Enabling Leaked‑Password Protection in Supabase

Supabase provides a Leaked‑Password Protection feature that checks new passwords against the HaveIBeenPwned database and blocks those that have appeared in known data breaches. The toggle for this security option lives in the Auth settings of your project dashboard.

Where to Find the Setting

1. Open your Supabase project in the Supabase dashboard.
2. In the left‑hand navigation, select Authentication.
3. Click Settings (under the Authentication menu).
4. Scroll to the Password Security section.
5. Locate the toggle/checkbox labeled “Prevent leaked passwords” (or “Leaked password protection”) and switch it on.

Path: Supabase Dashboard → Authentication → Settings → Password Security

Key Details

• Plan requirement: The feature is only available on Pro (or higher) plans ¹.
• How it works: When enabled, Supabase queries the HaveIBeenPwned breach database during sign‑up or password‑change operations. If the chosen password is found in a breach, the request is rejected, forcing the user to pick a safer password ².
• User experience: The setting appears as a simple toggle or checkbox, making it straightforward to enable or disable without any code changes.

Quick Checklist

• ✅ Verify you are on a Pro (or higher) plan.
• ✅ Navigate to Authentication → Settings → Password Security.
• ✅ Turn on Prevent leaked passwords.

Once activated, your Supabase Auth flow will automatically block compromised passwords, strengthening the overall security of your application.