Password Policy and Compromised Credentials Detection
Benefits
Using password policies and compromised credentials detection provides:
- Proactive Security: Prevent the use of passwords already exposed in data breaches
- User Protection: Alert users when their chosen passwords are unsafe
- Compliance: Meet security standards requiring protection against known compromised credentials
- Attack Prevention: Stop attackers from using common or leaked passwords
- Easy Integration: Simple to add to registration and password change flows
Overview
The problem: Many passwords are weak or have been exposed in data breaches. Attackers use lists of common passwords and leaked credentials to break into accounts.
Common password problems:
- Simple passwords like "12345" or "password"
- Passwords reused across multiple websites
- Passwords that appeared in data breaches (like when a company gets hacked)
cidaas solves this with two tools that work together:
- Password Policies - Force users to create strong passwords with specific rules
- Compromised Credentials Detection - Check if a password has been exposed in known data breaches
Why Both Mechanisms Matter
Think of it like a house with two locks:
- Password Policy = A strong lock (makes passwords hard to guess)
- Compromised Credentials Detection = A security system (knows which keys have been stolen)
Even if a password is strong (meets all complexity rules), it's still dangerous if it appeared in a data breach. That's why you need both:
- Password policies ensure passwords are hard to guess
- Compromised credential detection ensures passwords haven't been leaked
Together, they create strong protection.
Password Policy
Password policies allow you to set appropriate password strength requirements for your cidaas instance. You can configure rules such as minimum length, character complexity, expiration periods, and password history to prevent weak or predictable passwords.
Learn more: Password Policy Configuration
Compromised Credentials Detection
Compromised Credentials Detection checks if a password has been exposed in data breaches. You can use this when users register or change their password.
How It Works
cidaas uses data from Have I Been Pwned, which keeps a huge database of passwords that appeared in data breaches. When you check a password:
- cidaas checks it against the breach database
- Your actual password is never stored or sent in plain text (privacy protected)
- You get back a simple answer: is this password safe or not?
The API tells you:
- iscompromised - true if the password was found in breaches, false if it's safe
- count - How many times this password appeared in breach databases
If iscompromised is false and count is 0, the password is safe to use.
Related API Documentation
Compromised Credentials Detection API
Endpoint: POST /breach
Request Example:
curl --location --request POST 'https://common-services.cidaas.de/breach?request_id=c894dc28-5fcb-43d0-bd98-eaf63bfd61e3' \
  --header 'Content-Type: application/json' \
  --header 'x-public-url: https://cidaas-in-action.cidaas.de' \
  --data-raw '{
    "password": "1234",
    "isHash": false
  }'
Response Example:
{
  "iscompromised": true,
  "count": 1371079
}
In this example, the password "1234" has been compromised and appears in breach databases 1,371,079 times.
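As an added example that is not cidaas code, the following Python client builds the same POST /breach request as the curl call above, parses the iscompromised/count response, and combines it with a local password policy so a password has to pass both checks. The policy rules (12 characters, three character classes), the request_id and x-public-url values, and the fake transport with its constructed breach counts are all assumptions made so the example runs offline.

```python
import json
import re
import urllib.request

# Endpoint and headers follow the curl example on the page.
BREACH_URL = "https://common-services.cidaas.de/breach"

def build_breach_request(password, request_id, public_url, is_hash=False):
    """Build the POST /breach request the way the page's curl example does."""
    body = json.dumps({"password": password, "isHash": is_hash}).encode()
    return urllib.request.Request(
        f"{BREACH_URL}?request_id={request_id}", data=body, method="POST",
        headers={"Content-Type": "application/json", "x-public-url": public_url})

def parse_breach_response(raw):
    """Return (iscompromised, count) from the JSON response body."""
    data = json.loads(raw)
    return bool(data["iscompromised"]), int(data.get("count", 0))

def policy_violations(password, min_length=12):
    """Local policy check; the rules here are an assumed sample configuration."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]"))
    if classes < 3:
        problems.append("needs at least three character classes")
    return problems

def evaluate_password(password, send, request_id, public_url):
    """Run both checks. send(Request) -> bytes is injectable; in production pass
    lambda req: urllib.request.urlopen(req).read()."""
    problems = policy_violations(password)
    raw = send(build_breach_request(password, request_id, public_url))
    compromised, count = parse_breach_response(raw)
    if compromised:
        problems.append(f"found in breach data {count} times")
    return {"accepted": not problems, "problems": problems}

# Constructed stand-in for the network: "1234" answers with the page's sample
# response; "Winter2024!!" is policy-compliant but pretended leaked, to show
# why the policy alone is not enough.
FAKE_BREACH_DB = {"1234": 1371079, "Winter2024!!": 42}

def fake_send(req):
    pw = json.loads(req.data)["password"]
    count = FAKE_BREACH_DB.get(pw, 0)
    return json.dumps({"iscompromised": count > 0, "count": count}).encode()

if __name__ == "__main__":
    for pw in ("1234", "Winter2024!!", "correct-horse-Battery-9"):
        print(pw, evaluate_password(pw, fake_send, "REQUEST-ID-PLACEHOLDER", "https://example.invalid"))
```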
Password Policy API