This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 39%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKJ%3C/text%3E%3C/svg%3E)
I'm writing to inform you about a recent security incident we encountered within our organization. Unfortunately, we experienced some insider phishing attacks that compromised certain email accounts. As a precautionary measure, we immediately reset the passwords for these compromised accounts. However, upon further investigation, we discovered that both the old and new passwords remain active for 180 minutes or more specially when sending the multiple mails, posing a potential security risk.
We kindly request your assistance in providing guidance on how we can effectively reduce the duration for which both passwords remain active. Any advice or recommendations you can offer would be greatly appreciated.
Regards
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(112.00000000000001, 24%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
Regarding your question, it sounds like you are concerned about the duration for which both the old and new passwords remain active. I can suggest a few general best practices that may be helpful:
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
actually thats not my case,when we reset password for user same user can use old and both password for loging,email and there device.
so we dig some more and found that Beginning with Microsoft Windows Server 2003 Service Pack 1 (SP1), there is a change to NTLM network authentication behavior. Domain users can use their old password to access the network for one hour after the password is changed. Existing components that are designed to use Kerberos for authentication are not affected by this change.
The goal of this change is to allow background processes such as services to continue running for some time until an administrator has the opportunity to update the credentials for the new password.
with this change we can restrict users loging to their devices. but they still able to go in to their emails