Is it bad practice to prompt users to reset password when there is no evidence of a breach?
I have received many security emails from LinkedIn over the past few weeks. An example is shown below (redaction mine).
I do not live in the USA and I did not try to access LinkedIn at the times these were received.
Two things suggested to me that this could be a phishing email:
- A slight grammatical mistake "to prevent anybody else from account." It seems unlikely to me that such a large company would make a mistake like this on such a vital email.
- "Change your password right away", encouraging me to take a sensitive action with some urgency.
However, as far as I can tell, this is not a phishing email. All links appear to be legitimate and nothing else appears suspicious. I think this email message has been triggered by an "attacker" knowing my email address and trying to use it for passwordless sign-in. Also, I changed my password by visiting LinkedIn independently, and I have still been regularly receiving these emails, so it is unlikely they know my password.
My question is: assuming this email is legitimate, is it bad practice to prompt a user to reset their password when there is no evidence of a password breach? And what, if any, are the advantages?
I see two reasons it could be bad practice:
- It makes the user comfortable with following unprompted email links to reset their password, and so might raise less suspicion in the case that there is a phishing email.
- For those not using password managers, unnecessarily rotating passwords encourages easy-to-remember (and therefore, usually weak) passwords.
I can't see any advantage to asking a user to change their password immediately.