The system must check new passwords
against a list of the 1,000 to 10,000 most common breached passwords.
Attackers have many password-cracking tools that draw on public lists
of breached credentials.
Systems must therefore check submitted passwords against such lists and reject
account creation and password change operations that use a password contained in
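A worked example of the check, added here and not taken from the standard or from the page: a local breach list stored only as SHA-1 hashes, indexed by 5-character hash prefix so the component that holds the list compares locally and never receives a candidate password, and consulted at registration and at password change. The sample list, the prefix-bucket design, and all class and function names are assumptions of this example.

```python
import hashlib
import secrets

# Constructed stand-in for a local list of the most common breached passwords.
# A real deployment loads the top 1,000 to 10,000 entries (or more) from a
# breach corpus; these ten are for illustration only.
SAMPLE_BREACHED_PASSWORDS = [
    "123456", "password", "qwerty", "letmein", "Password1",
    "iloveyou", "admin123", "welcome", "dragon", "monkey",
]


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password (the usual breach-list format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachList:
    """Breached passwords indexed by 5-hex-char SHA-1 prefix -> set of 35-char suffixes.

    Only hashes are stored, and callers fetch a whole prefix bucket and compare
    locally, so the component holding the list never sees a candidate password.
    (Design assumption for this example; the page only requires that the check
    happens.)
    """

    def __init__(self, breached_passwords):
        self._index = {}
        for pw in breached_passwords:
            digest = sha1_hex(pw)
            self._index.setdefault(digest[:5], set()).add(digest[5:])

    def range_lookup(self, prefix: str):
        return self._index.get(prefix.upper(), set())

    def is_breached(self, password: str) -> bool:
        digest = sha1_hex(password)
        return digest[5:] in self.range_lookup(digest[:5])


class BreachedPasswordError(ValueError):
    """Raised when a submitted password appears in the breach list."""


class AccountService:
    """Minimal registration and password-change flow that enforces the check.

    Stored hashes use PBKDF2-HMAC-SHA256 from the standard library so the
    example runs anywhere; a memory-hard function (Argon2id, scrypt) is the
    better production choice.
    """

    PBKDF2_ITERATIONS = 600_000

    def __init__(self, breach_list: BreachList):
        self._breach_list = breach_list
        self._users = {}  # username -> (salt, password hash)

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   self.PBKDF2_ITERATIONS)

    def _require_not_breached(self, password: str) -> None:
        if self._breach_list.is_breached(password):
            raise BreachedPasswordError(
                "this password appears in a list of breached passwords; choose another")

    def register(self, username: str, password: str) -> bool:
        self._require_not_breached(password)
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(password, salt))
        return True

    def change_password(self, username: str, old_password: str, new_password: str) -> bool:
        salt, stored = self._users[username]
        if not secrets.compare_digest(stored, self._hash(old_password, salt)):
            return False
        self._require_not_breached(new_password)
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._hash(new_password, salt))
        return True
```

The check runs before anything is stored, so a breached password never reaches the credential store; the rejection message tells the user why without echoing the password back.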
V2.2 General Authenticator Requirements

(2.2.1) Verify that anti-automation controls are effective at mitigating breached
credential testing, brute force, and account lockout attacks.
Such controls include blocking the most common breached passwords,
soft lockouts, rate limiting, CAPTCHA, ever-increasing delays between attempts,
IP address restrictions,
or risk-based restrictions such as location, first login on a device,
recent attempts to unlock the account, or similar.
Verify that no more than 100 failed attempts per hour is possible on a single
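A worked example of two of the controls listed above, added here and not part of the standard or the page: a per-account sliding one-hour window capped at 100 failed attempts, combined with an ever-increasing delay (a soft lockout) after a run of consecutive failures. The threshold of five failures, the doubling schedule, the 15-minute delay cap and all names are assumptions of this example; only the 100-per-hour ceiling comes from the text.

```python
import time
from collections import deque

WINDOW_SECONDS = 3600
MAX_FAILURES_PER_WINDOW = 100   # the ceiling of 100 failed attempts per hour from 2.2.1


class FakeClock:
    """Deterministic clock so the throttle can be exercised without sleeping."""

    def __init__(self, start: float = 0.0):
        self._t = start

    def now(self) -> float:
        return self._t

    def advance(self, seconds: float) -> None:
        self._t += seconds


class LoginThrottle:
    """Per-account failed-attempt accounting.

    Two controls from the list in 2.2.1 are combined: a sliding one-hour window
    capped at MAX_FAILURES_PER_WINDOW failures, and an ever-increasing delay
    (a soft lockout) after a run of consecutive failures. Threshold and cap
    values are assumptions for this example, not numbers from the standard.
    """

    def __init__(self, clock=time.monotonic, soft_lock_threshold=5, max_delay=900.0):
        self._clock = clock
        self._soft_lock_threshold = soft_lock_threshold  # None disables delays
        self._max_delay = max_delay
        self._failures = {}     # account -> deque of failure timestamps in the window
        self._consecutive = {}  # account -> consecutive failures since last success
        self._not_before = {}   # account -> earliest time the next attempt is accepted

    def _window(self, account, now):
        q = self._failures.setdefault(account, deque())
        while q and now - q[0] >= WINDOW_SECONDS:
            q.popleft()
        return q

    def check(self, account):
        """Call before verifying the password. Returns (allowed, retry_after_seconds)."""
        now = self._clock()
        q = self._window(account, now)
        if len(q) >= MAX_FAILURES_PER_WINDOW:
            return False, WINDOW_SECONDS - (now - q[0])
        not_before = self._not_before.get(account, 0.0)
        if now < not_before:
            return False, not_before - now
        return True, 0.0

    def record_failure(self, account):
        now = self._clock()
        self._window(account, now).append(now)
        n = self._consecutive.get(account, 0) + 1
        self._consecutive[account] = n
        if self._soft_lock_threshold is not None and n >= self._soft_lock_threshold:
            # 1s, 2s, 4s, ... doubling with each further failure, capped at max_delay
            delay = min(2.0 ** (n - self._soft_lock_threshold), self._max_delay)
            self._not_before[account] = now + delay
        return n

    def record_success(self, account):
        # A successful login clears the consecutive-failure streak and any delay,
        # but not the hourly window: the cap still counts earlier failures.
        self._consecutive.pop(account, None)
        self._not_before.pop(account, None)


def simulate_patient_attacker(throttle, clock, account, duration=WINDOW_SECONDS):
    """Count how many wrong guesses an attacker who always waits exactly the
    advertised retry_after can make against one account within `duration`."""
    deadline = clock.now() + duration
    attempts = 0
    while True:
        allowed, retry_after = throttle.check(account)
        if not allowed:
            if clock.now() + retry_after >= deadline:
                return attempts
            clock.advance(retry_after)
            continue
        throttle.record_failure(account)
        attempts += 1
```

With the delays disabled the window alone holds an attacker to exactly 100 guesses in the first hour; with the doubling delays in place the same attacker manages 17. Because the lockout is soft and expires on its own, an attacker who deliberately burns failures against a victim's account delays that user rather than locking them out, which is the account lockout attack the requirement also asks you to mitigate. IP-based and risk-based restrictions and CAPTCHA would layer on top of this per-account accounting rather than replace it.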