Okta evaluates common passwords using a continuously updated list of nearly one million breached or sprayed passwords. When a password policy uses the Common password check, Okta performs a case-insensitive evaluation to reject over 2.5 billion commonly used password combinations.
- Okta Identity Engine (OIE)
- Okta Classic Engine
- Password Policy
- Security
- Management & Monitoring
- Active Directory Password Policy
How does Okta evaluate common passwords?
Okta maintains a common password list of nearly 1,000,000 passwords drawn from various sources, including breach dumps and passwords observed in password-spraying attacks. Okta matches against this list case-insensitively, treating the uppercase and lowercase forms of a letter as the same character. For example, Okta rejects both PASSWORD and password, as well as every other combination of upper- and lowercase letters. Because every case variant of each entry is covered, this evaluation effectively blocks over 2.5 billion commonly used passwords.
NOTE: Okta continuously monitors the industry security landscape and updates the list. There is no set schedule for updates; Okta refreshes the data ad hoc as new information becomes available. Okta does not make this list public.
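As an added illustration (not Okta's code, and using a constructed four-entry denylist in place of Okta's non-public list), the following Python sketch contrasts an exact-match check with the case-insensitive evaluation described above, and counts how many case spellings a single list entry covers:

```python
# Added example: case-insensitive common-password check modelled on the
# behaviour this article describes. Not Okta's implementation.

# Constructed sample denylist standing in for Okta's ~1,000,000-entry list.
CONSTRUCTED_COMMON_PASSWORDS = {"password", "welcome1", "qwerty123", "letmein"}

# Normalize the list once, up front, so each lookup is a single set probe.
_NORMALIZED_DENYLIST = frozenset(p.casefold() for p in CONSTRUCTED_COMMON_PASSWORDS)


def is_common_exact(candidate: str) -> bool:
    """Naive check: only an exact, case-sensitive match is rejected.

    This misses PASSWORD, Password, PaSsWoRd, ... even though 'password'
    is on the list.
    """
    return candidate in CONSTRUCTED_COMMON_PASSWORDS


def is_common(candidate: str) -> bool:
    """Case-insensitive check, as the article describes.

    casefold() maps upper- and lowercase forms of a letter to the same
    character, so every case spelling of a list entry is rejected.
    """
    return candidate.casefold() in _NORMALIZED_DENYLIST


def case_variants(password: str) -> int:
    """Number of distinct upper/lower-case spellings of one password.

    Each character with distinct upper and lower forms doubles the count;
    digits and symbols contribute nothing. This is why a list of about a
    million entries covers billions of candidate strings.
    """
    return 2 ** sum(1 for ch in password if ch.upper() != ch.lower())


def evaluate(candidate: str) -> str:
    """Policy decision for one candidate password."""
    return "REJECT: common password" if is_common(candidate) else "OK"


if __name__ == "__main__":
    for cand in ("password", "PASSWORD", "PaSsWoRd", "Password1!"):
        print(f"{cand:12} exact={is_common_exact(cand)!s:5} "
              f"case-insensitive={is_common(cand)!s:5} -> {evaluate(cand)}")
    print("case spellings of 'password':", case_variants("password"))
```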
