Breached Password Detection with a Custom Database
This article explains how Auth0's Breached Password Detection feature functions when used with a custom database. Users may observe this feature blocking user sign-up, login, or password reset attempts even when passwords are not stored in the Auth0 database.
- Custom Database
- Breached Password Detection
Auth0's authentication pipeline checks credentials against a known database of breached passwords before executing custom database scripts. When a user attempts an action like logging in or signing up, the system hashes the provided password and compares it against the breach database. This check is an internal part of the authentication flow and does not depend on where the password is ultimately stored.
The Breached Password Detection feature applies to the following scenarios when a custom database is in use, regardless of whether the user import (migration) mode is enabled or disabled:
- User Creation: Blocks new users from signing up with a compromised password.
- Login: Blocks existing users from logging in with a compromised password, prompting a password reset.
- Password Reset: Prevents users from setting a new password that is known to be compromised.
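The ordering described above, as an added conceptual model (this is not Auth0's implementation or code from the original article). It shows why a custom database script never runs for a blocked attempt. The SHA-256 hash, the in-memory breach set, the script stand-ins and the outcome strings are all assumptions made for illustration.

```javascript
// Conceptual model only. SHA-256, all names and all outcome strings are assumptions.
const crypto = require("crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s, "utf8").digest("hex");

// Constructed stand-in for the breach corpus: hashes of known-leaked passwords.
const BREACHED = new Set(["password123", "qwerty2020"].map(sha256));

// Hypothetical stand-ins for a tenant's custom database action scripts.
// Each one records that it ran, so we can see whether the pipeline reached it.
function makeCustomDb() {
  // Constructed legacy user; toy store (a real one keeps a salted hash).
  const users = new Map([["ana@example.com", "password123"]]);
  const calls = [];
  return {
    calls,
    create: (email, pw) => { calls.push("create"); users.set(email, pw); return true; },
    login: (email, pw) => { calls.push("login"); return users.get(email) === pw; },
    changePassword: (email, pw) => { calls.push("changePassword"); users.set(email, pw); return true; },
  };
}

// The breach check runs first; the external store is consulted only if it passes.
function handle(db, action, email, password) {
  if (BREACHED.has(sha256(password))) {
    const outcome = action === "login" ? "blocked_reset_required" : "blocked";
    return { outcome, scriptRan: false };
  }
  const ok = db[action](email, password);
  return { outcome: ok ? "allowed" : "rejected_by_script", scriptRan: true };
}

function demo() {
  const db = makeCustomDb();
  return {
    signup: handle(db, "create", "bob@example.com", "qwerty2020"),
    // Correct password for the legacy store, but still stopped before the script.
    login: handle(db, "login", "ana@example.com", "password123"),
    reset: handle(db, "changePassword", "ana@example.com", "password123"),
    cleanReset: handle(db, "changePassword", "ana@example.com", "Vq7!long-unique-phrase"),
    scriptCalls: db.calls,
  };
}

console.log(demo());
```

In this model the only script call recorded is the final `changePassword`, which matches what an operator sees when blocked attempts leave no trace in the external database's own logs.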