After a data breach, what is the best practice to ensure users' credentials remain secure during a reset?

Practice question from a CompTIA Security+ SY0-601 study set.

Encrypting credentials in transit is the best practice for keeping users' credentials secure during a reset. Everything exchanged in the reset flow (the reset token, the username, the new password) is carried over an encrypted channel such as TLS (HTTPS) whenever it crosses the network. An attacker who captures that traffic sees only ciphertext, so the credentials cannot be read or reused without the session keys.

This directly addresses on-path (man-in-the-middle) attacks, in which an attacker positioned between the user's device and the server tries to capture sensitive data as it travels. One caveat worth remembering: encryption protects the channel only if the client also authenticates the server by validating its certificate; a client that accepts any certificate can be tricked into encrypting the new password to the attacker instead. Transport encryption also protects credentials only on the wire, so the server should still store the new password as a salted hash and treat reset tokens as single-use and short-lived. With those pieces in place, organizations maintain the confidentiality and integrity of sensitive information during a critical process such as a password reset.

The other options may contribute to overall security but do not address protecting credentials while the reset is in progress. A password reuse (password history) policy stops a user from reverting to an earlier password, and it does nothing about a user recycling a password from another site; either way it has no effect on the credential while it is being transmitted. An account lockout policy helps thwart brute-force and password-spraying attacks against the login, but it does not protect the reset exchange itself. Geofencing restricts logins by geographic location, which again says nothing about how the credential is transmitted during the reset.
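As an added example that is not part of the original answer, the following client-side guard shows what "encrypted in transit" looks like in practice for a reset submission: the new credential is only ever sent to an https URL, and the TLS context both encrypts and verifies the server's certificate, which is the part that actually defeats an on-path attacker. The insecure context is included only for contrast. The reset endpoint, JSON field names and token value are assumptions made for the example.

```python
"""Client-side guard for submitting a password reset over authenticated TLS.

Added example; not code from the original page. The endpoint URL, the JSON
field names ("token", "new_password") and the sample token are assumptions.
"""
import json
import ssl
import urllib.parse
import urllib.request


def strict_tls_context() -> ssl.SSLContext:
    """TLS context that refuses unauthenticated or downgraded connections.

    Encryption alone does not stop an on-path attacker who terminates TLS with
    a certificate of their own; certificate validation and hostname checking
    are what bind the encrypted channel to the real reset server.
    """
    ctx = ssl.create_default_context()          # loads the system CA store
    ctx.check_hostname = True                    # cert must match the host we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED          # reject any unverifiable certificate
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2 # no legacy protocol versions
    return ctx


def insecure_tls_context() -> ssl.SSLContext:
    """What NOT to do: traffic is encrypted, but any certificate is accepted,
    so an on-path attacker can present their own cert and read the password.
    (check_hostname must be cleared before verify_mode can be set to CERT_NONE.)
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def validate_reset_url(url: str) -> str:
    """Allow the reset form to be submitted only to an https URL with a host."""
    parts = urllib.parse.urlsplit(url)
    if parts.scheme != "https":
        raise ValueError(f"refusing to send credentials over '{parts.scheme or 'no'}' scheme: {url}")
    if not parts.hostname:
        raise ValueError(f"reset URL has no host: {url}")
    return url


def build_reset_request(url: str, reset_token: str, new_password: str) -> urllib.request.Request:
    """Build the POST carrying the reset token and new password.

    The body is assembled here but only leaves the machine via submit_reset(),
    which pins it to the strict TLS context above.
    """
    url = validate_reset_url(url)
    body = json.dumps({"token": reset_token, "new_password": new_password}).encode("utf-8")
    return urllib.request.Request(
        url, data=body, method="POST", headers={"Content-Type": "application/json"}
    )


def submit_reset(url: str, reset_token: str, new_password: str, timeout: float = 10) -> int:
    """Send the reset over verified TLS and return the HTTP status code."""
    req = build_reset_request(url, reset_token, new_password)
    with urllib.request.urlopen(req, context=strict_tls_context(), timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Plain HTTP is rejected before any credential is serialized.
    try:
        validate_reset_url("http://accounts.example.test/reset")
    except ValueError as exc:
        print("blocked:", exc)

    # HTTPS passes the guard; the request is built but not sent here (no network).
    req = build_reset_request("https://accounts.example.test/reset", "t0ken-assumed", "N3w-Passw0rd!")
    print("would POST", req.full_url, "with verify_mode =", strict_tls_context().verify_mode.name)
    print("insecure context verify_mode =", insecure_tls_context().verify_mode.name)
```

Calling submit_reset() against a real endpoint exercises the full path; the guard and the context settings can be checked offline as shown in the main block.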
