Does "Block compromised credentials for new accounts" also block password changes?

Get Help
,
1

Currently we have the attack protection “Breached Password Detection” enabled with the two following toggles:

  • Block compromised credentials for new accounts (Automatically block compromised credentials when users are creating new accounts.)
  • Block compromised user accounts (Automatically block accounts that try to log in using compromised credentials.)

I’m wondering if the first toggle also prevents a user from changing their password to one that matches some compromised credentials?

It’s a bit hard to test this without compromised credentials on hand, so having an answer will help satisfy some actions we are taking after a security audit.

Thanks

3

Hey there!

That’s a really good question! Let me confirm it with the engineering team behind this feature!

5

Okay got a confirmation from the team. Currently it does not. There is a feature on our roadmap for breached password on recovery flow that will add that ability but as of now we don’t have any public dates for that. Thank you!

6

Thanks for the prompt reply, I added a feature request: Block compromised credentials on password reset / recovery flow

If anyone else would like this feature, please add your vote.