
Known-Bad Password Screening

By NHI Mgmt Group Updated July 1, 2026 Domain: Governance, Ownership & Risk

Known-bad password screening is the practice of rejecting passwords that are weak, common, reused, or found in breach datasets before they become usable. It moves password security from after-the-fact detection to preventive identity governance at creation and reset time.

Expanded Definition

Known-bad password screening is a preventive control that checks a candidate password against denial lists before acceptance, blocking weak, common, breached, or heavily reused values at creation and reset time. In identity programs, it is used alongside length, complexity, and rate-limiting controls, but it solves a different problem: whether the chosen secret is already known to attackers or broadly predictable.

Definitions vary across vendors on how broad the screening corpus should be. Some implementations only block top-10,000 common passwords, while stronger programs also test against breached password datasets, organization-specific terms, and context-aware patterns tied to the user or NHI owner. NIST guidance treats compromised-password screening as a core authentication safeguard, and the control is especially important where service accounts, admin portals, and recovery flows still rely on passwords rather than phishing-resistant factors. The practical goal is to prevent a credential from becoming usable at all, rather than discovering its weakness after compromise.

The most common misapplication is treating password complexity rules as a substitute for screening, which occurs when an organisation accepts a long but easily guessed password that is still present in breach lists.

Examples and Use Cases

Implementing known-bad password screening rigorously often introduces a small usability and engineering cost, because password submission and reset flows must query a denylist service or local hash corpus in real time.

  • A workforce IAM portal rejects passwords that appear in breach corpora, reducing the chance that a newly reset account starts with an attacker-known secret.
  • A privileged access workflow screens candidate passwords for admin break-glass accounts, aligning with the governance concerns highlighted in the Ultimate Guide to NHIs.
  • A CI/CD system that still uses password-based access to a legacy console blocks human-readable patterns such as product names, seasons, and company branding.
  • A help desk reset process checks both exact matches and near matches, so users cannot simply append a number to a breached password and pass validation.
  • An identity team pairs screening with the password guidance in NIST Cybersecurity Framework 2.0 to support stronger authentication outcomes.
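The following is an added example, not NHIMG's code or any vendor's implementation, of the screening step the use cases above describe: a candidate password is reduced to a few normalised forms (case-folded, edge digits and punctuation stripped, common character substitutions reversed) and each form is looked up in a local hash corpus, then checked for organisation-specific terms, season names, and the account's own username. The breach corpus, the company name "Acme", the product name "Widgetron" and the minimum length are constructed for the example; a real deployment would load a mirrored breach hash file or query a denylist service instead.

```python
import hashlib
import re
import unicodedata

# Constructed stand-in for a breach corpus. A real deployment would load a
# locally mirrored hash file or query a denylist service; here a handful of
# plaintexts are hashed at import time so the plaintext list never has to ship.
_SAMPLE_BREACHED = ["password", "123456", "qwerty", "summer", "letmein", "welcome"]
BREACHED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in _SAMPLE_BREACHED}

# Constructed organisation-specific terms (hypothetical company "Acme" and
# hypothetical product "Widgetron"): product names and branding the page
# says a legacy-console screen should block.
ORG_TERMS = ("acme", "widgetron", "helpdesk")
SEASONS = ("spring", "summer", "autumn", "fall", "winter")
MIN_LENGTH = 12  # assumed policy value, not from the page

# Common character substitutions reversed, so "P@ssw0rd" collapses to "password".
_UNLEET = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
)
# Digits, punctuation and underscores at either end of the string.
_EDGE_NOISE = re.compile(r"^[\W\d_]+|[\W\d_]+$")


def _variants(pw: str) -> set[str]:
    """Forms a candidate is reduced to before denylist lookup.

    Covers the cheap mutations users apply to a known-bad base word: case
    changes, appended or prepended digits and punctuation, and leet-style
    substitutions. Every form is checked, so "Summer2023!" still hits "summer".
    """
    base = unicodedata.normalize("NFKC", pw).casefold()
    stripped = _EDGE_NOISE.sub("", base)
    return {
        base,
        stripped,
        base.translate(_UNLEET),
        stripped.translate(_UNLEET),
        _EDGE_NOISE.sub("", base.translate(_UNLEET)),
    }


def _in_breach_corpus(value: str) -> bool:
    """Hash-and-lookup against the local corpus; the plaintext is never stored."""
    return hashlib.sha1(value.encode("utf-8")).hexdigest() in BREACHED_SHA1


def screen_password(candidate: str, *, username: str = "") -> list[str]:
    """Return the reasons to reject `candidate`; an empty list means accepted."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")

    forms = _variants(candidate)
    if any(_in_breach_corpus(f) for f in forms if f):
        reasons.append("matches or is a near match of a breached password")

    # Context-aware checks run over every normalised form as a substring search.
    haystack = " ".join(forms)
    if any(term in haystack for term in ORG_TERMS):
        reasons.append("contains an organisation-specific term")
    if any(season in haystack for season in SEASONS):
        reasons.append("contains a season name")
    if len(username) >= 4 and username.casefold() in haystack:
        reasons.append("contains the account username")
    return reasons


if __name__ == "__main__":
    for pw in ["Summer2023!", "P@ssw0rd2024!!", "Widgetron-Deploy-2026",
               "correct horse battery staple"]:
        verdict = screen_password(pw) or ["accepted"]
        print(f"{pw!r}: {'; '.join(verdict)}")
```

Returning a list of reasons rather than a single boolean lets the reset flow tell the user why the value was refused without revealing which corpus entry matched, and it keeps the policy checks independent so the same function can sit behind the IAM portal, the privileged-access workflow and the help desk path the page lists.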

Known-bad screening is also useful for NHI-adjacent systems that still depend on operator-managed credentials, because those passwords often protect the very consoles where service accounts, API keys, and certificates are administered. NHIMG notes that 79% of organisations have experienced secrets leaks, with 77% causing tangible damage, which shows how often weak credential hygiene becomes an incident multiplier. Screening does not replace rotation, vaulting, or least privilege, but it closes the easiest path to predictable passwords. The control is most valuable where password creation is automated, high-volume, or delegated to self-service workflows.

Why It Matters in NHI Security

Known-bad password screening matters in NHI security because attackers frequently pivot through the management plane, not just the application plane. If operators can create weak passwords for vaults, consoles, service-account administration, or break-glass access, the organisation inherits a credential that is easy to guess, easy to reuse, and hard to distinguish from legitimate access until after misuse. NHIMG research shows that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, and weak password selection often sits upstream of that exposure.

Screening is particularly relevant when teams are reducing standing access under Zero Trust and trying to raise assurance around administrative workflows. It supports better hygiene, but only if it is enforced at the points where passwords are born, changed, or recovered. That means identity systems, privileged access tooling, and legacy admin paths all need the same policy, not just the primary login page. Organisations that neglect this often discover the weakness only after a vault account, help desk path, or recovery channel is abused, at which point deploying known-bad password screening becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST SP 800-63 and NIST CSF 2.0 set the governance and control requirements practitioners need to meet.

Framework | Control / Reference | Relevance
--- | --- | ---
NIST SP 800-63 | AAL1 | NIST requires memorized secret screening against compromised passwords.
NIST CSF 2.0 | PR.AC-7 | Authentication mechanisms should be strengthened and protected from weak secrets.
OWASP Non-Human Identity Top 10 | NHI-02 | Weak secret reuse and exposure are central to improper secret management risk.

Block known-bad passwords wherever NHI operators create or reset access credentials.

NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 1, 2026.