Verifone, a massive credit card point-of-sales machine manufacturer, has been breached. On Jan 23, 2017 an urgent email from Verifone’s CIO, Steve Horan required employees to change their password. Verifone supposedly was breached in mid-2016 and was just able to find out which systems were compromised. Fortunately the only systems that were compromised were internal networks in the corporate offices. No POS devices were compromised as of yet.
https://krebsonsecurity.com/2017/03/payments-giant-verifone-investigating-breach/
Why do companies tend to have users change their passwords themselves as an initial step to interact with employees or consumers after a potential security breach? Isn’t such reaction become too predictable for hackers? If so, aren’t they using this in their own advantage? I’m not saying it’s a bad strategy to suggest so; however, I believe a superior approach should be developed. For example, companies can implement a system that automatically assign a random/temporary password to users, then prompt them to create a new one instantly after a security breach. This will allow more users to change passwords faster and help all internal parties focus better on the best tactic to combat the system breach.