Breached password detection

When you next sign in or change your password on CareHQ we'll now check to see if your password has appeared in a past data breach using haveibeenpwned (HIBP).

HIBP allows us to check a password against their database to see if it has been leaked or stolen in a past data breach. HIBP's database contains billions of passwords that have appeared in past data breaches and is continuously updated from credible sources, including agencies such as the FBI (Federal Bureau of Investigation) and the UK's NCA (National Crime Agency). Whilst a match against the HIBP database doesn't necessarily indicate that the password has been breached for a specific email address or username, the fact that it has been exposed makes it unsuitable for ongoing use, as exposed passwords are at much greater risk of being used to take over other accounts.

Now whenever you sign in to CareHQ or set a new password we check against HIBP's database to see if the password you submitted has previously been exposed and therefore should be considered unsafe. If you are signing in with an unsafe password then you'll see a warning and a link to change it. If you attempt to set a new password to one that's unsafe then the request will fail and you'll see an error message explaining why.
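For readers curious how a check like this works without sending the password itself to HIBP, here is an added example (not CareHQ's own code) in the style of HIBP's Pwned Passwords "range" API: the client hashes the password with SHA-1 and sends only the first five hex characters, and the server answers with every known hash suffix under that prefix. The breach corpus, breach counts and the in-process `fetch_range` stand-in below are all constructed for the example; a real client would perform an HTTPS GET against `https://api.pwnedpasswords.com/range/<prefix>` instead.

```python
import hashlib
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for the HIBP corpus: a few passwords with made-up
# breach counts. The real database holds billions of entries.
CONSTRUCTED_BREACH_CORPUS: Dict[str, int] = {
    "password": 3_000_000,
    "qwerty": 800_000,
    "letmein": 120_000,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Partition the corpus by the first five hex chars of each hash,
    which is how the range API groups its data server-side."""
    index: Dict[str, List[Tuple[str, int]]] = {}
    for pw, count in corpus.items():
        digest = sha1_hex(pw)
        index.setdefault(digest[:5], []).append((digest[5:], count))
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACH_CORPUS)


def fetch_range(prefix: str) -> str:
    """Constructed stand-in for GET /range/<prefix>. The server only ever
    sees the 5-char prefix and returns "SUFFIX:COUNT" lines for it."""
    return "\r\n".join(f"{suffix}:{count}" for suffix, count in RANGE_INDEX.get(prefix, []))


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in the corpus (0 = not found).
    The remaining 35 hex chars of the hash are compared locally, so the
    full hash never leaves the client."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def is_password_acceptable(password: str) -> bool:
    """Policy for setting a new password: reject anything seen in a breach."""
    return pwned_count(password) == 0
```

On sign-in the same `pwned_count` result would drive a warning rather than a rejection, as the post describes.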

Keeping your sign-in safe

If you've made it this far then I want to take this opportunity to recommend a couple of actions you can take to greatly reduce the risk of your credentials being stolen and used.

  • Avoid reusing passwords across multiple websites and services; that way, if a breach occurs on one of them, you won't expose your accounts on other websites and services.
  • Use a password manager, such as the Google password manager, to help generate secure passwords for all your websites and to make it easy for you to gain access to them without having to remember all the passwords.
  • Use multi-factor authentication (MFA) where available. MFA, also known as two-factor authentication (2FA), requires you to use a second device (such as your mobile phone or tablet) when signing in to a website. This means that even if your password is breached, the malicious actor would need physical access to your second authentication device in order to sign in. CareHQ supports MFA/2FA. To enable MFA, download an authentication app such as Google Authenticator on to your mobile phone or tablet, select the Security link from the main navigation and follow the on-screen instructions.