Checking for Compromised Passwords

When a Lumity user selects or updates a password, the password is checked against those obtained from previous data breaches. This practice adheres to the Digital Identity Guidelines provided by the National Institute of Standards and Technology (NIST) in Special Publication 800-63B

  • The site we use to inspect the password you enter is HaveIBeenPwned (HIBP).

    • HIBP is a free resource anyone can use to determine whether an online account may have been compromised or “pwned” in a data breach.
    • The site was created by web security expert, Troy Hunt, as a service to the public. Learn more.
  • Lumity checks whether a password has been compromised:

    • When a new user initially selects a password, and/or 
    • When an existing user attempts to update their password. 
  • If you are notified that your attempted password is compromised:

    • This DOES NOT imply that your data stored in Lumity has been breached; 
    • However, if you’ve used this password for other accounts, we strongly suggest you update your password(s). 
    • See “Best Practices” below. 
  • Once you have a validated password, it is protected in our database using the password hashing function bcrypt.

Best Practices for Account Security

  • Use a long (minimum 8 characters) and unique password for each account you have. 
  • Consider using a cloud-synchronized password manager.
  • To limit your data breach exposure, don’t reuse the same password on multiple sites.
  • Consider signing up for HaveIBeenPwned notifications (no need to provide your password). 

Additional Reading:
NIST: Easy Ways to Build a Better P@$5w0rd (10/4/17)

Rate this article:
Thank you for your feedback!

Clear ROI. Better Outcomes. Engaged Employees.

Learn more about our partnership approach to help you achieve your benefits goals