Currently we have the attack protection “Breached Password Detection” enabled with the following two toggles:
- Block compromised credentials for new accounts (Automatically block compromised credentials when users are creating new accounts.)
- Block compromised user accounts (Automatically block accounts that try to log in using compromised credentials.)
I’m wondering if the first toggle also prevents a user from changing their password to one that matches some compromised credentials?
It’s a bit hard to test this without compromised credentials on hand, so having an answer will help satisfy some actions we are taking after a security audit.
Okay, got confirmation from the team. Currently it does not. There is a feature on our roadmap for breached password detection on the recovery flow that will add that ability, but as of now we don’t have any public dates for that. Thank you!