Does "Block compromised credentials for new accounts" also block password changes?

Currently we have the attack protection “Breached Password Detection” enabled with the following two toggles:

  • Block compromised credentials for new accounts (Automatically block compromised credentials when users are creating new accounts.)
  • Block compromised user accounts (Automatically block accounts that try to log in using compromised credentials.)

I’m wondering if the first toggle also prevents a user from changing their password to one that matches some compromised credentials?

It’s a bit hard to test this without compromised credentials on hand, so having an answer will help satisfy some actions we are taking after a security audit.


Hey there!

That’s a really good question! Let me confirm it with the engineering team behind this feature!

Okay, got a confirmation from the team. Currently it does not. There is a feature on our roadmap for breached password detection on the recovery flow that will add that ability, but as of now we don’t have any public dates for that. Thank you!

Thanks for the prompt reply, I added a feature request: Block compromised credentials on password reset / recovery flow

If anyone else would like this feature, please add your vote.
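Since the toggles above only cover sign-up and login, a team that needs the same guarantee on password change or reset today has to enforce it in its own flow. The following is an added example, not code from the thread, from Auth0, or from Have I Been Pwned: it implements the k-anonymity range check that the HIBP Pwned Passwords API uses (only the first five hex characters of the SHA-1 are sent; suffixes are compared locally), run against a small constructed breach corpus so it works offline. In production, `range_lookup` would be replaced by an HTTP GET to `https://api.pwnedpasswords.com/range/<prefix>`; the corpus, the function names and the rejection message are all assumptions made for the example.

```python
import hashlib
from typing import Callable, Dict, Iterable, Tuple

# Constructed sample breach corpus for the offline example (not real breach data).
SAMPLE_BREACHED = ["password", "123456", "letmein", "qwerty"]


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form the Pwned Passwords range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(breached: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Index breached passwords the way the range API partitions them:
    5-char SHA-1 prefix -> {35-char suffix: occurrence count}."""
    index: Dict[str, Dict[str, int]] = {}
    for pw in breached:
        digest = sha1_upper(pw)
        prefix, suffix = digest[:5], digest[5:]
        bucket = index.setdefault(prefix, {})
        bucket[suffix] = bucket.get(suffix, 0) + 1
    return index


def make_offline_range_lookup(index: Dict[str, Dict[str, int]]) -> Callable[[str], str]:
    """Stand-in for the network call. Returns the same line format the real
    endpoint does: one 'SUFFIX:COUNT' entry per line for the requested prefix."""
    def lookup(prefix: str) -> str:
        entries = sorted(index.get(prefix.upper(), {}).items())
        return "\r\n".join(f"{suffix}:{count}" for suffix, count in entries)
    return lookup


def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """k-anonymity check: only the 5-char prefix leaves the process; the full
    hash never does. Returns how many times the password appeared in breaches."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count or 0)
    return 0


def validate_new_password(password: str, range_lookup: Callable[[str], str]) -> Tuple[bool, str]:
    """Gate to call from a password-change or reset handler before persisting
    the new credential. Rejects any password present in the breach corpus."""
    hits = breach_count(password, range_lookup)
    if hits > 0:
        return False, f"password appears in {hits} breach record(s); choose a different one"
    return True, "ok"


if __name__ == "__main__":
    lookup = make_offline_range_lookup(build_range_index(SAMPLE_BREACHED))
    for candidate in ("letmein", "correct horse battery staple"):
        print(candidate, "->", validate_new_password(candidate, lookup))
```

Two points to keep when wiring this into a real reset flow: fail closed only if your threat model accepts that an outage of the lookup service blocks password changes (otherwise log and allow, but alert), and never log the candidate password or its full hash, since the whole point of the prefix query is that neither leaves the process.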

