There are three main differences between Breached Password Protection Express and Breached Password Protection Complete:
- The size of the database: Breached Password Protection Complete has a much larger set of compromised passwords.
- The contents of the database: Breached Password Protection Complete is updated continuously, while Breached Password Protection Express is updated every 3 or 4 months.
- The point at which the check is performed:
  - Breached Password Protection Express performs checks at password change, as well as continuous (e.g. nightly) checks.
  - Breached Password Protection Complete performs its check immediately after password change.
Breached Password Protection Complete flow example (Password Change)
The following is an example of how the Breached Password Protection Complete check is performed.
- The user changes their password.
- If the new password complies with all other password policy rules, the new password is submitted (the user can use their new password).
- The password is checked against the Breached Password Protection Complete database.
- If the password is found to be compromised, the user's account is flagged, and they need to change their password at next logon.
- The password is not checked against the Breached Password Protection Complete database until the next password change.
Breached Password Protection Express flow example
The following is an example of how the Breached Password Protection Express check is performed.
- The user changes their password.
- The new password is checked against the Breached Password Protection Express database at password change.
- If the password is found to be compromised, the user will not be allowed to submit the change. If not, the new password is submitted.
- Breached Password Protection Express checks the password against the database continuously (e.g. nightly).
- If the password is found to be compromised in subsequent checks (provided the Breached Password Protection Express database has been updated in the meantime), the user's account will be flagged and they need to change their password at next logon.
Breached Password Protection flow example (Continuous Scan)
The following is an example of how the Breached Password Protection check is performed for continuous scan.
- A continuous scan of the list is performed (either Breached Password Protection Express or Breached Password Protection Complete).
- The user's password is found to be compromised.
- The user is alerted via text or email (if so configured) and/or the user is forced to change their password at next logon (if so configured).
Using Breached Password Protection Express together with Breached Password Protection Complete
You can configure and enable Breached Password Protection Complete and Breached Password Protection Express at the same time, by selecting the “Prevent passwords from the local Express list” and “Enable checking passwords via the Complete API” checkboxes in the Password Change menu. The advantage of using both is that passwords are checked against the larger Complete database, while also providing direct feedback at password change if the new password is found in the Express list.
When users change their password, Breached Password Protection Express will verify if the password is in the list of leaked passwords that has been downloaded. If the password is found in the Express list stored in your local environment, the Breached Password Protection Express rule will prevent the user from changing to that password. If it is not found in the list that is stored locally, the password will be checked against the list found in Breached Password Protection Complete upon submitting the new password. If it is found in the Complete list, the user’s account will be flagged with a “must change password” notification and they will be required to change their password at next login.
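The combined password-change flow and the continuous scan described above, modeled as an added example (not the product's own code). Plain strings in Python sets stand in for the Express and Complete lists, the names `Account`, `change_password` and `continuous_scan` are hypothetical, and the sample passwords are constructed.

```python
from dataclasses import dataclass
from enum import Enum

class Outcome(Enum):
    REJECTED = "rejected at change (found in local Express list)"
    ACCEPTED_FLAGGED = "accepted, then flagged (found in Complete list)"
    ACCEPTED = "accepted"

@dataclass
class Account:
    name: str
    password: str = ""  # model only: a plain string stands in for the stored credential
    must_change_at_next_logon: bool = False

def change_password(acct, new_pw, express_list, complete_list):
    """Password change with both Express and Complete enabled (hypothetical model)."""
    # Stage 1: the local Express list is checked before the change is submitted.
    if new_pw in express_list:
        return Outcome.REJECTED  # the change is blocked; the old password stays
    # Stage 2: the change is submitted and the new password is usable.
    acct.password = new_pw
    acct.must_change_at_next_logon = False
    # Stage 3: the Complete check runs after submission, so it can only flag.
    if new_pw in complete_list:
        acct.must_change_at_next_logon = True
        return Outcome.ACCEPTED_FLAGGED
    return Outcome.ACCEPTED

def continuous_scan(accounts, breach_list):
    """Continuous (e.g. nightly) scan: flags accounts, never rejects a change."""
    newly_flagged = []
    for acct in accounts:
        if acct.password in breach_list and not acct.must_change_at_next_logon:
            acct.must_change_at_next_logon = True
            newly_flagged.append(acct.name)
    return newly_flagged

# Constructed sample lists (not real breach data); Complete is the larger set.
EXPRESS = {"Summer2023!"}
COMPLETE = {"Summer2023!", "Tr0ub4dor&3"}
```

The model makes the window visible: a password found only in the Complete list is live from submission until the user's next logon, and a password added to the Express list later is caught only by the continuous scan.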