We take data security very seriously here at HR Partner - after all, we are handling very private data that could result in serious damage should it fall into the wrong hands.
As most other SaaS providers do, we strongly encourage our users (and their employees) to choose very safe passwords when creating an account on our system. But that is often harder to manage than it sounds.
So what we did today was to integrate Troy Hunt's excellent Have I Been Pwned? (HIBP) Pwned Passwords API into our system.
Now, when a new HR Partner user is created, or when either an HR admin user or an employee creates or changes their password, the password is checked within seconds against the HIBP list of passwords that have already appeared in known data breaches. If it is found, a warning is shown telling the user how many times that password has leaked, and therefore how likely it is that someone guessing or cracking passwords will try it.
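The post does not say how HR Partner talks to the API, so the following is an added example (not HR Partner's code) of the safe way to perform this check: the HIBP Pwned Passwords range endpoint, which is a real API. The client hashes the password with SHA-1, sends only the first five hex characters, receives every suffix in that range, and matches the remaining 35 characters locally, so the password itself never leaves the server. The function and constant names and the constructed sample response are mine, and the breach counts in it are illustrative rather than live HIBP figures.

```python
"""Check a candidate password against HIBP Pwned Passwords without sending it.

Added example, not HR Partner's code. Uses the real k-anonymity range API:
only the first five hex characters of the SHA-1 hash leave the server; HIBP
returns every suffix in that range and the client matches locally.
"""
import hashlib
import urllib.request
from typing import Optional, Tuple

RANGE_API = "https://api.pwnedpasswords.com/range/"  # real HIBP endpoint


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form the HIBP range data uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(digest: str) -> Tuple[str, str]:
    """5-char prefix that is sent to HIBP, 35-char suffix that stays local."""
    return digest[:5], digest[5:]


def count_in_range(range_body: str, suffix: str) -> int:
    """Find our suffix in a range response ("SUFFIX:COUNT" per line).

    Returns the breach count, or 0 when absent. Padded responses (requested
    with the Add-Padding header) contain dummy lines with a count of 0, which
    are treated as "not pwned" here.
    """
    for line in range_body.splitlines():
        line = line.strip()
        if ":" not in line:
            continue
        candidate, count = line.split(":", 1)
        if candidate.strip().upper() == suffix:
            try:
                return int(count.strip())
            except ValueError:
                return 0
    return 0


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup of one hash range (network only; not used offline)."""
    req = urllib.request.Request(
        RANGE_API + prefix,
        headers={"User-Agent": "password-check-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range) -> int:
    """How many times the password appears in HIBP; 0 means not found.

    `fetch` is injectable so the check can run offline against a captured
    range body, as the sample below does.
    """
    prefix, suffix = split_hash(sha1_hex(password))
    return count_in_range(fetch(prefix), suffix)


def warning_for(count: int) -> Optional[str]:
    """Advisory text to show the user, or None if the password is clean.

    Warns but does not block, matching the policy described in the post.
    """
    if count <= 0:
        return None
    return (f"This password has appeared {count:,} times in known data breaches. "
            "Anyone guessing or cracking passwords will try it early; "
            "please choose a different one.")


# Constructed sample range body shaped like a real padded HIBP response for
# prefix 5BAA6 (assumption, not captured from HIBP). The suffix on the second
# line is the genuine remainder of SHA-1("password"); the counts are made up.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
1E4F5B8C2A83B6F1A4D4C3A2B1C0D9E8F70:0
21B2E3F4A5B6C7D8E9F0A1B2C3D4E5F6A7B:13
"""


def demo_offline(password: str) -> int:
    """Run the check against the constructed body instead of the network."""
    return pwned_count(password, fetch=lambda _prefix: SAMPLE_RANGE_5BAA6)


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", warning_for(demo_offline(pw)) or "not found in HIBP")
```

Two details matter in practice: the `Add-Padding` header makes every range response roughly the same size, so an observer of the TLS traffic cannot infer which prefix was queried from the response length, and a count of 0 in a padded response means "not found" rather than "found zero times". Because the match happens on the client, a network failure should degrade to "check unavailable", never to "password is safe".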
This is what they will see if they use a common password when creating a new user & company in trial mode:
And this is what an admin user will see if he/she changes their password to a simplistic one:
Please note that we do not prevent users from using such passwords - we are, after all, not Big Brother. However, we hope that the message above is strong enough to encourage our users to at least revisit their password choices and improve them on our system.
NOTE: We have been asked by a couple of users if we can audit the existing admin and employee passwords in the system to see which ones are at risk. Unfortunately, that is impossible to do: once a password is saved to our database it is stored only as a one-way hash, not in a form that can be reversed, so none of our team can recover the original password, even if we really, really wanted to - sorry! The only moment a password is available to check is when the user types it in, which is why the HIBP check runs when an account is created or a password is changed.