> Playbook for using Auth0's Breached Password monitoring feature in the Security Center

# Breached Password Playbook

<Card title="Before you start">
  You must configure [Breached Password Protection](/docs/secure/attack-protection/breached-password-detection) and set up [alerts for thresholds](/docs/secure/security-center/security-alerts).
</Card>

Adversaries can target password-based authentication in attacks against your tenant. The guidance below covers identifying and investigating potential attacks and taking the remediation actions required to protect users and minimize further risk.

### Find log events of interest

When considering a response, first sift through the log messages of interest to identify potential attacks. For example, the attack may be coming from a limited set of IPs or from a single autonomous system number (ASN) or country.

The following Auth0 tenant log event types are relevant when investigating a brute force attack.

<Accordion title="Relevant log event types">
  1. `f`: failed user login
  2. `fu`: failed user login due to invalid username
  3. `fp`: failed user login due to invalid password
  4. `pwd_leak`: attempted login with a leaked password
  5. `signup_pwd_leak`: attempted to sign up with a leaked password
  6. `fcoa`: failed cross-origin authentication (these events are generated by `/co/authenticate`, which [should not be enabled unless strictly required](https://sec.okta.com/articles/2024/05/detecting-cross-origin-authentication-credential-stuffing-attacks/))
  7. `scoa`: successful cross-origin authentication (these events are generated by `/co/authenticate`, which [should not be enabled unless strictly required](https://sec.okta.com/articles/2024/05/detecting-cross-origin-authentication-credential-stuffing-attacks/))
</Accordion>

### Identify breached password attacks

Attackers often employ [brute force techniques](/docs/secure/attack-protection/brute-force-protection) ([T1110](https://attack.mitre.org/techniques/T1110/)) when trying to breach password authentication, using collections of bots to guess passwords and to sign up with reused credentials in order to test user accounts.

#### Password guessing

Password guessing ([T1110.001](https://attack.mitre.org/techniques/T1110/001/)) is most commonly employed by unsophisticated adversaries, who come in with little prior knowledge of your tenant’s policies and repeatedly attempt to guess passwords in an attempt to access accounts. Since attackers are merely guessing whether a user exists and what that user's password is, you will see a flood of `fp`, `fu` and `fcoa` events in your [Auth0 log events](/docs/deploy-monitor/logs/log-event-type-codes).

#### Password spraying

Adversaries employ password spraying ([T1110.003](https://attack.mitre.org/techniques/T1110/003/)) as an opportunistic, en masse attack when attempting to gain access to legitimate user accounts. Since attackers achieve their goals by trying commonly used passwords against many accounts, these attacks frequently trip Auth0’s brute force protections. Much like password guessing attacks, a high number of `fp`, `fu` and `fcoa` events in your logs is the best indicator that attackers are attempting password spraying.

#### Credential stuffing

If your tenant uses passwords without requiring an additional factor, credential stuffing ([T1110.004](https://attack.mitre.org/techniques/T1110/004/)) is the most effective brute force attack technique. These attacks take advantage of password leaks and password reuse by attempting to log in to a victim’s account using a dictionary of leaked credentials. Credential stuffing attacks frequently generate `fp` events (because the attackers are more likely to know that a user exists) and `pwd_leak` events (because attackers are attempting to log in using breached credentials).
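As an added example that is not part of the Auth0 playbook, the script below groups the failure event types listed above by source IP, ASN or country and applies the heuristics from the three attack descriptions: leaked-password hits point to credential stuffing, while a plain flood of `fp`, `fu` and `fcoa` events points to guessing or spraying. The sample log entries and the IP-to-ASN table are constructed (only `type`, `ip` and `location_info.country_code` follow the tenant log entry fields), and the `min_failures` threshold is an assumed knob to tune against your tenant's normal failure rate.

```python
from collections import Counter, defaultdict
# Event types the playbook treats as password-attack signals.
FAILURE_TYPES = {"f", "fu", "fp", "fcoa", "pwd_leak", "signup_pwd_leak"}

# Constructed sample log entries (not real tenant data); `type`, `ip` and
# `location_info.country_code` follow the tenant log entry fields.
EVENTS = [
    {"type": "fu", "ip": "203.0.113.10", "location_info": {"country_code": "AA"}},
    {"type": "fp", "ip": "203.0.113.10", "location_info": {"country_code": "AA"}},
    {"type": "fu", "ip": "203.0.113.11", "location_info": {"country_code": "AA"}},
    {"type": "fcoa", "ip": "203.0.113.11", "location_info": {"country_code": "AA"}},
    {"type": "fp", "ip": "198.51.100.7", "location_info": {"country_code": "BB"}},
    {"type": "pwd_leak", "ip": "198.51.100.7", "location_info": {"country_code": "BB"}},
    {"type": "fp", "ip": "198.51.100.7", "location_info": {"country_code": "BB"}},
    {"type": "s", "ip": "192.0.2.5", "location_info": {"country_code": "CC"}},
]

# Constructed IP-to-ASN table standing in for a GeoIP/ASN enrichment step.
ASN_BY_IP = {"203.0.113.10": 64500, "203.0.113.11": 64500, "198.51.100.7": 64501}

def source_of(event, key):
    """Pivot for grouping: the raw IP, its ASN, or its country code."""
    if key == "ip":
        return event["ip"]
    if key == "asn":
        return ASN_BY_IP.get(event["ip"], "unknown")
    return event.get("location_info", {}).get("country_code", "unknown")

def failures_by_source(events, key="ip"):
    """Count each failure event type per source; successful logins are ignored."""
    buckets = defaultdict(Counter)
    for event in events:
        if event["type"] in FAILURE_TYPES:
            buckets[source_of(event, key)][event["type"]] += 1
    return buckets

def classify(counts):
    """Leaked-password hits mark credential stuffing; plain fp/fu/fcoa floods do not."""
    if counts["pwd_leak"] or counts["signup_pwd_leak"]:
        return "credential stuffing"
    return "password guessing or spraying"

def triage(events, key="ip", min_failures=3):
    """Return {source: (label, failure_count)} for sources at or over the threshold."""
    flagged = {}
    for src, counts in failures_by_source(events, key).items():
        if (total := sum(counts.values())) >= min_failures:
            flagged[src] = (classify(counts), total)
    return flagged
```

Pivoting on ASN or country is what surfaces the distributed guessing in the sample: per IP, the two `203.0.113.x` sources each stay under the threshold, while grouped by ASN they show up together.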

#### Mitigation strategies

A comprehensive strategy balances your business's risk tolerance and technical capabilities with the experience your users will have when they sign in. When responding, consider two main factors:

* **User friction**: evaluate the impact of mitigation measures (e.g. CAPTCHA frequency, passkey requirements, or <Tooltip tip="Multi-factor authentication (MFA): User authentication process that uses a factor in addition to username and password such as a code via SMS." cta="View Glossary" href="/docs/glossary?term=MFA">MFA</Tooltip>) on user experience.
* **Technical capacity**: assess your ability to implement IP blocking, WAF rules, and MFA enforcement.

Auth0 recommends a layered security approach that combines multiple mitigation techniques for optimal protection. Below are Auth0's recommendations:

* Turn on [Bot Detection](/docs/secure/attack-protection/bot-detection) and block [compromised credentials](/docs/secure/attack-protection/breached-password-detection#configure-response-scenarios), up to and including requiring MFA for potentially compromised accounts.
* Activate CAPTCHA for one or more flows and increase CAPTCHA frequency as needed, but remember that CAPTCHA is a deterrent, not a solution. For more information about <Tooltip tip="Bot Detection: Form of attack protection in which Auth0 blocks suspected bot traffic by enabling a CAPTCHA during the login process." cta="View Glossary" href="/docs/glossary?term=bot+detection">bot detection</Tooltip>, read [the Bot Detection playbook](/docs/secure/attack-protection/playbooks/bot-detection-playbook).
* Change your CAPTCHA provider if attackers bypass your current CAPTCHA or consider migrating to Auth0's Auth Challenge or another [supported provider](/docs/secure/attack-protection/bot-detection/configure-captcha).
* Change your web application firewall rules using an edge provider or use [tenant access control lists](/docs/secure/tenant-access-control-list) to block abusive IPs, autonomous system numbers, geographic locations, [TLS clients](/docs/customize/custom-domains/self-managed-certificates/tls-ssl), or HTTP header elements like `user-agent` strings.
* Tighten [Brute Force](/docs/secure/attack-protection/brute-force-protection) and [Suspicious IP](/docs/secure/attack-protection/suspicious-ip-throttling) thresholds to reduce allowed connection limits and mitigate brute-force attacks.
* Disable stateless endpoints susceptible to credential stuffing attacks by modifying your [Cross-Origin Authentication](/docs/authenticate/login/cross-origin-authentication) settings.
