Compromised Password Validation

Smarsh Hosted Services has introduced a new security improvement: new user passwords are validated to prevent users from choosing previously compromised passwords. The validation is performed against the Have I Been Pwned database (https://haveibeenpwned.com/).
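The check described above, as an added example that is not Smarsh's code or part of the original page: a client looks a candidate password up in the Have I Been Pwned Pwned Passwords database using its k-anonymity range API, so only the first five hex characters of the password's SHA-1 hash leave the host and the suffix match happens locally. The `hibp_range_lookup` network function is an assumption about the public API, and the sample range response is constructed for the offline demo.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # assumed public range endpoint


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix (sent) and 35-char suffix (kept)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines of a range response into {suffix: count}, skipping blank lines."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def hibp_range_lookup(prefix: str) -> str:
    """Fetch the range for a hash prefix from the live API (network call; not used by the offline demo)."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix, headers={"User-Agent": "password-policy-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, range_lookup: Callable[[str], str] = hibp_range_lookup) -> int:
    """Return how many times the password appears in the database (0 = not found). Only the prefix is sent."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_lookup(prefix)).get(suffix, 0)


# Constructed sample range response for prefix 5BAA6 (the SHA-1 prefix of "password"); counts are made up.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
003B9E7D9A5C0C28B2C6E6D4F5A2B1C0D9E:2
0D6A7E0F7B3C3F1A6C9F1B2D3E4F5A6B7C8:17
"""


def offline_lookup(prefix: str) -> str:
    """Stand-in for the API used by the demo: returns the constructed sample for 5BAA6, empty otherwise."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, offline_lookup)
        print(f"{candidate!r}: {'compromised, seen ' + str(n) + ' times' if n else 'not found in sample'}")
```

A policy engine would reject (or, as the page describes for the warning-only mode, flag) any candidate for which `pwned_count` is greater than zero.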

The Account Contact can navigate to Security Policies > User Password Policies in the CONTROL PANEL to enable the restriction policy. When it is enabled, users are prevented from setting a compromised password during password reset or recovery.

[Screenshot: User Password Policies]

Note: this restriction policy doesn't apply to the Account Contact. The Account Contact can set any password for existing or new AD users regardless of the policy.

If the restriction policy is disabled, users may still see a warning in the following cases:

  • Recovery of forgotten password
  • Updating the password after expiration
  • Setting up a user password after it has been reset by the administrator
  • Creating a new user in CONTROL PANEL

Important: compromised password validation is performed only in the CONTROL PANEL, not in My Services. There is also no validation for bulk user import and user creation via the CONTROL PANEL. Users are neither warned nor restricted if they set a compromised password using one of these methods.

In the above cases if a user tries to use a password that has been found in the compromised passwords database, the following warning will be shown:

[Screenshot: login]

[Screenshot: user creation]

Note: The warning is only a notification. It will not prevent a user from using this password. However, we strongly advise against using a compromised password.

Warnings can't be disabled. If the restriction policy is on, Account Contacts will also see this warning if they try to use a compromised password for a user in the CONTROL PANEL:

[Screenshot: CONTROL PANEL]