IBM Verify

Is Your Password on the Leaked List? Here's How Verify Can Help You Find Out

By Rushi Yarraboina posted 21 hours ago


Introduction

In today’s digital landscape, most applications still rely on the classic combination of username and password for user authentication. Despite the rise of modern authentication methods, passwords remain the most widely used—and unfortunately, the most vulnerable—form of security. This makes them a prime target for attackers looking to exploit weak or reused credentials.

In this blog, I’ll walk you through how IBM Security Verify can help organisations proactively detect compromised passwords by comparing user credentials against a custom list of leaked or commonly used passwords. To learn more about Verify SaaS, visit https://www.ibm.com/docs/en/security-verify.


IBM Verify SaaS includes a powerful Password Intelligence module designed to help organisations monitor and manage password hygiene across their user base. This feature enables administrators to warn users, flag risky credentials, or even prevent the use of stolen, common, or known weak passwords during authentication or password change events.

Verify offers flexible options for password intelligence by allowing organizations to choose between two sources:

  • IBM Security X-Force dictionary, which contains a curated list of known compromised and commonly used passwords.

  • A custom password list, defined by the organization itself.

In this blog, I’ll focus on the custom password list use case and demonstrate how you can leverage it to proactively identify and respond to password risks within your user base.

To get started, you can create a Verify SaaS trial tenant by visiting https://www.ibm.com/products/verify and clicking the “Start your free trial” button. You’ll be prompted to fill out a short form to set up your tenant.

Demonstration

Let’s log in to our Verify SaaS tenant using our credentials; you will be greeted with a screen similar to this:

Verify Admin Console

In addition to the admin user Rushi Yarraboina, I have three users named MarvinAlpha, MarvinBeta and MarvinCharlie.

Once your tenant is set up, navigate to Security > Password Management within the Verify admin console. Here, you'll find two key subsections: Password Policies and Intelligence List.

For this blog, we’ll focus on the Intelligence List feature, which allows you to manage and apply password intelligence rules using either IBM’s curated dictionary or your own custom list of passwords.


Click on the Intelligence List tab within the Password Management section. Here, you’ll see two key components:

  • Default Password Intelligence Policy – This is the built-in policy that uses IBM’s curated password intelligence.

  • Global Custom Password List – This allows you to upload and manage your own list of passwords to be checked against user credentials.

For this walkthrough, we’ll focus on the Global Custom Password List to demonstrate how you can tailor password checks to your organisation’s specific security needs.

To view or edit the custom password list, click on the Global Custom Password List. You’ll have the option to download the current list to inspect its contents.

Since this is your first time accessing it, the list will contain only a single entry: the word “password” in the first column. This default entry serves as a placeholder and indicates that no additional passwords have been added yet.

Next, let’s add some passwords to the CSV file and upload it to the Global Custom Password List. After adding your own passwords (with sensitive parts redacted for privacy), proceed to upload the updated CSV file. Once the upload is initiated, Verify will process the file and update the intelligence list accordingly. Let’s wait for the upload to complete before moving on to the next step.



Once the upload is complete, navigate back to the Default Password Intelligence Policy and click the gear icon in the top-right corner to edit it.

Enable the “Custom Passwords List” option and select “Warn users with a message” as the action. This configuration ensures that when a user attempts to log in or change their password, and the password matches an entry in your custom list, they’ll receive a warning message.

Note: This warning does not block access—it simply alerts the user that their password may be risky or commonly used.

For more details on each configuration option, refer to the IBM Verify documentation at https://www.ibm.com/docs/en/security-verify. Once done, click Save Changes to apply the updated policy.

Now, let’s test the configuration by logging in with the MarvinBeta credentials. Upon authentication, you’ll notice a warning message indicating that the password being used appears on a list of common or phished passwords.

Users are given two options:

  • They can continue using the current password, acknowledging the risk.

  • Or they can reset their password immediately by clicking on the “Change Password” link provided in the warning.

This approach strikes a balance between security and user experience—alerting users to potential risks without disrupting access.

To monitor password-related activity, head over to Reporting & Diagnostics > Reports > Password Intelligence in the Verify admin console. This report provides valuable insights such as user details, location, IP address, and other metadata associated with password intelligence events.

These details can be extremely helpful when investigating potential password-related incidents, identifying patterns of risky behaviour, or auditing credential hygiene across your organization.
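To make the policy behaviour and the report concrete, here is an added example (my own illustration, not IBM Verify code) that models the custom-list check described above and the kind of per-user summary the Password Intelligence report lets you build. It assumes the CSV holds one password per row in the first column, that matching is exact, and that the two policy actions are "warn" (the setting used in this walkthrough) and a stricter "block"; the list contents and IP addresses are constructed sample data.

```python
from __future__ import annotations
import csv
import io
from dataclasses import dataclass
from enum import Enum

class Action(Enum):
    ALLOW = "allow"
    WARN = "warn"    # user may continue, or follow the "Change Password" link
    BLOCK = "block"  # assumed stricter setting; not the one used in the walkthrough

# Constructed sample list in the upload format: the placeholder word "password"
# in the first column, followed by organisation-specific entries.
CUSTOM_LIST_CSV = """password
Summer2024!
acme-welcome1
"""

def load_custom_list(csv_text: str) -> frozenset[str]:
    """Return the first column of every non-empty CSV row."""
    rows = csv.reader(io.StringIO(csv_text))
    return frozenset(row[0].strip() for row in rows if row and row[0].strip())

@dataclass(frozen=True)
class IntelligenceEvent:
    """One row of the kind the Password Intelligence report exposes."""
    user: str
    event: str      # "login" or "password_change"
    ip: str         # constructed value; the real report includes IP and location
    matched: bool
    action: Action

def evaluate(user: str, event: str, ip: str, candidate: str,
             custom_list: frozenset[str], on_match: Action) -> IntelligenceEvent:
    """Decide what happens when `candidate` is used at a login or change event.

    With on_match=Action.WARN the user is still authenticated; only BLOCK
    would stop access, which mirrors the 'warning does not block' note above.
    """
    matched = candidate in custom_list
    return IntelligenceEvent(user, event, ip, matched,
                             on_match if matched else Action.ALLOW)

def users_hitting_list(events: list[IntelligenceEvent]) -> list[str]:
    """Audit helper: which users presented a password from the custom list."""
    return sorted({e.user for e in events if e.matched})
```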

Conclusion

In this blog, we explored how IBM Verify SaaS empowers organisations to strengthen their password security posture using the Password Intelligence module. By leveraging a custom password list, administrators can proactively detect and respond to the use of weak, common, or compromised passwords within their user base.
