citrix forced password reset? Was it a breach or a preventive measure? Let us know in the comments section or join the relevant discussions on TechNadu’s Twitter and Facebook.