One of the greatest modern security risks is password reuse. When a user has the same password for multiple services, a data breach at one company can expose their accounts everywhere. Our always-on Breached Password Detection feature proactively protects your users and your application from this widespread threat.
Our system continuously monitors data from major public security breaches. When a user attempts to sign up or log in, we check their password against this massive database of known compromised credentials. This check is performed securely and instantly, without ever exposing or storing the user’s password in a reversible format.
For administrators interested in understanding this mechanism, any password starting with AUTH0-TEST- will be treated as breached, allowing you to observe the user experience safely.
If a new user tries to register with a password that is known to have been breached, the signup is blocked. They will receive an error message preventing them from using the compromised password and will be prompted to choose a different, more secure one. This enforces good password hygiene from the very beginning.
If an existing user attempts to log in with credentials that have been identified in a breach since their last login, the attempt is blocked. The user is informed that their account is at risk and will be required to reset their password before they can regain access.
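The following is an added illustration of the signup and login behaviour described above; it is not Auth0's implementation and the page does not describe how the check is actually performed. It assumes a k-anonymity style lookup (the candidate password is hashed, only the first five hex characters of the hash are sent to the corpus, and the comparison finishes locally, so the full password never leaves the client in a reversible form) and uses a small constructed list of "breached" passwords in place of a real breach corpus. The AUTH0-TEST- prefix rule comes from the page; the function names, the Outcome enum and the sample passwords are assumptions made for this example. The example checks at every login rather than tracking what has been breached "since the last login".

```python
import hashlib
from enum import Enum


class Outcome(Enum):
    ALLOW = "allow"
    BLOCK_SIGNUP = "block_signup"              # new user must pick a different password
    REQUIRE_RESET = "require_password_reset"   # existing user must reset before regaining access


# Documented test hook: any password starting with this prefix is treated as breached.
TEST_PREFIX = "AUTH0-TEST-"


def _sha1_hex(password: str) -> str:
    """Hash the candidate password; only a digest is ever compared, never the plaintext."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus (sample values, not real breach data),
# stored as SHA-1 hex digests rather than plaintext.
_CONSTRUCTED_BREACHED = {_sha1_hex(p) for p in ["password123", "qwerty", "letmein"]}


def range_lookup(prefix: str) -> set:
    """Simulate the corpus side of a k-anonymity range query: given a 5-hex-char
    prefix, return the suffixes of every breached hash sharing that prefix.
    The caller never reveals the full hash, only the prefix."""
    if len(prefix) != 5:
        raise ValueError("range query expects exactly 5 hex characters")
    return {h[5:] for h in _CONSTRUCTED_BREACHED if h.startswith(prefix)}


def is_breached(password: str) -> bool:
    """True if the password is known-compromised (or carries the test prefix)."""
    if password.startswith(TEST_PREFIX):
        return True
    digest = _sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    # The comparison completes locally against the returned suffixes.
    return suffix in range_lookup(prefix)


def evaluate(password: str, existing_user: bool) -> Outcome:
    """Apply the page's policy: a breached password blocks signup for a new user
    and forces a reset for an existing user; anything else is allowed through."""
    if not is_breached(password):
        return Outcome.ALLOW
    return Outcome.REQUIRE_RESET if existing_user else Outcome.BLOCK_SIGNUP


if __name__ == "__main__":
    for pw, existing in [("password123", False), ("password123", True),
                         ("AUTH0-TEST-demo", False), ("correct horse battery staple", True)]:
        print(f"{pw!r} existing={existing}: {evaluate(pw, existing).value}")
```

The five-character prefix is what keeps the lookup from exposing the credential: the corpus side sees only a bucket shared by many unrelated passwords, and the final match is decided on the client.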
Automatic Enforcement of Password Hygiene: You don’t have to rely on users to follow best practices; the system automatically prevents the use of known-bad passwords.
Protection from Credential Stuffing: This feature is a powerful defense against credential stuffing attacks, where attackers use lists of breached passwords to try to gain access.
Enhanced User Trust: Users are protected even if their credentials are compromised on other platforms, reinforcing the security and integrity of your application.