
This is PokéFarm Q, a free online Pokémon collectables game.


Single post in Account Breach incident


Mirzam
Oh gosh, password expiration on a casual game site is not a good idea at all. Modern 2FA solves the problem much more effectively and with much less annoyance. Security professionals have studied this and concluded that password expiration is most likely an outdated concept for many use cases. People who are subject to frequent password changes are more likely to create worse passwords, and often make their passwords sequential in some way (ex: password1, password2, password3...). How would you even handle old users coming back with an expired password? If you allow them to reset it right then using the old password, you have not prevented the attack that happened here. If you require email address involvement, you end up with a lot more tickets when people can't remember which email they signed up with. Sorry for the TL;DR but I feel strongly about this.
© PokéFarm 2009-2024