Breached Password Detection

Breached Password Detection

Breached password detection protects your applications from bad actors signing up or logging in with stolen credentials. Auth0 can notify users and/or block accounts that are at risk.

Auth0 tracks large security breaches that occur on major third-party sites. If Auth0 identifies that any of your users’ credentials were part of a breach, the breached password detection security feature triggers. In response, Auth0 can:

  • Block new users from signing up with stolen credentials. Entirely blocks the username/password combination.

  • Block anyone from logging in with the stolen credentials. Entirely blocks the account and prevents bad actors from accessing your application. The user can’t log in until they change their password. 

  • Send an email to the user when a login attempt happens. The email informs users about the risk and instructs them to change their password immediately. You can customize the message sent to users.To learn more, read Customize Blocked Account Emails.

Detect breaches faster with Credential Guard

Breached password detection relies on breach data released to the public. Credential Guard is an additional Auth0 service you can add to breach password detection that screens for breaches to allow faster notification of compromised credentials.

Breached Password Protection Credential Guard
Plans Pro and Enterprise Add-on option for Enterprise
Data collection Web scanners and scrapers search for user credentials in published security breaches Dedicated security team infiltrates criminal communities and gains access to breach data that isn’t otherwise available
Detection time 7-13 months 12-36 hours
Coverage English only 35 languages worldwide

To add Credential Guard to your Auth0 agreement, contact us.

Configure breached password detection

When enabled, you can customize breached password detection preferences, such as blocking compromised user accounts and sending email notifications to administrators and affected users.

  1. Go to Dashboard > Security > Attack Protection and select Breached Password Detection.

    The toggle for turning on breached password detection in Auth0

  2. To turn on breached password detection, enable the switch at the top-right corner of the page.

    Configure breached password detection in Auth0

  3. Under Detection, find Breached Password Detection Method. If your agreement with Auth0 includes Credential Guard, select As soon as possible, with Credential Guard and select Save to apply the change. Otherwise, leave When breach data is published selected.

    Dashboard > Security > Attack Protection > Breached Password > Detection

  4. Under Response, you can choose to block bad actors using stolen credentials to sign up and/or login:

    1. If you are using the New Universal Login experience, enable Block compromised credentials for new accounts to block compromised credential use upon sign up. Select Block compromised user accounts to block compromised credential use upon login.

    2. If you are using the Classic Universal Login experience, update your SDK before enabling the block for new accounts. Select Block compromised user accounts to block compromised credential use upon login.

      Dashboard > Security > Attack Protection > Breached Password > Response

  5. Under Notifications:

    1. Enable the Send notifications to users with compromised credentials switch to send email to users when Auth0 detects that their credentials may have been compromised.

    2. Select Send notifications to account administrators.

    3.  Toggle on for administrators to be notified of: Compromised credentials for new accounts Compromised user accounts (existing)

    4. Choose the notification frequency: Immediately, Daily, Weekly, or Monthly.

      Dashboard > Security > Attack Protection > Breached Password > Notification

  6. Select Save.

  7. Configure the change password notification sent to your users when compromised credentials are used for login. 

    1. Navigate to Dashboard > Branding > Email Templates

    2. In the Template dropdown menu, select the Change Password template.

    3. Determine the URL Lifetime, or how long the reset password link is usable. The default is 5 days, 432,000 seconds.

    4. Enter the Redirect To values to determine where users land once the password has been changed.

To configure the URL Lifetime and Redirect To values in the Dashboard, go to Dashboard > Branding > Email Templates, locate Template, and select Change Password.

Verify detection configuration

You can verify a user's login experience when Auth0 detects a breached password:

  1. Create a test user in Dashboard > User Management > User.

  2. Go through your login flow with a test email and password Paaf213XXYYZZ.

  3. Navigate to Dashboard > Monitoring > Logs.

  4. Search the logs for type: "signup_pwd_leak" to verify Auth0 blocked the signup or login and sent an email.

  5. Navigate to Dashboard > User Management > User to delete the test user.

Learn more