Breached Password Detection
Every day, malicious hackers penetrate websites and applications, exposing thousands of emails and passwords. Because it's common for users to reuse the same password to log in to multiple sites, this poses a problem not only for the hacked system, but for any application that shares those breached passwords.
Auth0 tracks large security breaches that are happening on major third-party sites to help secure your users and system. By enabling breached password detection, when a trigger occurs, your users can be notified and/or blocked from logging in if we suspect their credentials were part of a published security breach.
You can configure the URL Lifetime and Redirect To values in the Dashboard by going to Emails > Templates > Change Password Template.
Breached password detection also works when logging in using the Resource Owner Password Grant (ROPG) and when using custom databases with your tenants.
When a user receives an email requesting that they change their password immediately, it is because their account could be the victim of a security breach. This may be the result of a compromise by a third-party application that experienced a security breach. The breach may not have happened to this account, but based on available data, the user's credentials may have been released. Since many people reuse passwords, the request to change passwords is a precaution to make sure the user stays protected. Users may also want to change their password at any other sites where they suspect they used a shared password.
You can customize blocked account emails.
General security tips
Users can't usually prevent certain sites from experiencing security breaches, but there are some things they can do to help keep their accounts safe.
Check emails carefully
Check where an email is coming from and the links it provides. Phishing emails often do not address the user by name but use something generic such as "Dear Customer".
Reset passwords directly from sites
Always do a password reset through the actual site itself, not via potentially false links in emails. Also, note that a secure website URL always starts with https.
Here are some links for password resets on commonly-used sites:
Never enter personal or financial information in emails
Emails in general are not very secure and are not a good way to communicate sensitive information. A trusted company/application would not ask for information in this way. Make sure not to enter confidential information through false links in emails.
Never download files from unreliable sources
Most web browsers detect suspicious sites. An alert should appear when you try to access a malicious site. Never download files from suspicious emails or websites.
Do not reuse passwords
When one site has a breach of user data, if a user uses the same credentials elsewhere, the information in other sites can also be accessed. The only way to prevent this is by not reusing passwords for multiple sites. The problem is that remembering countless passwords is frustrating and often impossible. One solution to this problem is the use of a password manager. There are many password managers available which can help users to use separate and secure passwords for each account, but at the same time not be responsible for remembering all of them.
Use strong passwords
The longer a password is, the harder it becomes to guess via brute-force methods. Many sites allow the use of pass-phrases (a phrase or sentence instead of just a complicated word). Try to make passwords long and use a mix of special characters, numbers, and upper- and lowercase letters.
Keep software current
Applications release patches and updates when they find security vulnerabilities in their systems. Keeping applications, web browsers, and operating systems up to date can help prevent security breaches.
Check the security of your email inbox
If you use Gmail, Google offers the Security Checkup tool to let you know if there are any security issues related to your inbox.
You can also use third-party tools, such as websites like HaveIBeenPwned to see if there might be security issues associated with your email address.
Verify detection configuration
You can verify the users' login experience when the breached password is detected.
Go through your login flow using the email address leak-test@example.com and password Paaf213XXYYZZ.
Check your tenant log to verify that the login was blocked and that an email was sent but failed to be delivered, which is the expected behavior. The email to recipient leak-test@example.com cannot be delivered because example.com is not a valid domain name.
Delete the leak-test@example.com user after you verify that the user was blocked.
Restrictions and limitations
Breached password detection depends on the IP address of the user. Because of this, the following use cases are not supported:
Using the Resource Owner Password Grant from the backend of the application: this call does not capture the IP address of the user.
Authenticating a large number of users from the same IP address: Users who are behind a proxy are more likely to reach set limits and trigger breached password detection. To avoid erroneously triggering detection, configure an AllowList for the proxy's IP and CIDR range.
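The following script is an added example, not Auth0's code, that works through both the verification step above (confirming in the tenant log that the leak-test@example.com login was blocked and its notification email failed) and the shared-IP limitation (finding source IPs with many distinct users that may need an AllowList entry). It assumes the Auth0 log event codes pwd_leak (breached password), fn (failed sending notification) and s (success login), a constructed JSON-lines log export, and a threshold of three users per IP; confirm the codes against your tenant's log event type list.

```python
import json
import ipaddress
from collections import defaultdict

# Constructed tenant-log export (JSON lines), not a real Auth0 export.
# Field names (type, user_name, ip, description) follow the Auth0 log
# record shape; the event codes "pwd_leak", "fn" and "s" are assumptions
# to confirm against your tenant's log event type list.
SAMPLE_LOG = """
{"type": "pwd_leak", "user_name": "leak-test@example.com", "ip": "203.0.113.10", "description": "Someone attempted to login with a leaked password"}
{"type": "fn", "user_name": "leak-test@example.com", "ip": "203.0.113.10", "description": "Failed to send email notification"}
{"type": "s", "user_name": "alice@example.org", "ip": "198.51.100.7", "description": "Success Login"}
{"type": "s", "user_name": "bob@example.org", "ip": "198.51.100.7", "description": "Success Login"}
{"type": "s", "user_name": "carol@example.org", "ip": "198.51.100.7", "description": "Success Login"}
{"type": "s", "user_name": "dave@example.org", "ip": "192.0.2.44", "description": "Success Login"}
"""

def parse_log(text):
    """Parse a JSON-lines log export into a list of event dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]

def verify_leak_test(events, user="leak-test@example.com"):
    """True when the test user was blocked (pwd_leak) AND the notification
    email failed (fn): the expected outcome for the undeliverable address."""
    types = {e["type"] for e in events if e.get("user_name") == user}
    return "pwd_leak" in types and "fn" in types

def shared_ip_candidates(events, min_users=3):
    """Return source IPs behind which at least min_users distinct users
    logged in (assumed threshold): likely proxies/NATs that may hit the
    shared-IP limit and need an AllowList entry."""
    users_by_ip = defaultdict(set)
    for e in events:
        users_by_ip[e["ip"]].add(e["user_name"])
    return sorted(ip for ip, users in users_by_ip.items() if len(users) >= min_users)

def is_allowlisted(ip, allowlist):
    """Check whether ip falls inside any allowlisted address or CIDR range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in allowlist)

if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    print("leak test blocked and email failed:", verify_leak_test(events))
    print("shared-IP candidates:", shared_ip_candidates(events))
    print("198.51.100.7 allowlisted:", is_allowlisted("198.51.100.7", ["198.51.100.0/24"]))
```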