Customers baffled as Citrix forces password changes for document-slinging Sharefile outfit

rg287

"In response to this, we are requiring a password reset and will be incorporating a regularly-scheduled, forced password reset into our normal operating procedures."

FFS. I thought we'd got past stupid bollocks like this.

Doing a reporting process vs. the HIBP Pwned Passwords API and then forcing resets on specific users with matching passwords (and then querying HIBP on password resets going forward) could be construed to be a useful and sensible thing to do to scotch people speculatively trying compromised passwords. Along with encouraging/pushing adoption of (token or H/TOTP - not SMS!) 2FA to outright mitigate password theft.

Arbitrarily going back to 2001 and requiring regular password resets is just stupid.
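The commenter's alternative, checking submitted passwords against the HIBP Pwned Passwords API and resetting only the accounts that match, can be implemented without ever sending the password or its full hash off-host, because the API works on a k-anonymity range query: the client sends only the first five hex characters of the SHA-1 and receives every matching suffix with its breach count. The example below is added here; it is not code from rg287, The Register or Citrix. It uses the real range endpoint and the documented `Add-Padding` header, but the offline demo runs against a constructed stand-in (`fake_fetch_range`, `CONSTRUCTED_BREACH_CORPUS`) rather than the network, and the usernames and counts are made up. It also assumes the check runs where the plaintext is actually available (login or password change), since passwords stored under a proper slow hash cannot be re-derived into SHA-1 for a bulk sweep.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Iterable, List, Tuple

RANGE_API = "https://api.pwnedpasswords.com/range/"  # real HIBP Pwned Passwords endpoint


def sha1_hex_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the plaintext, the form the range API indexes on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range_body(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Padding entries carry a count of 0 and are dropped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: only the 5-char hash prefix leaves this host."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range_body(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Network fetch against the real API (not exercised by the offline demo)."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"Add-Padding": "true", "User-Agent": "pwned-password-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# --- Constructed offline stand-in for the API: made-up passwords and counts ---
CONSTRUCTED_BREACH_CORPUS = {"password": 3861493, "qwerty123": 1234}


def fake_fetch_range(prefix: str) -> str:
    """Build a response in the same 'SUFFIX:COUNT' format the real API returns."""
    lines = []
    for pw, count in CONSTRUCTED_BREACH_CORPUS.items():
        d = sha1_hex_upper(pw)
        if d[:5] == prefix:
            lines.append(f"{d[5:]}:{count}")
    lines.append("0" * 35 + ":7")  # unrelated hash sharing the prefix (constructed)
    lines.append("F" * 35 + ":0")  # padding entry, as sent with Add-Padding: true
    return "\r\n".join(lines)


def users_needing_reset(
    credentials: Iterable[Tuple[str, str]], fetch_range: Callable[[str], str]
) -> List[str]:
    """Given (user, submitted_password) pairs seen at login, list the accounts to reset."""
    return sorted(user for user, pw in credentials if pwned_count(pw, fetch_range) > 0)


def accept_new_password(candidate: str, fetch_range: Callable[[str], str]) -> Tuple[bool, str]:
    """Forward-looking check for the password-change flow."""
    if pwned_count(candidate, fetch_range) > 0:
        return False, "password appears in a known breach"
    return True, "ok"


if __name__ == "__main__":
    seen = [("alice", "password"), ("bob", "long-unique-passphrase-8Kq"), ("carol", "qwerty123")]
    print("reset:", users_needing_reset(seen, fake_fetch_range))
    print(accept_new_password("password", fake_fetch_range))
```

Swapping `fake_fetch_range` for `fetch_range_live` turns the demo into a real check; the rest of the logic is unchanged. Requesting padding keeps response sizes from leaking which prefix was queried, which is why the parser discards zero-count entries instead of treating them as matches.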
