Breached Password Detection

Breached password detection protects your applications from bad actors logging in with stolen credentials. Auth0 can notify users and/or block accounts that are at risk.

Every day, malicious hackers penetrate websites and applications, exposing millions of email-password combinations. Because many people reuse the same password across multiple sites, each of these breaches is a problem for any application where a user has reused the stolen credentials, not just for the site that was breached.

Auth0 tracks large security breaches that occur on major third-party sites. If Auth0 identifies that any of your users’ credentials were part of a breach, the breached password detection security feature triggers. In response, Auth0 can:

  • Block anyone from logging in with the user’s stolen credentials. This entirely blocks the account and prevents bad actors from accessing your application. The user can’t log in until they change their password. 

  • Send email to the user about the risk and instruct them to change their password immediately. You can customize the message sent to users. To learn more, read Customize Blocked Account Emails.

Detect breaches faster with Credential Guard

Breached password detection relies on breach data released to the public. From the time when a breach happens to when it’s announced, there is a gap (typically months) during which your users and business remain at risk. Credential Guard eliminates this gap: a team of dedicated security experts infiltrates criminal communities and gains access to exposed data as soon as breaches occur. With this advantage, you can better protect your users and secure your applications by resetting stolen passwords sooner. 

                  Breached Password Detection              Credential Guard
Plans             Pro and Enterprise                       Add-on option for Enterprise
Data collection   Web scanners and scrapers search for     Dedicated security team infiltrates criminal
                  user credentials in published            communities and gains access to breach data
                  security breaches                        that isn’t otherwise available
Detection time    7-13 months                              12-36 hours
Coverage          English only                             35 languages worldwide

To add Credential Guard to your Auth0 agreement, contact us.

Configure breached password detection

When enabled, you can customize breached password detection preferences, such as blocking compromised user accounts and sending email notifications to administrators and affected users.

  1. Go to Dashboard > Security > Attack Protection and select Breached Password Detection.

  2. To turn on breached password detection, enable the switch at the top-right corner of the page.

  3. Under Detection, find Breached Password Detection Method. If your agreement with Auth0 includes Credential Guard, you can select As soon as possible, with Credential Guard and select Save to apply the change. Otherwise, leave When breach data is published selected.

  4. Under Response, enable the Block compromised user accounts switch to automatically prevent anyone from logging in using compromised credentials.

  5. Under Notifications:

    1. Enable the Send notifications to users with compromised credentials switch to send email to users when Auth0 detects that their credentials may have been compromised.

    2. Select Send notifications to account administrators and choose the notification frequency: Immediately, Daily, Weekly, or Monthly.

  6. Select Save.

To configure the URL Lifetime and Redirect To values of the change-password link in the Dashboard, go to Dashboard > Branding > Email Templates, and under Template select Change Password.

Verify detection configuration

You can verify a user's login experience when Auth0 detects a breached password:

  1. Go through your login flow using the email address leak-test@example.com and password Paaf213XXYYZZ.

  2. Check your tenant log to verify that Auth0 blocked the login and attempted to send an email that failed to be delivered. This is expected behavior: the email to recipient leak-test@example.com cannot be delivered because example.com is a reserved documentation domain that does not accept mail.

  3. Delete the leak-test@example.com user.
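The same configuration and verification can be scripted against the Auth0 Management API instead of the Dashboard. The following is an added example, not Auth0's own code: it builds the settings body that mirrors steps 2 to 5 of the configuration procedure above, and summarises tenant log entries for the leak-test login described in the verification procedure. It assumes the endpoint `PATCH /api/v2/attack-protection/breached-password-detection`, its fields `enabled`, `shields`, `admin_notification_frequency` and `method`, the log event codes `pwd_leak` (breached password) and `fn` (failed sending notification), and the environment variables `AUTH0_DOMAIN` and `AUTH0_MGMT_TOKEN` for a token carrying the `update:attack_protection` and `read:logs` scopes; the sample log entries are constructed, and the field names should be checked against the current Management API reference before use.

```python
"""Configure and verify Auth0 breached password detection via the Management API.

Added example, not Auth0's own code. Endpoint paths, field names and log
event codes follow the Management API v2 reference as recalled by the author
of this example; verify them against the current API reference.
"""
import json
import os
import urllib.parse
import urllib.request
from typing import Iterable, Optional

# Shield names accepted by PATCH /api/v2/attack-protection/breached-password-detection
SHIELD_BLOCK = "block"                  # "Block compromised user accounts"
SHIELD_USER = "user_notification"       # "Send notifications to users with compromised credentials"
SHIELD_ADMIN = "admin_notification"     # "Send notifications to account administrators"
FREQUENCIES = {"immediately", "daily", "weekly", "monthly"}
# "standard" = When breach data is published; "enhanced" = As soon as possible, with Credential Guard
METHODS = {"standard", "enhanced"}


def build_bpd_settings(enabled: bool = True, block: bool = True, notify_users: bool = True,
                       admin_frequency: Optional[str] = "daily", method: str = "standard") -> dict:
    """Return the JSON body for the breached-password-detection PATCH request."""
    if method not in METHODS:
        raise ValueError(f"method must be one of {sorted(METHODS)}")
    shields = []
    if block:
        shields.append(SHIELD_BLOCK)
    if notify_users:
        shields.append(SHIELD_USER)
    body = {"enabled": enabled, "shields": shields, "method": method}
    if admin_frequency is not None:
        if admin_frequency not in FREQUENCIES:
            raise ValueError(f"admin_frequency must be one of {sorted(FREQUENCIES)}")
        shields.append(SHIELD_ADMIN)
        # The API takes a list of frequencies (assumption: as in the API reference recalled above).
        body["admin_notification_frequency"] = [admin_frequency]
    return body


def logs_query_url(domain: str, email: str, per_page: int = 50) -> str:
    """URL for GET /api/v2/logs that selects breached-password events for one user (Lucene syntax)."""
    query = f'type:"pwd_leak" AND user_name:"{email}"'
    return f"https://{domain}/api/v2/logs?" + urllib.parse.urlencode({"q": query, "per_page": per_page})


def breach_events(logs: Iterable[dict], email: str) -> dict:
    """Count the two events the verification procedure expects: a blocked login and a failed email."""
    summary = {"blocked": 0, "notification_failed": 0}
    for entry in logs:
        if entry.get("type") == "pwd_leak" and entry.get("user_name") == email:
            summary["blocked"] += 1
        # The shape of an "fn" entry's details is not fixed, so match the recipient heuristically.
        elif entry.get("type") == "fn" and email in json.dumps(entry.get("details", {})):
            summary["notification_failed"] += 1
    return summary


def mgmt_request(domain: str, token: str, method: str, path: str, body: Optional[dict] = None):
    """Minimal Management API call with a bearer token; returns the decoded JSON response."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"https://{domain}{path}", data=data, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed sample log entries (not real tenant output) for running the check offline.
SAMPLE_LOGS = [
    {"type": "pwd_leak", "user_name": "leak-test@example.com", "ip": "198.51.100.7",
     "description": "Someone behind the IP address 198.51.100.7 attempted to login with a leaked password."},
    {"type": "fn", "description": "Failed to send email notification.",
     "details": {"to": "leak-test@example.com"}},
    {"type": "s", "user_name": "alice@corp.example", "ip": "203.0.113.5"},
]

if __name__ == "__main__":
    print(json.dumps(build_bpd_settings(admin_frequency="weekly"), indent=2))
    print(breach_events(SAMPLE_LOGS, "leak-test@example.com"))
    domain, token = os.environ.get("AUTH0_DOMAIN"), os.environ.get("AUTH0_MGMT_TOKEN")
    if domain and token:  # only touch a real tenant when credentials are provided
        mgmt_request(domain, token, "PATCH",
                     "/api/v2/attack-protection/breached-password-detection",
                     build_bpd_settings(admin_frequency="weekly"))
        entries = mgmt_request(domain, token, "GET", logs_query_url(domain, "leak-test@example.com")
                               .replace(f"https://{domain}", ""))
        print(breach_events(entries, "leak-test@example.com"))
```

Run offline it prints the settings body and the summary of the constructed log entries; with the environment variables set it applies the settings to the tenant and then reads back the tenant log for the test user, which after the leak-test login should show one blocked login. Deleting the leak-test user afterwards, as in step 3, still has to be done separately.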
