There are three main differences between Breached Password Protection Express and Breached Password Protection Complete:
- The size of the database: Breached Password Protection Complete has a much larger set of compromised passwords.
- The quality of the database: Breached Password Protection Complete is updated continuously, while Breached Password Protection Express is updated every 3 or 4 months.
- The point at which the check is performed:
  - Breached Password Protection Express performs checks at password change, as well as continuous (e.g. nightly) checks.
  - Breached Password Protection Complete performs its check immediately after password change.
Breached Password Protection Complete flow example
The following is an example of how the Breached Password Protection Complete check is performed.
- The user changes their password.
- If the new password complies with all other password policy rules, the new password is submitted (the user can use their new password).
- The password is checked against the Breached Password Protection Complete database.
- If the password is found to be compromised, the user's account is flagged, and they need to change their password at next logon.
- The password is not checked against the Breached Password Protection Complete database until the next password change.
Breached Password Protection Express flow example
The following is an example of how the Breached Password Protection Express check is performed.
- The user changes their password.
- The new password is checked against the Breached Password Protection Express database at password change.
- If the password is found to be compromised, the user will not be allowed to submit the change. If not, the new password is submitted.
- Breached Password Protection Express checks the password against the database continuously (e.g. nightly).
- If the password is found to be compromised in subsequent checks (provided the Breached Password Protection Express database has been updated in the meantime), the user's account will be flagged and they need to change their password at next logon.
Using Breached Password Protection Express together with Breached Password Protection Complete
Since Breached Password Protection Express and Breached Password Protection Complete perform their checks at different times, there are instances where it is beneficial to combine the two services. Consider, for example, the following scenario:
- The user changes to a new password that is present in neither the Breached Password Protection Express database nor the Breached Password Protection Complete database, and is therefore permitted to change their password.
- In subsequent weeks/months, the new password is found to be compromised and is added to both Breached Password Protection Express and Breached Password Protection Complete.
If only Breached Password Protection Complete is used, the user's password will not be checked until the next password change. If, on the other hand, Breached Password Protection Express is also used, the user's account will be flagged, and the user will be forced to change their password at next logon.
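The timing gap in this scenario can be reproduced with a small model of the two flows described above. This is an added example, not product code: the day numbers, the `token-A` placeholder and all function names are constructed for illustration, and passwords are treated as opaque tokens.

```python
# Conceptual timing model of the two check flows; not Specops code.
def in_db(db, password, day):
    """db maps a password token -> the day it was added to that breach database."""
    return password in db and db[password] <= day

def simulate(changes, express_db, complete_db, use_express, use_complete, days):
    """changes maps day -> new password token. Returns [(day, event), ...]."""
    events, current, flagged = [], None, False
    for day in range(days + 1):
        if day in changes:
            new = changes[day]
            # Express checks at password change and blocks a known-breached password.
            if use_express and in_db(express_db, new, day):
                events.append((day, "change rejected (Express)"))
            else:
                current, flagged = new, False
                events.append((day, "change accepted"))
                # Complete checks once, immediately after the change is accepted.
                if use_complete and in_db(complete_db, new, day):
                    flagged = True
                    events.append((day, "flagged (Complete, after change)"))
        # Express also re-checks the current password continuously (nightly here).
        if use_express and current and not flagged and in_db(express_db, current, day):
            flagged = True
            events.append((day, "flagged (Express, nightly)"))
    return events

def first_flag_day(events):
    """Day on which the account was first flagged, or None if it never was."""
    return next((d for d, e in events if e.startswith("flagged")), None)

# Constructed scenario: password set on day 0, clean in both databases at that time.
CHANGES = {0: "token-A"}
COMPLETE_DB = {"token-A": 30}   # assumed: reaches the continuously updated database first
EXPRESS_DB = {"token-A": 90}    # assumed: arrives with the next periodic Express update

def run(use_express, use_complete, days=180):
    return simulate(CHANGES, EXPRESS_DB, COMPLETE_DB, use_express, use_complete, days)

if __name__ == "__main__":
    for label, e, c in [("Complete only", False, True),
                        ("Express only", True, False),
                        ("Both", True, True)]:
        print(f"{label}: first flagged on day {first_flag_day(run(e, c))}")
```

With Complete alone the account is never flagged within the 180 simulated days, because no password change triggers a new check; with Express enabled the nightly check flags it on the day the Express database receives the entry.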