Leaked-Password Screening

A control that checks proposed passwords against known breach datasets or published password corpora before allowing them to be set. It helps stop users from choosing credentials that may satisfy length or complexity rules but are already exposed to attackers.

Expanded Definition

Leaked-password screening is a preventive password control that rejects credentials found in breach corpora, public password lists, or other known-compromised datasets before the password is accepted. In NHI and IAM programs, it is best understood as a quality gate on credential selection, not as a substitute for password length, complexity, or MFA. Standards and vendor implementations vary: some products compare against curated breach hashes, while others use k-anonymity, local blocklists, or online reputation checks. The security value comes from removing passwords attackers already know or can guess cheaply from prior exposure. This control is especially relevant for admin portals, shared service access, and recovery flows where a reused password can become a fast path to account takeover. Microsoft Entra password protection is one widely documented implementation pattern, while the broader identity guidance in NIST SP 800-63B supports blocking compromised secrets as part of memorized secret policy. The most common misapplication is treating leaked-password screening as a one-time setup, which occurs when organisations fail to update breach lists or apply the check only to new users.

Examples and Use Cases

Implementing leaked-password screening rigorously often introduces user friction and operational overhead, requiring organisations to weigh stronger credential hygiene against occasional password reset failures and help desk exceptions.

  • A workforce directory rejects a new password because it appears in a breach corpus, even though it meets the site’s length rules.
  • A privileged admin account is blocked from using a recycled password that was exposed in a prior third-party incident, reducing the chance of rapid lateral movement.
  • A customer IAM flow screens passwords against known leaked lists during sign-up and reset, reducing account takeovers from credential stuffing.
  • A service portal applies the control to break-glass or recovery passwords, where reuse risk is high and detection windows are short.
  • Security teams pair screening with rotation and offboarding controls described in the Ultimate Guide to NHIs — Why NHI Security Matters Now and the Guide to the Secret Sprawl Challenge, especially where passwords are still used around APIs, CI/CD, or fallback access.

Research on automated intrusion pressure also matters here: the Anthropic report on AI-orchestrated cyber espionage reinforces why exposed credentials should not be allowed to persist in any credential workflow.
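The k-anonymity style of check mentioned in the definition above, together with the sign-up, reset and re-check use cases listed here, can be seen end to end in the following added example. It is not code from this page, from NHIMG, or from any vendor product. It follows the range-query pattern used by Have I Been Pwned's Pwned Passwords service: the client hashes the candidate password with SHA-1, sends only the first five hex characters of the digest, receives every suffix in that range with an exposure count, and does the final comparison locally, so the full password hash never leaves the client. The breach corpus, the in-process "server", the minimum length and every password string are constructed for the demo.

```python
"""Leaked-password screening via a k-anonymity range query (added example).

Assumptions (not from the page): a tiny constructed breach corpus, an
in-process RangeServer standing in for a remote breach service, and a
12-character minimum length. A real deployment queries a maintained corpus
and refreshes it regularly rather than treating the list as a one-time setup.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed corpus of "leaked" passwords with made-up exposure counts.
# These are deliberately familiar weak strings, not data from any real breach.
CONSTRUCTED_CORPUS: Dict[str, int] = {
    "Password123!": 1200,                  # meets most complexity rules, still leaked
    "Summer2024!": 85,
    "correct horse battery staple": 3,     # long passphrase, still leaked
}

HEX = set("0123456789ABCDEF")


def sha1_hex(password: str) -> str:
    """Uppercase SHA-1 hex digest, the key used by the range protocol."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Stand-in for the remote breach service: corpus indexed by 5-char prefix."""

    def __init__(self, corpus: Dict[str, int]) -> None:
        self.index: Dict[str, List[Tuple[str, int]]] = {}
        for pw, count in corpus.items():
            digest = sha1_hex(pw)
            self.index.setdefault(digest[:5], []).append((digest[5:], count))

    def range(self, prefix: str) -> List[Tuple[str, int]]:
        """Return (suffix, count) pairs for one prefix. The server only ever
        sees these five characters, which is what keeps the query k-anonymous."""
        if len(prefix) != 5 or any(c not in HEX for c in prefix):
            raise ValueError("prefix must be exactly 5 uppercase hex characters")
        return list(self.index.get(prefix, []))


def exposure_count(password: str, server: RangeServer) -> int:
    """Client side of the protocol: send the prefix, match the suffix locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for cand_suffix, count in server.range(prefix):
        if cand_suffix == suffix:
            return count
    return 0


@dataclass
class Decision:
    accepted: bool
    reason: str


def screen_new_password(password: str, server: RangeServer, min_length: int = 12) -> Decision:
    """Quality gate applied at sign-up and reset: length first, then breach corpus.
    A leaked password is rejected even when it satisfies the length rule."""
    if len(password) < min_length:
        return Decision(False, "too short")
    n = exposure_count(password, server)
    if n > 0:
        return Decision(False, f"appears in breach corpus ({n} exposures)")
    return Decision(True, "ok")


def recheck_at_login(password: str, server: RangeServer) -> bool:
    """Re-screen at authentication time, when the plaintext is available, so a
    password that became exposed after it was set is flagged for rotation.
    Returns True when the account should be forced through a reset."""
    return exposure_count(password, server) > 0


SERVER = RangeServer(CONSTRUCTED_CORPUS)

if __name__ == "__main__":
    for candidate in ["Password123!", "correct horse battery staple", "abc", "Vessel-Orbit-9931-xk2"]:
        d = screen_new_password(candidate, SERVER)
        print(f"{candidate!r:35} accepted={d.accepted} reason={d.reason}")
    print("force rotation for Summer2024!:", recheck_at_login("Summer2024!", SERVER))
```

`screen_new_password` is the gate for new and reset passwords; `recheck_at_login` is the piece most deployments forget, and it is what turns the control from a one-time setup into one that keeps pace with an updated corpus.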

Why It Matters in NHI Security

Leaked-password screening matters because non-human identities often inherit weak human password habits when teams create local admin users, vendor break-glass accounts, or legacy service accounts. In those cases, a password that has already appeared in public breach data can become an immediate credential-stuffing target, especially when the same secret is reused across systems. NHIMG research shows that 79% of organisations have experienced secrets leaks and 77% of those incidents resulted in tangible damage, which makes exposed-secret prevention a practical governance issue rather than a cosmetic control. The control also supports zero trust by reducing the likelihood that an attacker can leverage a guessed or reused password as a foothold into API consoles, vaults, or privileged workflows. That matters even more where NHIs outnumber human identities by 25x to 50x and where visibility is weak, because a single compromised password can mask broader secret sprawl. Organisational resistance usually fades only after a credential-based incident, at which point leaked-password screening becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
OWASP Non-Human Identity Top 10  | NHI-01              | Addresses weak or reused credential patterns that allow NHI account compromise.
NIST SP 800-63                   | 5.1.1.2             | Recommends rejecting compromised memorized secrets during enrollment and reset.
NIST CSF 2.0                     | PR.AA               | Supports authentication controls that prevent credential misuse and account takeover.

Add leaked-password screening to identity workflows that govern authentication strength.