Okta Classic Engine | Administration | Answered | 2025-07-27T09:00:12.000Z | 2018-09-05T17:24:28.000Z | 2020-12-10T11:49:16.000Z

uajg5 (uajg5) asked a question.

How does Okta handle the NIST requirement of checking user passwords against known breached passwords?

NIST has a requirement to not allow passwords that have previously been breached. Is there a way to implement this into Okta?

> When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:
>
> • Passwords obtained from previous breach corpuses.

https://pages.nist.gov/800-63-3/sp800-63b.html


  • Thank you for posting your question on the Okta Community. We have a feature to check for commonly used passwords, which is an Early Access feature and checks to ensure that passwords are not too weak based on a list of the most commonly used passwords. This needs to be enabled in your password policy in Okta. I would recommend that you open a case with Okta Support to have this feature enabled for your org. You can refer to our documentation for more information: https://help.okta.com/en/prod/Content/Topics/Security/Security_Policies.htm#Configur

    Selected as Best
    • Hey @vignesh.lakshminara1.5248408386703123E12 (Okta, Inc.), sorry to bomb this thread in the hope that the notifications are seen by someone who comes back to respond here, but the question asked and the answer here are really not aligned, and I'd like some specific comments on the state of password security and checking passwords against known breaches and custom dictionaries, for example.

      Or do I have to start a new thread to get someone to look at this? Thanks!
    • amvov (amvov)

      This does not answer the question.


      According to the documentation you linked, the Common password check tests against "a list of the most commonly used passwords".

      I could find no documentation revealing the number of entries in Okta's common password list or the frequency that it is updated, but the list from haveibeenpwned.com has been updated about twice a year since 2017 and currently contains over a half billion passwords.


      While your solution technically complies with the minimum standard in the NIST guideline, @uajg5 (uajg5) specifically asked about "known breached" passwords, and it is disingenuous and misleading to imply that a static list of the most common passwords is equivalent to a biannually updated list of all known breached passwords.

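The check the original question asks for, and that amvov's comment above contrasts with a static common-password list, can be illustrated in code. The following is an added example and is not part of this thread, nor Okta's or haveibeenpwned.com's own code. It implements the NIST SP 800-63B rule quoted in the question: at password set or change time, hash the candidate and reject it if the hash appears in a corpus of known-compromised passwords. The corpus here is constructed inline (the passwords and their breach counts are made up for the demonstration); the lookup by the first five hex characters of the SHA-1 mirrors the k-anonymity range scheme the public Pwned Passwords service uses, so that a verifier querying a remote corpus never sends the full password or full hash. The SHA-1 prefix length and the 8-character minimum length are the only values assumed beyond the page, and both come from the public scheme and from SP 800-63B respectively.

```python
"""Breached-password check in the style of NIST SP 800-63B section 5.1.1.2.

Added example, not Okta's code. A verifier rejects a candidate password when
its SHA-1 hash appears in a corpus of known-compromised hashes. The corpus is
indexed by the first five hex characters of the hash so that a client only
ever reveals that prefix when querying a remote range endpoint (the scheme
Pwned Passwords uses); the remaining 35 characters are compared locally.
"""
import hashlib
from collections import defaultdict

# Constructed sample corpus: password -> number of times seen in breaches.
# These entries and counts are invented for the example; a real deployment
# would load the downloadable Pwned Passwords file or call the range API.
SAMPLE_BREACHED = {
    "password": 1200,
    "123456": 5000,
    "qwerty": 800,
    "letmein": 45,
}

PREFIX_LEN = 5          # hex characters sent to the range endpoint
MIN_LENGTH = 8          # SP 800-63B minimum length for user-chosen secrets


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the UTF-8 password (the corpus' hash format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_corpus(breached: dict) -> dict:
    """Index the corpus as {prefix: {suffix: count}} for range lookups."""
    corpus = defaultdict(dict)
    for pw, count in breached.items():
        digest = sha1_hex(pw)
        corpus[digest[:PREFIX_LEN]][digest[PREFIX_LEN:]] = count
    return corpus


def range_lookup(corpus: dict, prefix: str) -> dict:
    """Simulated range endpoint: every suffix/count pair sharing this prefix.

    This is the only data that would cross the network in a real query, so
    the server learns a 5-hex-character prefix, never the password.
    """
    return corpus.get(prefix.upper(), {})


def breach_count(corpus: dict, password: str) -> int:
    """How many times the password appears in the breach corpus (0 if absent)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:PREFIX_LEN], digest[PREFIX_LEN:]
    return range_lookup(corpus, prefix).get(suffix, 0)


def check_password(corpus: dict, password: str) -> tuple:
    """Verifier decision at set/change time: (accepted, reason)."""
    if len(password) < MIN_LENGTH:
        return False, "shorter than the minimum length"
    count = breach_count(corpus, password)
    if count:
        # Reject without revealing which breach; the count is useful for logs.
        return False, f"found in breach corpus ({count} occurrences)"
    return True, "ok"


CORPUS = build_corpus(SAMPLE_BREACHED)

if __name__ == "__main__":
    for candidate in ("password", "letmein", "short1", "Tr0ub4dor&3"):
        accepted, reason = check_password(CORPUS, candidate)
        print(f"{candidate!r}: {'accepted' if accepted else 'rejected'} ({reason})")
```

The distinction amvov draws is visible in the data structure: a "common passwords" list is a small, rarely changing input to `build_corpus`, while a breach corpus is the same structure fed from a source that grows with each new breach, so the value of the check depends entirely on how often the corpus behind `range_lookup` is refreshed.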
  • mike.davie1.5312945692819849E12 (Customer First Programs)

    Hello Michael,


    Thanks for posting your inquiry in Okta Community Portal.


    If you receive a great answer to your question(s), please help readers find it by marking it the best answer. Hover over the answer and click "Best Answer." 


    Thank you,

    Mike Davie

    Okta Help Center

  • amvov (amvov)

    Has there been any update to this feature? Testing against a list of commonly used passwords is certainly helpful, but I think the OP was referring to comparing user passwords against existing data breaches, per NIST guidelines, not just checking a list of commonly used passwords. This is a feature currently provided by competitors, such as Auth0's breached password detection.

  • I would also like to bump this thread. It's disappointing to see that Okta appears to have ignored this for almost 2 years.


    Being able to validate passwords against known compromised passwords is table stakes feature wise.


    @vignesh.lakshminara1.5248408386703123E12 (Okta, Inc.), can you please respond to this with direct acknowledgement of @uajg5 (uajg5)'s request?


    As @amvov (amvov) points out, there are many others that support this; LastPass is another example. In fact, if you have a password that gets compromised after you store it, they will notify you, although you have to enable or run a security scan on your account to get that feedback.

  • miqxq (miqxq)

    Okta should seriously do better at monitoring these discussions. I mean actually have someone read and respond to them and stop with the annoying bot-like responses:


    "Thanks for posting your inquiry in Okta Community Portal.


    If you receive a great answer to your question(s), please help readers find it by marking it the best answer....."


This question is closed.