
txqqe (txqqe) asked a question.
Hello,
I have seen a number of posts about this, but nothing recent, and am hoping I could get an update. Does Okta check passwords against a breached password database of any sort? Can the platform warn a user or admin that a password has been breached before? I know that admins can create password policies, but there may be an instance where a user meets the complexity rules of the policy, but the password may still have appeared in a breach.
Any update on this would be helpful.
Many thanks,
Tristan

Hi Tristan Eley,
Hope you are doing good!
Please be informed that whenever any user, irrespective of role (an end user or an admin), tries to reset their password to one that is in Okta's list of breached passwords, they get an error message/warning and cannot make use of that breached password.
Enclosing the snapshot for your reference:
One must enable the "Common password check" feature within the Password Policy to verify new passwords against the breached password list.
Please let me know if this addresses your query. If so, kindly upvote.
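To illustrate the point raised in the question (a password can satisfy every complexity rule yet still be a known breached one), here is an added example that is not part of this thread or of Okta's product: a small policy engine that applies typical complexity rules and then an optional common/breached-password check. The breached list is a constructed sample stored as SHA-1 hashes, and the lookup mimics a prefix (k-anonymity style) query so the full hash never leaves the client; the function names and the list are assumptions for this example.

```python
import hashlib
import re

# Constructed sample "breached password" list, stored as upper-case SHA-1 hex.
# This is an assumption for the example; Okta's real list is not published.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Password123", "Welcome1!", "Summer2023")
}


def meets_complexity(password, min_length=8):
    """Typical policy rules: minimum length plus upper, lower and digit."""
    return (
        len(password) >= min_length
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[0-9]", password) is not None
    )


def breached_lookup(prefix):
    """Simulated range endpoint: suffixes of stored hashes sharing `prefix`."""
    return {h[5:] for h in BREACHED_SHA1 if h.startswith(prefix)}


def is_breached(password):
    """Send only the first 5 hex chars of the hash; compare the rest locally."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in breached_lookup(digest[:5])


def evaluate(password, common_password_check=True):
    """Return (accepted, reason) the way a password policy would."""
    if not meets_complexity(password):
        return False, "fails complexity rules"
    if common_password_check and is_breached(password):
        return False, "appears in breached password list"
    return True, "ok"


if __name__ == "__main__":
    for pw in ("password", "Password123", "Xq7!vR2mLp9w"):
        print(pw, evaluate(pw))
```

With the check enabled, "Password123" passes complexity but is rejected as breached; with it disabled, the same password is accepted, which is the gap the question describes.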
Hi Jijo,
Thank you so much for the response.
I would like to clarify: this is for when a user updates, changes or sets their Okta password, right?
I have simulated a user experience by assigning a new app and setting the Sign On option to 'user sets username and password'. When the user updates their credentials, Okta allows them to set the password Password123 without giving them any warning that this is a weak or breached password. How can I configure apps so that users are not allowed to use weak or breached passwords when configuring apps? My desired outcome is that users are forced to update their password on the app before adding it to their Okta environment. Does that make sense?
Many thanks in advance.
Tristan
Hi Tristan Eley
Okta does not have the capability to control the password complexity for third-party applications.