Breached-password screening enabled
Description
What this control does
Breached-password screening prevents users from selecting or retaining passwords that have been exposed in public data breaches by comparing credential hashes or values against known-compromised password databases (e.g., Have I Been Pwned, vendor threat intelligence feeds). This control is typically enforced at password creation, password reset, and optionally during periodic authentication flows. It significantly reduces credential-stuffing and brute-force attack success rates by eliminating passwords already in attacker toolkits.
Control objective
What auditing this proves
Demonstrate that the organization enforces automated screening of user passwords against known-breached password databases at account creation, password change, and optionally at authentication, preventing selection of compromised credentials.
Associated risks
Risks this control addresses
- Credential-stuffing attacks succeed using passwords harvested from third-party breaches against organizational accounts
- Brute-force attacks efficiently compromise accounts by prioritizing commonly-breached passwords
- Users unknowingly reuse passwords previously exposed in unrelated data breaches
- Attackers leverage publicly-available breach dumps to bypass password complexity requirements that do not account for real-world compromise
- Privilege escalation occurs when administrative accounts use credentials already in attacker password lists
- Regulatory non-compliance with authentication standards requiring breach-awareness (e.g., NIST 800-63B Authenticator Assurance Levels)
Testing procedure
How an auditor verifies this control
- Inventory all identity and access management platforms, authentication systems, and directory services (Active Directory, Azure AD, Okta, SSO providers) in scope.
- Review authentication policy configurations to confirm breached-password screening is enabled and identify the source database or service used (e.g., Azure AD Password Protection, Entra ID banned password lists, third-party API integrations).
- Examine configuration settings to determine enforcement scope, including whether screening applies to password creation, password reset, and/or periodic authentication events.
- Request and review documentation or configuration exports showing the frequency of breached-password database updates and the last successful synchronization timestamp.
- Perform a controlled test by attempting to create or reset a test account password using a known-breached password from public datasets (e.g., 'P@ssw0rd', 'Password123!') to verify rejection.
- Review audit logs or security event logs for a sample period (30-90 days) to identify instances where users were blocked from selecting breached passwords and confirm logging granularity.
- Validate that exceptions or bypass mechanisms are documented, justified, and restricted to specific administrative scenarios with compensating controls.
- Interview IT or identity management personnel to confirm procedures for responding to newly-disclosed breaches and updating banned password lists accordingly.
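The screening mechanism described under "What this control does" and the controlled test in the procedure above, as an added Python example that is not part of this control page or of any vendor product: the candidate password is hashed with SHA-1, only the first five hex characters go to a range lookup (the k-anonymity scheme used by the Have I Been Pwned Pwned Passwords API), and the password is rejected if its hash suffix appears in the returned range. The breach corpus is a constructed stand-in so the code runs offline; `hibp_range_lookup` shows the equivalent live call and is not exercised here.

```python
import hashlib
import urllib.request

def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the password as upper-case hex, the form the HIBP range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a breached-password corpus (password -> times seen in breaches).
CONSTRUCTED_CORPUS = {"P@ssw0rd": 95_000, "Password123!": 12_000, "qwerty": 3_900_000}

def build_range_index(corpus):
    """Lay the corpus out the way the range API serves it: 5-char prefix -> 'SUFFIX:COUNT' lines."""
    by_prefix = {}
    for pw, count in corpus.items():
        h = sha1_hex_upper(pw)
        by_prefix.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return {p: "\r\n".join(lines) for p, lines in by_prefix.items()}

RANGE_INDEX = build_range_index(CONSTRUCTED_CORPUS)

def offline_range_lookup(prefix: str) -> str:
    """Offline replacement for the network call, backed by the constructed index."""
    return RANGE_INDEX.get(prefix, "")

def hibp_range_lookup(prefix: str) -> str:
    """Live k-anonymity lookup: only the 5-char prefix leaves the host, never the password."""
    req = urllib.request.Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                                 headers={"Add-Padding": "true", "User-Agent": "pw-screen-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def breach_count(password: str, lookup=offline_range_lookup) -> int:
    """Breach occurrences for this password; 0 if unseen (padding rows from the live API carry count 0)."""
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        cand_suffix, _, count = line.strip().partition(":")
        if cand_suffix == suffix and count.isdigit():
            return int(count)
    return 0

def screen_password(password: str, lookup=offline_range_lookup, min_length: int = 8):
    """Decision a password-change handler would enforce and write to its audit log: (accepted, reason)."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = breach_count(password, lookup)
    if seen > 0:
        return False, f"found in breach corpus {seen} times"
    return True, "not found in breach corpus"
```

Note that 'Password123!' satisfies typical complexity rules yet is rejected, which is the gap this control closes over complexity-only policies.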
Where this control is tested