Leaked Password Protection on Supabase
Supabase Auth ships with an optional integration with HaveIBeenPwned that rejects passwords found in known breaches. It's off by default · a single toggle in Auth > Providers > Email turns it on. With ~700 million known compromised passwords in circulation, this is the highest-value single click in Supabase security.
Common misconfigurations
- Feature disabled by default · Every new Supabase project ships with leaked-password protection off. The default should be on for any project accepting real user signups.
- No minimum password length set · Alongside HIBP, set a minimum length (12+ chars). Length beats complexity rules for real-world security.
- Password login without rate limits · Even with HIBP, unrestricted login attempts enable credential stuffing. Supabase's built-in rate limits should stay on.
- No MFA option offered · For accounts with real value (payments, admin), offer TOTP MFA. Supabase supports it natively.
Frequently asked
How does Supabase check for leaked passwords?
It hashes the password with SHA-1, sends the first 5 hex chars to the HaveIBeenPwned k-Anonymity API, and matches locally. Your password never leaves the server.
Does this slow signup down?
By milliseconds. Users won't notice.
Is it enough on its own?
It blocks the easiest attack (reused breached passwords). Combine with MFA for accounts that matter.
Scan for this issue →