
How do you disable login errors due to leaked credentials?



How do I disable this heinous atrocity? It is freaking out our customers and has nothing to do with our app. Auth0 has been ok so far, but this is a real flop from their product team; you are supposed to behave in a white-label manner, not flush our UX down the toilet with scary alerts that provide no context.



There are a couple of things worth mentioning in relation to this situation. The behavior you describe is part of anomaly detection, in particular the breached password detection. You can disable this functionality through your dashboard (IIRC, by default it starts as disabled for a new tenant/domain), which should then eliminate the source of the error message in question.

In addition, when using Lock, you can fully customize the text displayed by the library, so in this case you could provide a custom error message by doing something similar to the following:

// Lock options object: override the default text shown for the breached-password error
options.languageDictionary.error.login.password_leaked = "[your_custom_msg_with_context_here]";

Finally, it’s correct that the source of the issue is not related to your client application; however, the end-user is performing authentication with credentials that are available online for someone sufficiently determined to find, which means that the account that end-user has in your own client application can be controlled by attackers. In this scenario, even if the source of the issue is not your client application, I would say the end-users would be more comfortable in knowing you prevented such an attack.


I don’t disagree that it is good information to know and potentially find a way to present it; however, in its current form, over the last 48 hours we have lost over 10 users because they think our app was hacked based on this message. We expect that number may go up because they are also now spreading that we were hacked and don’t provide a secure authentication system.

I think there are some serious ramifications of trying to assimilate Website A and Website B together that have no relation to each other. We are already making plans to leave Auth0 but I think this idea is only half-baked.


Hi @david4, what alternatives are you considering?


@brightertools We are leaning towards Passport.js right now
