Breached password
Password breaches have become a prevalent threat to online security, and apps, including yours, must take proactive measures to safeguard their users' sensitive information. Ideally, you want all your users to have fresh, unique passwords that have never appeared in a known breach. This is difficult, but Frontegg makes it easy. This guide describes Frontegg's breached password detection and how to configure it.
How it works
The breached password engine scans user passwords during the sign-up and login process and compares them to databases of known breached passwords. This is all done without exposing passwords.
If a match is found, appropriate actions can be taken, such as requiring the user to reset their password or implementing additional security measures.
Prerequisites
The following versions are required to use this feature:
- @frontegg/react@6.0.4
- @frontegg/angular@6.4.0
- @frontegg/vue@3.0.4
- @frontegg/nextjs@8.0.4
Configuring breached password
Good to know
You only need to use breached password protection if you use passwords as one of your authentication strategies.
All you need to do is choose what should happen when a breached password is detected: Allow, Challenge, or Block.
See the next section to learn more about how user experiences will be affected by each action.
User's experience
Frontegg checks if passwords are breached in two different flows:
- Password use - e.g., during login
- Password creation - e.g., during signup or password changes
You can choose if users can use/create breached passwords or not by selecting one of the actions below:
| Action | User experience on login | User experience on password creation (signup or changing password) |
|---|---|---|
| Allow | 1. User continues to the app | User is allowed to create a password that is breached (e.g., `123456`) |
| Challenge | 1. User must complete an MFA challenge. 2. User continues to the app | User is not allowed to create a password that is breached |
| Block | 1. User sees a screen indicating that their password is breached and must reset it. 2. User goes to their email to click a reset link | User is not allowed to create a password that is breached |
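The following is an added illustration, not Frontegg code, of how a breached-password check can compare a password against a breach corpus without sending the password (or its full hash) to the checking service, and of how the Allow/Challenge/Block outcomes from the table above map onto that check's result. It uses the k-anonymity range-query pattern (client sends only the first 5 hex characters of a SHA-1 digest); the page does not state which mechanism Frontegg uses internally, and the corpus, function names and outcome labels here are constructed for the example.

```python
import hashlib

# Constructed sample breach corpus (password -> number of times seen in breaches).
# A real deployment would use a breach database, not this toy dictionary.
BREACHED_PASSWORDS = {"123456": 37_000_000, "password": 9_000_000, "qwerty": 4_000_000}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, matching the common range-query convention."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Index the corpus by the first 5 hex characters of the digest (the "range").
BREACH_INDEX = {}
for _pw, _count in BREACHED_PASSWORDS.items():
    _digest = sha1_hex(_pw)
    BREACH_INDEX.setdefault(_digest[:5], {})[_digest[5:]] = _count


def range_query(prefix: str) -> dict:
    """Server side: return every breached suffix sharing the 5-char prefix.
    The service only ever sees the prefix, so it cannot tell which password was checked."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return dict(BREACH_INDEX.get(prefix.upper(), {}))


def breach_count(password: str) -> int:
    """Client side: hash locally, send only the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return range_query(prefix).get(suffix, 0)


def decide(action: str, flow: str, password: str) -> str:
    """Apply the configured action (Allow / Challenge / Block) to the check result.
    flow is "login" (password use) or "create" (signup or password change).
    Return labels are constructed; they follow the user-experience table."""
    if breach_count(password) == 0 or action == "Allow":
        return "continue"
    if flow == "login":
        # Challenge: step-up MFA; Block: user must reset via emailed link.
        return "mfa_challenge" if action == "Challenge" else "force_reset"
    # Both Challenge and Block refuse to create a breached password.
    return "reject_password"
```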
Notify end users of breached passwords
In addition to the alert that informs users that their password is breached, you can also notify them by email.
Analyzing breached passwords in your app
Security events
If you’re curious how often breached password events occur in your app, you can view them over time in Security Events to see when and where they happened.