Leaked password protection

Clerk follows the National Institute of Standards and Technology (NIST) guidelines when deciding how to handle leaked passwords:

When processing requests to establish and change memorized secrets, verifiers SHALL compare the prospective secrets against a list that contains values known to be commonly-used, expected, or compromised. For example, the list MAY include, but is not limited to:

  • Passwords obtained from previous breach corpuses.

NIST Special Publication 800-63B, section 5.1.1.2 (Memorized Secret Verifiers)

Specifically, Clerk contracts with Have I Been Pwned (HIBP) to compare each prospective password against its Pwned Passwords corpus of over 10 billion leaked credentials. The check runs when a password is set or changed, which is the point at which the NIST text above requires it.
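How such a breach-corpus check is typically done, as an added example that is not Clerk's code and not HIBP's own client library: the Pwned Passwords service exposes a k-anonymity "range" API at https://api.pwnedpasswords.com/range/<prefix>, where the caller sends only the first five hex characters of the password's SHA-1 and receives every known suffix for that prefix with its breach count, so the password and its full hash never leave the application. That endpoint, its response format, and the optional Add-Padding header are real; whether Clerk uses this exact endpoint is not stated on this page and is an assumption. The sample range response below is constructed (the counts are invented) so the code runs offline, and the online fetch is only invoked when no offline fetcher is supplied.

```python
"""Check a prospective password against HIBP's Pwned Passwords corpus via the
k-anonymity range API (added example, not Clerk's implementation)."""
import hashlib
from typing import Callable, Dict, Tuple
from urllib.request import Request, urlopen

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to HIBP and the 35-char suffix that stays on this host."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse '<suffix>:<count>' lines into {suffix: count}.

    With the Add-Padding header HIBP mixes in dummy lines whose count is 0 so
    that response size does not leak how many real suffixes a prefix has;
    those padding lines are dropped here."""
    found: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if int(count) > 0:
            found[suffix.upper()] = int(count)
    return found


def fetch_range_online(prefix: str) -> str:
    """Real network call: only the 5-character hash prefix is transmitted."""
    req = Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "leaked-password-example"},
    )
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str,
                 fetch_range: Callable[[str], str] = fetch_range_online) -> int:
    """How many times the password appears in the corpus (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def password_is_acceptable(password: str,
                           fetch_range: Callable[[str], str] = fetch_range_online) -> bool:
    """The NIST SP 800-63B rule: refuse any prospective secret that appears in
    a breach corpus, regardless of how many times."""
    return breach_count(password, fetch_range) == 0


# Constructed offline stand-in for the range endpoint. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8, so its prefix is 5BAA6; the other
# suffixes and all counts here are made up, and the ':0' line imitates padding.
SAMPLE_RANGES = {
    "5BAA6": "\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:4",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0",
    ]),
}


def fake_fetch_range(prefix: str) -> str:
    """Offline fetcher: unknown prefixes return an empty range (no matches)."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "abc"):
        n = breach_count(candidate, fake_fetch_range)
        verdict = "rejected" if n else "accepted"
        print(f"{candidate!r}: seen {n} times in sample corpus -> {verdict}")
```

Two caveats worth keeping in mind when wiring this into a sign-up or password-change flow: a password that is absent from the corpus is not thereby strong ("abc" passes the constructed sample above only because it is not in it), so the breach check complements rather than replaces length and other composition rules; and because a corpus grows over time, a password accepted today may be found in it later, which is why the NIST text applies the check at every establish-or-change event rather than once.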