twoodfin 4 days ago

Perfect example of why habituating users to renewing credentials (typically password expiration) is a terrible practice.

NooneAtAll3 4 days ago | parent | next

Is there an actual habituation?

That message feels like it could work as a first-time as well.

twoodfin 4 days ago | parent | next

We should be immediately suspicious when we get any solicitation to "renew" something "expired" in a security domain. Swapping un-compromised secrets is essentially always more risky than leaving them be.

Regardless of whether the real NPM had done this in the past, decades of dumb password expiration policies have trained us that requests like this are to be expected rather than suspected.

nicoburns 4 days ago | parent | prev

If legitimate companies didn't do this, then the email would be suspicious.

anonymars 4 days ago | parent | prev

Frustrating that you're being downvoted

https://pages.nist.gov/800-63-FAQ/#q-b05