How do we tell a user that when they logged in we noticed their password was insecure?
I'm not entirely certain if this belongs on Information Security or here, so if it needs to be moved I'll delete it and repost.
An application I'm developing has a "feature" that alerts a user when a password they logged in with does not meet the password requirements. While this is not a common situation, it is possible that the password requirements were hardened after the user last changed their password. We test this on login, by validating the password they logged in with against the new requirements. If the password does not meet the new requirements, login is allowed but we inform the user via a somewhat ugly message that their password doesn't meet the requirements.
The message, for those who cannot view the image, is:
It looks like the last password you logged in with doesn't meet our requirements, we would really appreciate it if you would visit the @Html.ActionLink("'Change your password'", "ChangePassword") page and update it to meet them. Until then, we'll show you this reminder each time you login.
It's completely dismissible, and that works for the duration of the current session, so if you log out then back in it will show up again, or if you log in on a different device it will appear again. However, if you do anything to update your password to conform to the newer restrictions, we remove the message as soon as that happens, so if you are logged in on three devices, and change your password on a fourth, the three others will have that message disappear on the next page load.
I'm not sure what is best, because any message implies that we don't store passwords securely (we do; we only test this on login and then flag the user profile), so I'm curious if there is an accepted behavior when it comes to this.
I thought about adding a tooltip that says "How do we know this?" and when the user hovers, explaining what method is used to show the message.
Every time you log in we re-test your password against the policies configured in this website; if your password no longer meets these policies, we alert you. We also validate your password against recent data-breaches, to ensure we can provide the safest experience possible.