Currently we have the attack protection “Breached Password Detection” enabled with the two following toggles:
- Block compromised credentials for new accounts (Automatically block compromised credentials when users are creating new accounts.)
- Block compromised user accounts (Automatically block accounts that try to log in using compromised credentials.)
I’m wondering if the first toggle also prevents a user from changing their password to one that matches some compromised credentials?
It’s a bit hard to test this without compromised credentials on hand, so having an answer will help satisfy some actions we are taking after a security audit.