
Breached Password Detection

Introduction
Compromised passwords are a major security threat, posing a significant risk of unauthorized account access and data breaches. SSOJet implements advanced breached password detection techniques to identify and mitigate this risk, protecting user accounts and organizational data. This document provides a detailed overview of SSOJet's breached password detection strategies.
Scope
This document covers the following aspects of breached password detection:
  • Methods for identifying breached passwords
  • Integration with SSOJet
  • Best practices for breached password detection
  • Ongoing maintenance and updates
Methods for Identifying Breached Passwords
SSOJet utilizes multiple methods to identify passwords that have been compromised in data breaches:
1. Password Blacklists
   • Maintaining comprehensive databases of breached passwords obtained from reputable sources.
   • Blocking login attempts using passwords found on blacklists.
2. Password Hashing
   • Storing passwords securely using one-way hashing algorithms.
   • Comparing entered passwords against hashed versions in the database, without ever storing passwords in plain text.
   • Checking hashed passwords against known breached password hashes without revealing the original password.
3. Password Risk Scoring
   • Analyzing password characteristics such as length, complexity, and common patterns.
   • Assigning risk scores to passwords based on these characteristics.
   • Flagging high-risk passwords for further validation or prompting users to change them.
4. Third-Party Breach Monitoring Services
   • Integrating with third-party breach monitoring services that track leaks and compromised credentials.
   • Receiving alerts when user credentials appear in a known data breach.
Integration with SSOJet
SSOJet seamlessly integrates breached password detection into its authentication process:
1. Real-time Checks
   • Checking passwords against blacklists and risk scoring in real time during login attempts.
   • Immediately preventing access attempts that use breached passwords.
2. Adaptive Security
   • Continuously updating password blacklists based on the latest breach information.
   • Refining risk-scoring algorithms to adapt to evolving threats and password patterns.
3. User Education
   • Prompting users to change passwords identified as breached or high-risk.
   • Educating users on creating strong, unique passwords for improved security.
4. Security Measures
   • Implementing robust security measures to protect password data, including encryption at rest and in transit.
   • Following industry best practices for secure password storage and handling.
Best Practices for Breached Password Detection
SSOJet adheres to best practices to ensure effective breached password detection:
1. Multi-layered Approach
   • Combining password blacklists, risk scoring, and breach monitoring for comprehensive protection.
   • Regularly evaluating and updating detection methods to address new threats.
2. User Awareness
   • Educating users about the importance of strong passwords and the risks of password reuse.
   • Encouraging users to enable two-factor authentication for added security.
3. Transparency and Communication
   • Informing users if their credentials are detected in a breach and prompting them to change their passwords.
   • Communicating security practices openly to maintain user trust.
4. Regular Reviews and Audits
   • Conducting periodic reviews of breached password detection methods for effectiveness.
   • Performing security audits to identify and address potential vulnerabilities.
Ongoing Maintenance and Updates
SSOJet is committed to continuous improvement of its breached password detection:
1. Blacklist Updates
   • Continuously monitoring and updating password blacklists with the latest breached credential information.
   • Utilizing threat intelligence feeds to stay informed about emerging threats and password compromise risks.
2. Security Enhancements
   • Regularly evaluating and enhancing breached password detection algorithms for improved accuracy.
   • Implementing new detection methods as security best practices and technologies evolve.
3. User Education Initiatives
   • Providing ongoing security awareness programs to educate users about password hygiene and best practices.
   • Offering password management tools to help users create and maintain strong, unique passwords.
Conclusion
SSOJet prioritizes user account security by employing advanced breached password detection techniques. Through a combination of password blacklists, risk scoring, breach monitoring, and user education, SSOJet safeguards user accounts and organizational data from unauthorized access. Ongoing maintenance and updates ensure that SSOJet's breached password detection remains robust and adapts to ever-changing security landscapes.
For any security-related inquiries or to report a security incident, please contact our security team at:
Email: support@ssojet.com
This document provides a comprehensive overview of SSOJet's breached password detection strategies. It can be further expanded upon to include specific details about SSOJet's implementation or tailored to address the needs of a particular organization.
Modified at 2024-06-18 09:10:12