⚠️ USER ACTION REQUIRED - Security Setting
Critical Security Improvement Available
What Needs to Be Done
Enable Leaked Password Protection in your Supabase Dashboard
Why This Matters
- 🔒 Prevents compromised passwords - Blocks passwords from data breaches
- 🛡️ Protects user accounts - Checks against ~10 billion breached passwords
- ⚡ Zero performance impact - Handled by Supabase infrastructure
- 🆓 No cost - Built-in feature, just needs to be enabled
How to Enable (5 Minutes)
Step 1: Open Supabase Dashboard
Navigate to: https://supabase.com/dashboard/project/ydvtmnrszybqnbcqbdcy
Step 2: Go to Authentication Settings
Click: Authentication → Settings
Step 3: Find Password Security Section
Scroll to: "Password Security"
Step 4: Enable the Setting
Toggle: "Enable leaked password protection" ✅
Step 5: Save
Click: Save button at bottom
What Happens After Enabling
For New Users
- ✅ Cannot use compromised passwords during signup
- ✅ Get friendly error: "This password has been found in a data breach"
- ✅ Forced to choose a secure password
For Existing Users
- ✅ Existing passwords remain valid (no forced reset)
- ✅ Next password change will be validated
- ✅ Gradual migration to secure passwords
How It Works
- Checks the password against the Have I Been Pwned database
- Uses k-anonymity (only the first 5 characters of the password hash are sent)
- Zero privacy concerns - the full password is never transmitted
- Instant validation, no user friction
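To make the k-anonymity mechanism concrete, here is an added illustration (not Supabase's or Have I Been Pwned's code): it hashes the candidate password, sends only the 5-character hash prefix to a lookup function, and matches the remaining suffix locally. The lookup function and its range data are a constructed offline stand-in for the real service, so the counts are made up; only the hash prefixes of "password" and "abc" are real SHA-1 values.

```python
import hashlib
from typing import Callable

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix (sent) and 35-char suffix (kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict[str, int]:
    """Parse a range response: one 'SUFFIX:COUNT' line per breached hash sharing the prefix."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if line:
            suffix, _, count = line.partition(":")
            counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: only the prefix leaves the client; suffix matching happens locally."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def password_allowed(password: str, fetch_range: Callable[[str], str]) -> bool:
    """Policy applied at signup / password change: reject any password seen in a breach."""
    return breach_count(password, fetch_range) == 0

# Constructed stand-in for the range service so the example runs offline.
# 5BAA6 and A9993 are the real SHA-1 prefixes of "password" and "abc";
# the counts and the second suffix are made up for illustration.
SAMPLE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n"
             "ABCDEF0123456789ABCDEF0123456789ABC:7\n",
    "A9993": "ABCDEF0123456789ABCDEF0123456789ABC:7\n",  # same bucket as "abc", different suffix
}
SENT_PREFIXES: list[str] = []  # records what would actually go over the wire

def fake_fetch_range(prefix: str) -> str:
    """Hypothetical lookup: returns every known suffix for the prefix, never sees the password."""
    SENT_PREFIXES.append(prefix)
    return SAMPLE_RANGES.get(prefix, "")

if __name__ == "__main__":
    for pw in ("password", "abc"):
        n = breach_count(pw, fake_fetch_range)
        print(pw, "->", "found in %d breaches" % n if n else "not found")
    print("transmitted:", SENT_PREFIXES)  # only 5-char prefixes, never the password or full hash
```

Note that "abc" shares no suffix with the other hash in its bucket, so it passes even though the lookup returned data: the server learns only which bucket was queried, not which password was checked.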
Screenshots (What to Look For)
In Dashboard:
Authentication Settings
├── Password Settings
│ ├── Minimum password length: [6] characters
│ ├── Password strength requirements: [Enabled]
│ └── ✅ Enable leaked password protection ← ENABLE THIS
└── [Save] button
Documentation
- Supabase Guide: https://supabase.com/docs/guides/auth/password-security#password-strength-and-leaked-password-protection
- Have I Been Pwned: https://haveibeenpwned.com/Passwords
Other Items (For Reference)
✅ Already Complete (No Action Needed)
- Phase 1: JSONB Elimination - Complete, 33x performance improvement
- Database migrations - Applied successfully
- Edge functions - Deployed and working
- Frontend updates - All using relational data
⏳ Optional Future Work
- Console cleanup - Continue as time permits (3-4 hours)
- localStorage validation - Optional improvement (2 hours)
- React optimizations - Optional enhancement (6 hours)
✅ Accepted Limitations
- Extension warning - Supabase platform limitation, safe to ignore
- No action needed, managed by Supabase team
Questions?
Q: Is this required?
A: Highly recommended for security, but the app works without it
Q: Will it break existing users?
A: No, existing passwords remain valid
Q: How long does it take?
A: Less than 5 minutes to enable
Q: Any downsides?
A: None - only improves security
Q: What if I don't enable it?
A: The app works fine, but users can set breached passwords
Summary
✅ Enable leaked password protection in Supabase Dashboard
⏱️ Time required: 5 minutes
🔒 Impact: Significantly improved account security
💰 Cost: Free (built-in feature)
That's it! After this, all critical fixes are complete.
Next: Once enabled, we can continue with optional improvements (console cleanup, localStorage validation, React optimizations) or consider the project complete.