I think this is a great feature, Pwned Passwords the fact we get to compare existing passwords in real time with previously exposed passwords in databreachs is amazing. To top it off, the force password change feature is handy – i dont need to manually do anything my clients have been notified and instantly have updated their passwords. However, i always recommend 2FA – but i know for most this may be inconvenient, in these cases the pwned passwords feature helps bridge the possible security gap by advising for stronger password use.

To end it off i agree – security is ever-evolving.

The Best Defense Doesn’t Stop There…

It’s our pleasure! Glad you’re enjoying Defender’s security and we are regularly adding more and more…

Cheers!

We are already using the WAF firewall protection and blocking IP addresses and usernames automatically. This is a strong addition to keeping hackers out, and I’m sure some users will also be surprised to know that they have passwords that have been breached! Many people don’t even know that these lists exist.

I have also read that forcing a change of password too often leads to users choosing weak passwords…. mostly because they just don’t want to think up something unique or use something they can’t remember. So the above comment was a good reminder of that.

Thanks for keeping us secure.

We had couple of requests for forcing password reset on set times in the past, however, there are multiple sources that show that this actually isn’t a good practice as average users end up setting less secure passwords due to it.

So forcing change of leaked passwords only turned out to be more viable solution.

Cheers,
Predrag

Here’s an idea for the force bulk password change for all users. Not sure if you guys are already considering this.

How about a timer for this feature? How about allowing super admins set a time to force users of their network to change passwords. Every 3 months, every 6 months, etc.