iRacing has an event-based password expiry policy. This means that iRacing will not require periodic password changes and instead will only require password changes in the following circumstances:
- Account Inactivity
- Indication of Compromise
- Security Enhancements
Account Inactivity
iRacing invalidates the passwords of accounts that have not been accessed for some time in order to prevent them from being accessed in the event the member used the same credentials on multiple sites. This protects both the member (or former member) and iRacing: old credentials are not kept on file, which reduces the impact should iRacing suffer a breach of member credentials. It also ensures that returning members will pick up the latest security settings iRacing has in place for passwords and their storage. See the Security Enhancements section below.
While the passwords of these accounts are invalidated, no content on the account is touched. All content the account had access to remains associated with that account. For additional details, see "Will I ever lose use of the content/property I have licensed?"
If you have an old account that has not been used in some time and would like to regain access to that account, please follow the instructions at "Cannot Log In - How to Reset Your Password" to begin the recovery process.
Indication of Compromise
In the event that a member account is determined to be compromised by a bad actor, either by iRacing or via the member reporting suspicious activity, the password on the account will be invalidated and the user will be able to recover the account using the email address on file. Should the member no longer have access to the email address on file, they can contact Support, who can work with the member to validate account ownership. If ownership cannot be established, access to the account is lost. It is therefore important to associate and maintain a valid email address with your account.
In the event that iRacing suffers a data breach involving member credentials, passwords would be invalidated. In the event of a breach, a bad actor would have access to a derived hash, not actual passwords.
Security Enhancements
Security enhancements may include, but are not limited to:
- Changing the hashing function.
- Changing hashing function parameters, including work factor, secrets, resource usage, etc.
- Changing password requirements.
Not all changes mentioned above would necessarily be cause for a global password reset.