
Prevent the use of breached passwords


The system must check new passwords against a list of 1000 to 10000 breached passwords.


There are various mechanisms for cracking passwords that use public lists containing breached credentials. Systems must check submitted passwords against some of these lists and prevent account creation and password update operations that use passwords contained in them.
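One way to enforce this requirement, shown as an added example that is not part of the original page: a single `set_password` routine used by both account creation and password update, so neither path can skip the check. All function names, the in-memory `store`, the NFKC normalization step, the PBKDF2 parameters and the sample list are assumptions of this example.

```python
import hashlib
import os
import unicodedata

MIN_ENTRIES, MAX_ENTRIES = 1000, 10000  # list size stated by the requirement


class BreachedPasswordError(ValueError):
    """Raised when a candidate password appears in the breached list."""


def _normalize(password: str) -> str:
    # Assumption: compare NFKC-normalized forms so that visually identical
    # Unicode variants (e.g. fullwidth digits) match the same list entry.
    return unicodedata.normalize("NFKC", password)


def load_breached(lines) -> frozenset:
    # One password per line; blank lines are ignored.
    entries = frozenset(_normalize(l.rstrip("\r\n")) for l in lines if l.strip())
    if not MIN_ENTRIES <= len(entries) <= MAX_ENTRIES:
        raise ValueError(f"breached list has {len(entries)} entries, "
                         f"expected {MIN_ENTRIES}-{MAX_ENTRIES}")
    return entries


def set_password(store: dict, breached: frozenset, user: str, password: str):
    """Called for account creation and for password update. Rejects the
    operation before anything is written if the password is on the list."""
    candidate = _normalize(password)
    if candidate in breached:
        raise BreachedPasswordError("password appears in a breached list")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 salt, 600_000)
    store[user] = (salt, digest)  # only the salted hash is kept


# Constructed sample list: three widely known weak passwords plus filler
# entries to reach the minimum size. A deployment would load a public list.
SAMPLE_LIST = ["123456\n", "password\n", "qwerty\n"] + [
    f"constructed-filler-{i:04d}\n" for i in range(997)]
```
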


  • CAPEC-16: Dictionary-based Password Attack: An attacker tries each of the words in a dictionary as passwords to gain access to the system via some user's account. If the password chosen by the user was a word within the dictionary, this attack will be successful (in the absence of other mitigations).

  • CAPEC-560: Use of Known Domain Credentials: An adversary guesses or obtains (i.e., steals or purchases) legitimate credentials (e.g., userID/password) to achieve authentication and to perform authorized actions under the guise of an authenticated user or service.

  • CWE-521: Weak Password Requirements: The product does not require that users should have strong passwords, which makes it easier for attackers to compromise user accounts.

  • NIST 800-63B Memorized Secret Verifiers: Verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected or compromised.

  • OWASP Top 10 A2:2017-Broken Authentication: Application functions related to authentication and session management are often implemented incorrectly, allowing attackers to compromise passwords, keys, or session tokens, or to exploit other implementation flaws to assume other users' identities temporarily or permanently.

  • OWASP-ASVS v4.0.1 V2.1 Password Security Requirements.(2.1.7): Verify that passwords submitted during account registration, login, and password change are checked against a set of breached passwords either locally or using an external API.

  • OWASP-ASVS v4.0.1 V2.2 General Authenticator Requirements.(2.2.1): Verify that anti-automation controls are effective at mitigating breached credential testing, brute force, and account lockout attacks. Such controls include blocking the most common breached passwords, soft lockouts, rate limiting, CAPTCHA, ever increasing delays between attempts, IP address restrictions, or risk-based restrictions such as location, first login on a device, recent attempts to unlock the account, or similar. Verify that no more than 100 failed attempts per hour is possible on a single account.

  • PCI DSS v3.2.1 - Requirement 6.5.10: Address common coding vulnerabilities in software-development processes such as broken authentication and session management.